fda: add --tls-cert flag to trust custom CA for HTTPS #6074
mythical-fred
left a comment
Please add the missing docs update, see inline.
mihaibudiu
left a comment
I think @gz will have to also review this from a security pov, but this looks fine.
Thanks a lot for the contribution! Only semantic I would change is the "Using both continues to be valid and remains controlled by existing
Per @gz review on feldera#6074: combining TLS trust-store extension with certificate verification disabled is confusing and not a combination that ever makes sense. clap now rejects the pair at parse time with a hard error (exit 2), before any HTTPS request runs.

- crates/fda/src/cli.rs: add conflicts_with = "insecure" on --tls-cert
- docs.feldera.com/docs/interface/cli.md: mention the mutual exclusion and use /etc/ssl/ca-bundle.pem in the example (a private CA bundle is not a "private-ca.pem" singular file in practice)
- crates/fda/test.bash: add two fail_on_success cases covering both --insecure and -k shorthand combined with --tls-cert
Done in 890cbdc. Docs updated to mention the mutual exclusion.

@mvanhorn I think these commits can be squashed to just 1, and then I will merge the PR.
Adds a new global option `--tls-cert` (env: `FELDERA_HTTPS_TLS_CERT`) to the `fda` CLI. When set, the path is read and parsed as one or more PEM-encoded certificates via `reqwest::Certificate::from_pem_bundle`, and each certificate is added to the client's set of trusted roots via `add_root_certificate`. This lets operators point `fda` at a Feldera deployment that serves HTTPS with a self-signed cert or a cert issued by a private CA not in the system trust store, without having to resort to `--insecure`/`-k`.

`--tls-cert` and `--insecure`/`-k` are mutually exclusive at the clap parse level: combining a trust-store extension with verification disabled doesn't make sense and is rejected with a hard error (exit 2) before any HTTPS request runs. `crates/fda/test.bash` covers both forms.

Docs at `docs.feldera.com/docs/interface/cli.md` document the flag, the env var, and the mutual exclusion under a new 'Connecting to HTTPS with a custom CA' subsection.

Closes feldera#5475

Signed-off-by: Matt Van Horn <mvanhorn@gmail.com>
890cbdc to a1ac231

Closes #5475
Adds a new global option `--tls-cert` (env: `FELDERA_HTTPS_TLS_CERT`) to the `fda` CLI. When set, the path is read and parsed as one or more PEM-encoded certificates via `reqwest::Certificate::from_pem_bundle`, and each certificate is added to the client's set of trusted roots via `add_root_certificate`. This lets operators point `fda` at a Feldera deployment that serves HTTPS with a self-signed cert or a cert issued by a private CA not in the system trust store, without having to resort to the blanket `--insecure`/`-k`.
Usage matches the issue:
```bash
FELDERA_HTTPS_TLS_CERT=/path/to/my/cacert fda --host https://localhost pipelines
# or
fda --tls-cert /path/to/my/cacert --host https://localhost pipelines
```
Behavior notes
Describe Manual Test Plan
Checklist
Breaking Changes?
Mark if you think the answer is yes for any of these components:
Additive change only: new optional `--tls-cert` flag with no change to existing flag behavior.
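
A std-only Rust sketch of the option handling described above, added here as an illustration and not taken from the PR or the Feldera code base: the `--tls-cert`/`--insecure` conflict is reported before the bundle is examined, and each certificate block in the bundle becomes one extra trusted root. The type and function names, the sample bundle, and the empty-bundle error are assumptions of this sketch; `fda` itself relies on clap's `conflicts_with` and reqwest's PEM parsing.

```rust
// Added sketch, std only. fda itself uses clap and reqwest; all names here are hypothetical.
const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

#[derive(Debug, PartialEq)]
enum Trust {
    System,                  // default: system trust store only
    ExtraRoots(Vec<String>), // system store plus one extra root per bundle entry
    NoVerification,          // --insecure / -k
}

#[derive(Debug, PartialEq)]
enum CliError {
    Conflict,    // --tls-cert combined with --insecure / -k
    Malformed,   // BEGIN/END markers do not pair up
    EmptyBundle, // assumption of this sketch: a bundle with no certificate is an error
}

// Collect the base64 body of every CERTIFICATE block in a PEM bundle.
fn split_bundle(pem: &str) -> Result<Vec<String>, CliError> {
    let (mut certs, mut current) = (Vec::new(), None::<String>);
    for line in pem.lines().map(str::trim) {
        if line == BEGIN {
            if current.replace(String::new()).is_some() {
                return Err(CliError::Malformed); // BEGIN inside an open block
            }
        } else if line == END {
            certs.push(current.take().ok_or(CliError::Malformed)?);
        } else if let Some(body) = current.as_mut() {
            body.push_str(line);
        } // anything outside a block (comments, blank lines) is skipped
    }
    if current.is_some() { return Err(CliError::Malformed); } // missing END
    if certs.is_empty() { Err(CliError::EmptyBundle) } else { Ok(certs) }
}

// Decide the trust mode; the conflict is reported before the bundle is looked at.
fn resolve(tls_cert_pem: Option<&str>, insecure: bool) -> Result<Trust, CliError> {
    match (tls_cert_pem, insecure) {
        (Some(_), true) => Err(CliError::Conflict),
        (Some(pem), false) => split_bundle(pem).map(Trust::ExtraRoots),
        (None, true) => Ok(Trust::NoVerification),
        (None, false) => Ok(Trust::System),
    }
}

// Constructed sample: two placeholder blocks, not real certificates.
const SAMPLE: &str = "# private CA\n-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n";

fn main() { println!("{:?}", resolve(Some(SAMPLE), false)); }
```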