feat: support mTLS for remote database (#2638)

This PR adds mTLS (mutual TLS) configuration support for the LanceDB
remote HTTP client, allowing users to authenticate with client
certificates and configure custom CA certificates for server
verification.

---------

Co-authored-by: Claude <noreply@anthropic.com>

python/python/lancedb/remote/__init__.py

@@ -8,7 +8,7 @@ from typing import List, Optional
 
 from lancedb import __version__
 
-__all__ = ["TimeoutConfig", "RetryConfig", "ClientConfig"]
+__all__ = ["TimeoutConfig", "RetryConfig", "TlsConfig", "ClientConfig"]
 
 
 @dataclass
@@ -112,6 +112,29 @@ class RetryConfig:
     statuses: Optional[List[int]] = None
 
 
+@dataclass
+class TlsConfig:
+    """TLS/mTLS configuration for the remote HTTP client.
+
+    Attributes
+    ----------
+    cert_file: Optional[str]
+        Path to the client certificate file (PEM format) for mTLS authentication.
+    key_file: Optional[str]
+        Path to the client private key file (PEM format) for mTLS authentication.
+    ssl_ca_cert: Optional[str]
+        Path to the CA certificate file (PEM format) for server verification.
+    assert_hostname: bool
+        Whether to verify the hostname in the server's certificate. Default is True.
+        Set to False to disable hostname verification (use with caution).
+    """
+
+    cert_file: Optional[str] = None
+    key_file: Optional[str] = None
+    ssl_ca_cert: Optional[str] = None
+    assert_hostname: bool = True
+
+
 @dataclass
 class ClientConfig:
     user_agent: str = f"LanceDB-Python-Client/{__version__}"
@@ -119,9 +142,12 @@ class ClientConfig:
     timeout_config: Optional[TimeoutConfig] = field(default_factory=TimeoutConfig)
     extra_headers: Optional[dict] = None
     id_delimiter: Optional[str] = None
+    tls_config: Optional[TlsConfig] = None
 
     def __post_init__(self):
         if isinstance(self.retry_config, dict):
             self.retry_config = RetryConfig(**self.retry_config)
         if isinstance(self.timeout_config, dict):
             self.timeout_config = TimeoutConfig(**self.timeout_config)
+        if isinstance(self.tls_config, dict):
+            self.tls_config = TlsConfig(**self.tls_config)

python/src/connection.rs

@@ -301,6 +301,7 @@ pub struct PyClientConfig {
     timeout_config: Option<PyClientTimeoutConfig>,
     extra_headers: Option<HashMap<String, String>>,
     id_delimiter: Option<String>,
+    tls_config: Option<PyClientTlsConfig>,
 }
 
 #[derive(FromPyObject)]
@@ -321,6 +322,14 @@ pub struct PyClientTimeoutConfig {
     pool_idle_timeout: Option<Duration>,
 }
 
+#[derive(FromPyObject)]
+pub struct PyClientTlsConfig {
+    cert_file: Option<String>,
+    key_file: Option<String>,
+    ssl_ca_cert: Option<String>,
+    assert_hostname: bool,
+}
+
 #[cfg(feature = "remote")]
 impl From<PyClientRetryConfig> for lancedb::remote::RetryConfig {
     fn from(value: PyClientRetryConfig) -> Self {
@@ -347,6 +356,18 @@ impl From<PyClientTimeoutConfig> for lancedb::remote::TimeoutConfig {
     }
 }
 
+#[cfg(feature = "remote")]
+impl From<PyClientTlsConfig> for lancedb::remote::TlsConfig {
+    fn from(value: PyClientTlsConfig) -> Self {
+        Self {
+            cert_file: value.cert_file,
+            key_file: value.key_file,
+            ssl_ca_cert: value.ssl_ca_cert,
+            assert_hostname: value.assert_hostname,
+        }
+    }
+}
+
 #[cfg(feature = "remote")]
 impl From<PyClientConfig> for lancedb::remote::ClientConfig {
     fn from(value: PyClientConfig) -> Self {
@@ -356,6 +377,7 @@ impl From<PyClientConfig> for lancedb::remote::ClientConfig {
             timeout_config: value.timeout_config.map(Into::into).unwrap_or_default(),
             extra_headers: value.extra_headers.unwrap_or_default(),
             id_delimiter: value.id_delimiter,
+            tls_config: value.tls_config.map(Into::into),
         }
     }
 }