storage: support multiple SSL CA certificates (#11341)

## Problem - We need to support multiple SSL CA certificates for graceful root CA certificate rotation. - Closes: https://github.com/neondatabase/cloud/issues/25971 ## Summary of changes - Parses `ssl_ca_file` as a pem bundle, which may contain multiple certificates. Single pem cert is a valid pem bundle, so the change is backward compatible.
2026-01-07 21:42:56 +00:00 · 2025-03-21 17:43:38 +04:00
parent 0f367cb665
commit aeb53fea94
12 changed files with 41 additions and 38 deletions
--- a/storage_controller/src/main.rs
+++ b/storage_controller/src/main.rs
@@ -200,7 +200,7 @@ struct Cli {
    /// Period to reload certificate and private key from files.
    #[arg(long, default_value = DEFAULT_SSL_CERT_RELOAD_PERIOD)]
    ssl_cert_reload_period: humantime::Duration,
-    /// Trusted root CA certificate to use in https APIs.
+    /// Trusted root CA certificates to use in https APIs.
    #[arg(long)]
    ssl_ca_file: Option<PathBuf>,
 }
@@ -376,13 +376,13 @@ async fn async_main() -> anyhow::Result<()> {
        }
    }

-    let ssl_ca_cert = match args.ssl_ca_file.as_ref() {
+    let ssl_ca_certs = match args.ssl_ca_file.as_ref() {
        Some(ssl_ca_file) => {
            tracing::info!("Using ssl root CA file: {ssl_ca_file:?}");
            let buf = tokio::fs::read(ssl_ca_file).await?;
-            Some(Certificate::from_pem(&buf)?)
+            Certificate::from_pem_bundle(&buf)?
        }
-        None => None,
+        None => Vec::new(),
    };

    let config = Config {
@@ -425,7 +425,7 @@ async fn async_main() -> anyhow::Result<()> {
        start_as_candidate: args.start_as_candidate,
        use_https_pageserver_api: args.use_https_pageserver_api,
        use_https_safekeeper_api: args.use_https_safekeeper_api,
-        ssl_ca_cert,
+        ssl_ca_certs,
        timelines_onto_safekeepers: args.timelines_onto_safekeepers,
    };

--- a/storage_controller/src/service.rs
+++ b/storage_controller/src/service.rs
@@ -445,7 +445,7 @@ pub struct Config {

    pub use_https_safekeeper_api: bool,

-    pub ssl_ca_cert: Option<Certificate>,
+    pub ssl_ca_certs: Vec<Certificate>,

    pub timelines_onto_safekeepers: bool,
 }
@@ -1668,7 +1668,7 @@ impl Service {
        //
        // The bug has been fixed in hyper v1, so keep alive may be enabled only after we migrate to hyper1.
        http_client = http_client.pool_max_idle_per_host(0);
-        if let Some(ssl_ca_cert) = &config.ssl_ca_cert {
+        for ssl_ca_cert in &config.ssl_ca_certs {
            http_client = http_client.add_root_certificate(ssl_ca_cert.clone());
        }
        let http_client = http_client.build()?;