@blp blp commented Jan 22, 2026

This will enable the coordinator to generate certificates for connections to pipelines in multihost environments.

@blp blp requested review from gz and snkas January 22, 2026 19:35
@blp blp self-assigned this Jan 22, 2026
@blp blp added the Pipeline manager Pipeline manager (API, API server, runner, compiler server) label Jan 22, 2026
Copilot AI review requested due to automatic review settings January 22, 2026 19:35
@blp blp added security Issues that are critical for security rust Pull requests that update Rust code labels Jan 22, 2026

Copilot AI left a comment

Pull request overview

This PR extends the pipeline manager’s TLS configuration to support an additional private certificate authority (CA) for pipeline connections in multihost environments.

Changes:

  • Add a new --private-ca-cert-path configuration option and canonicalization to support a second CA chain.
  • Introduce ca_cert_paths() helper to aggregate all configured CA bundles.
  • Update awc_client and reqwest_client construction to load and trust both the existing HTTPS CA and the new private CA when HTTPS is enabled.

pub https_tls_key_path: Option<String>,

/// Path to an additional TLS x509 certificate PEM file (e.g.,
/// `/path/to/tls.crt`). The pipeline will connect to servers whose keys
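
Review bot: the example path `/path/to/tls.crt` in this doc comment reads like a server's own certificate, while the option (`--private-ca-cert-path` in the overview above) names a CA that is trusted when verifying other servers. Consider an example such as `/path/to/ca.crt` with wording like "an additional CA certificate PEM file", and say whether the file may hold more than one certificate.
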
Copilot AI Jan 22, 2026

This comment refers to 'The pipeline will connect...', but this option is part of CommonConfig used by the pipeline manager and its HTTP clients; consider rephrasing to 'The pipeline manager will connect...' (or similar) for consistency with the neighboring docs and actual usage.

Suggested change
/// `/path/to/tls.crt`). The pipeline will connect to servers whose keys
/// `/path/to/tls.crt`). The pipeline manager will connect to servers whose keys

Comment on lines +446 to +450
if self.https_config().is_some() {
let mut builder = reqwest::ClientBuilder::new()
.https_only(true) // Only connect to HTTPS
.add_root_certificate(root_cert) // Add our own TLS certificate which is used
.tls_built_in_root_certs(false) // Other TLS certificates are not used
.build()
.expect("HTTPS client should be built")
.tls_built_in_root_certs(false); // Other TLS certificates are not used
for path in self.ca_cert_paths() {
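
Review bot: in the `for path in self.ca_cert_paths()` loop, the certificates loaded are the client's only trust anchors because `.tls_built_in_root_certs(false)` is set just above, so a path that cannot be read or parsed should produce an error naming that path rather than be skipped or hit a generic `expect`. The loop body is cut off in this view, so confirm it does that. If a configured file can hold a chain of several certificates, load it with `reqwest::Certificate::from_pem_bundle` so every certificate in it is added.
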
Copilot AI Jan 22, 2026

The new private_ca_cert_path is only used when https_config() returns Some(_), but the field’s doc comment above does not mention that it is only honored when HTTPS is enabled; it would be clearer to explicitly state this dependency in the documentation (or adjust the condition if it is meant to be usable independently of --https-tls-cert-path).

@blp blp added this pull request to the merge queue Jan 22, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 22, 2026
@blp blp enabled auto-merge January 22, 2026 22:52
@blp blp added this pull request to the merge queue Jan 22, 2026
Merged via the queue into main with commit 9768983 Jan 23, 2026
1 check passed
@blp blp deleted the coordinator branch January 23, 2026 01:09