add tls authentication for httpendpoint (#3780)

Signed-off-by: yaron2 <schneider.yaron@live.com>
2023-10-03 19:39:16 -07:00 · 2023-10-03 19:39:16 -07:00 · 42f857ed4e
parent da0ffcfe11
commit 42f857ed4e
2 changed files with 60 additions and 0 deletions
--- a/daprdocs/content/en/developing-applications/building-blocks/service-invocation/howto-invoke-non-dapr-endpoints.md
+++ b/daprdocs/content/en/developing-applications/building-blocks/service-invocation/howto-invoke-non-dapr-endpoints.md
@ -79,6 +79,52 @@ localhost:3500/v1.0/invoke/<appID>/method/<my-method>
 curl http://localhost:3602/v1.0/invoke/orderprocessor/method/checkout
 ```

+## TLS authentication
+
+Using the [HTTPEndpoint resource]({{< ref httpendpoints-schema.md >}}) allows you to use any combination of a root certificate, client certificate and private key according to the authentication requirements of the remote endpoint.
+
+### Example using root certificate
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: HTTPEndpoint
+metadata:
+  name: "external-http-endpoint-tls"
+spec:
+  baseUrl: https://service-invocation-external:443
+  headers:
+  - name: "Accept-Language"
+    value: "en-US"
+  clientTLS:
+    rootCA:
+      secretKeyRef:
+        name: dapr-tls-client
+        key: ca.crt
+```
+
+### Example using client certificate and private key
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: HTTPEndpoint
+metadata:
+  name: "external-http-endpoint-tls"
+spec:
+  baseUrl: https://service-invocation-external:443
+  headers:
+  - name: "Accept-Language"
+    value: "en-US"
+  clientTLS:
+    certificate:
+      secretKeyRef:
+        name: dapr-tls-client
+        key: tls.crt
+    privateKey:
+      secretKeyRef:
+        name: dapr-tls-key
+        key: tls.key
+```
+
 ## Related Links

 - [HTTPEndpoint reference]({{< ref httpendpoints-schema.md >}})
--- a/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md
+++ b/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md
@ -27,6 +27,19 @@ spec:
    secretKeyRef:
      name: <REPLACE-WITH-SECRET-NAME>
      key: <REPLACE-WITH-SECRET-KEY>
+  clientTLS:
+    rootCA:
+      secretKeyRef:
+        name: <REPLACE-WITH-SECRET-NAME>
+        key: <REPLACE-WITH-SECRET-KEY>
+    certificate:
+      secretKeyRef:
+        name: <REPLACE-WITH-SECRET-NAME>
+        key: <REPLACE-WITH-SECRET-KEY>
+    privateKey:
+      secretKeyRef:
+        name: <REPLACE-WITH-SECRET-NAME>
+        key: <REPLACE-WITH-SECRET-KEY>
 scopes: # Optional
  - <REPLACE-WITH-SCOPED-APPIDS>
 auth: # Optional
@ -39,6 +52,7 @@ auth: # Optional
 |--------------------|:--------:|---------|---------|
 | baseUrl            | Y        | Base URL of the non-Dapr endpoint | `"https://api.github.com"`, `"http://api.github.com"`
 | headers            | N        | HTTP request headers for service invocation | `name: "Accept-Language" value: "en-US"` <br/> `name: "Authorization" secretKeyRef.name: "my-secret" secretKeyRef.key: "myGithubToken" `
+| clientTLS          | N        | Enables TLS authentication to an endpoint with any standard combination of root certificate, client certificate and private key

 ## Related links