Feature Request: Custom CA Certificate Support for Self-Signed Certificates
Summary
The COSI driver cannot use private CA certificates for TLS connections. The only options are full system CA validation or completely disabling TLS verification, which is insecure.
Affected Files
pkg/config/config.go
pkg/clients/s3/s3.go
pkg/clients/iam/iam.go
pkg/clients/admin/admin.go
helm/cosi-driver/values.yaml
helm/cosi-driver/templates/deployment.yaml
Current Behavior
TLS configuration only supports a binary toggle:
```go
// pkg/clients/s3/s3.go (identical in iam.go and admin.go)
tr := &http.Transport{
	TLSClientConfig: &tls.Config{InsecureSkipVerify: config.DisableTLSCertificateChecking},
}
```

```yaml
# values.yaml
disableTLSCertificateCheck: false
```
Security Concerns
- All-or-Nothing TLS: Users with self-signed certificates must disable ALL TLS verification
- MITM Vulnerability: Disabling TLS verification exposes connections to man-in-the-middle attacks
- No Private CA Support: Enterprise environments with internal CAs cannot securely connect
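
A sketch of the requested behaviour, added here as an illustration and not taken from the driver's code: the TLS config trusts the system roots plus a private CA bundle while verification stays enabled. `newTLSConfig` and `constructedCA` are hypothetical names, and the CA is generated at run time as constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newTLSConfig (hypothetical helper) trusts the system roots plus an optional
// private CA bundle. It fails closed on a bundle with no parsable certificate.
func newTLSConfig(caPEM []byte) (*tls.Config, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("custom CA bundle contains no valid PEM certificate")
	}
	return &tls.Config{RootCAs: pool}, nil // InsecureSkipVerify stays false
}

// constructedCA returns a throwaway self-signed CA in PEM form (constructed input).
func constructedCA() ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, _ := constructedCA()
	cfg, err := newTLSConfig(ca)
	fmt.Println("verification enabled:", cfg != nil && !cfg.InsecureSkipVerify, "error:", err)
}
```

The returned config would take the place of the `InsecureSkipVerify` toggle in `http.Transport.TLSClientConfig`; how the bundle reaches the driver (for example a mounted file) is left open here.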