add tls authentication for httpendpoint (#3780)

yaron2 · web-flow · commit 42f857ed4e56 · 2023-10-03T19:39:16.000-07:00
Signed-off-by: yaron2 &lt;schneider.yaron@live.com&gt;
diff --git a/daprdocs/content/en/developing-applications/building-blocks/service-invocation/howto-invoke-non-dapr-endpoints.md b/daprdocs/content/en/developing-applications/building-blocks/service-invocation/howto-invoke-non-dapr-endpoints.md
@@ -79,6 +79,52 @@ localhost:3500/v1.0/invoke/<appID>/method/<my-method>
 curl http://localhost:3602/v1.0/invoke/orderprocessor/method/checkout
 ```
 
+## TLS authentication
+
+Using the [HTTPEndpoint resource]({{< ref httpendpoints-schema.md >}}) allows you to use any combination of a root certificate, client certificate and private key according to the authentication requirements of the remote endpoint.
+
+### Example using root certificate
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: HTTPEndpoint
+metadata:
+  name: "external-http-endpoint-tls"
+spec:
+  baseUrl: https://service-invocation-external:443
+  headers:
+  - name: "Accept-Language"
+    value: "en-US"
+  clientTLS:
+    rootCA:
+      secretKeyRef:
+        name: dapr-tls-client
+        key: ca.crt
+```
+
+### Example using client certificate and private key
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: HTTPEndpoint
+metadata:
+  name: "external-http-endpoint-tls"
+spec:
+  baseUrl: https://service-invocation-external:443
+  headers:
+  - name: "Accept-Language"
+    value: "en-US"
+  clientTLS:
+    certificate:
+      secretKeyRef:
+        name: dapr-tls-client
+        key: tls.crt
+    privateKey:
+      secretKeyRef:
+        name: dapr-tls-key
+        key: tls.key
+```
+
 ## Related Links
 
 - [HTTPEndpoint reference]({{< ref httpendpoints-schema.md >}})
diff --git a/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md b/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md
@@ -27,6 +27,19 @@ spec:
     secretKeyRef:
       name: <REPLACE-WITH-SECRET-NAME>
       key: <REPLACE-WITH-SECRET-KEY>
+  clientTLS:
+    rootCA:
+      secretKeyRef:
+        name: <REPLACE-WITH-SECRET-NAME>
+        key: <REPLACE-WITH-SECRET-KEY>
+    certificate:
+      secretKeyRef:
+        name: <REPLACE-WITH-SECRET-NAME>
+        key: <REPLACE-WITH-SECRET-KEY>
+    privateKey:
+      secretKeyRef:
+        name: <REPLACE-WITH-SECRET-NAME>
+        key: <REPLACE-WITH-SECRET-KEY>
 scopes: # Optional
   - <REPLACE-WITH-SCOPED-APPIDS>
 auth: # Optional
@@ -39,6 +52,7 @@ auth: # Optional
 |--------------------|:--------:|---------|---------|
 | baseUrl            | Y        | Base URL of the non-Dapr endpoint | `"https://api.github.com"`, `"http://api.github.com"`
 | headers            | N        | HTTP request headers for service invocation | `name: "Accept-Language" value: "en-US"` <br/> `name: "Authorization" secretKeyRef.name: "my-secret" secretKeyRef.key: "myGithubToken" `
+| clientTLS          | N        | Enables TLS authentication to an endpoint with any standard combination of root certificate, client certificate and private key
 
 ## Related links
 
