Conversation

@justinrlee
Member

Note: for now, not submitting an actual PR; to use this, clone this specific branch, and build manually.

Release Notes

Adds support for trusting custom CA certificates (or skipping certificate validation) when connecting to Confluent Cloud Flink services (Gateway and Language Server).

Useful for working around current Flink multi-environment limitations.

Breaking Changes

  • None

New Features

  • Two (hidden) flags on confluent flink (and child subcommands)
confluent flink --insecure-skip-verify
confluent flink --certificate-authority-path <path-to-custom-truststore-pem>

For example, either of these will work if there's a MITM proxy in front of Flink:

confluent flink shell --insecure-skip-verify
confluent flink shell --certificate-authority-path /Users/justinlee/work/nginx/ca.crt

Bug Fixes

  • None

Checklist

  • I have successfully built and used a custom CLI binary, without linter issues from this PR.
  • I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
  • I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
  • I have verified this PR in Confluent Platform on-premises environment, if applicable.
  • I have attached manual CLI verification results or screenshots in the Test & Review section below.
  • I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Confluent Platform
    • Check this box if the feature is enabled for certain organizations only

What

Blast Radius

References

Test & Review

Copilot AI review requested due to automatic review settings December 5, 2025 09:06
@justinrlee justinrlee requested a review from a team as a code owner December 5, 2025 09:06
@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

Copilot AI left a comment

Pull request overview

This PR adds support for custom TLS certificate handling in Confluent Flink CLI connections to both the Gateway and Language Server. It introduces two hidden flags (--insecure-skip-verify and --certificate-authority-path) to enable connections through MITM proxies or custom certificate authorities, addressing current Flink multi-environment limitations.

Key Changes:

  • Added TLS configuration support throughout the Flink client stack (Gateway and LSP websocket connections)
  • Implemented GetEnrichedCACertPool utility function to load and merge custom CA certificates with system certificates
  • Updated function signatures across multiple layers to thread tls.Config through the connection initialization chain

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

File | Description
pkg/utils/cert_utils.go | Adds new utility function to create enriched CA certificate pools from custom certificate files
pkg/flink/lsp/lsp_completer_ws.go | Updates LSP websocket client to accept and use TLS configuration
pkg/flink/internal/store/store_utils_test.go | Updates test instantiations to include new TLS config parameter
pkg/flink/internal/store/store_test.go | Updates test instantiations to include new TLS config parameter
pkg/flink/app/application.go | Threads TLS config through to LSP client initialization
pkg/cmd/authenticated_cli_command.go | Reads TLS flags and constructs TLS config for Gateway client
pkg/ccloudv2/utils.go | Updates HTTP client creation to accept and apply TLS configuration
pkg/ccloudv2/flink_gateway.go | Updates Gateway client constructor to accept TLS config parameter
internal/flink/command_shell.go | Implements TLS flag handling for shell command execution paths
internal/flink/command.go | Registers new hidden persistent flags for TLS configuration
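The two flags from the PR description and the "enriched CA pool" the review summarizes, written out as an added Go example. This is not code from the confluent CLI: the function names (enrichedCACertPool, buildTLSConfig, writeSelfSignedCA, trustedBy) are this example's own, the rule that a CA path takes precedence over skipping verification is this example's design choice rather than the CLI's documented behaviour, and the CA certificate is constructed on the fly to stand in for an operator's proxy CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// enrichedCACertPool starts from the system roots, falls back to an empty pool
// when they cannot be loaded, and appends every PEM certificate found in caPath.
// Illustration written for this page; not the CLI's own GetEnrichedCACertPool.
func enrichedCACertPool(caPath string) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		// SystemCertPool returns a nil pool on error, so a fresh pool is needed
		// before AppendCertsFromPEM can be called safely.
		log.Printf("unable to load system certificates (%v); continuing with custom certificates only", err)
		pool = x509.NewCertPool()
	}
	pemBytes, err := os.ReadFile(caPath)
	if err != nil {
		return nil, fmt.Errorf("read CA file %q: %w", caPath, err)
	}
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no PEM certificates found in %q", caPath)
	}
	return pool, nil
}

// buildTLSConfig maps the flag values onto a tls.Config. Flag names follow the
// PR; the precedence rule (CA path wins over --insecure-skip-verify) is this
// example's choice, so an invocation that passes both still verifies the server.
func buildTLSConfig(insecureSkipVerify bool, caPath string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPath != "" {
		pool, err := enrichedCACertPool(caPath)
		if err != nil {
			return nil, err
		}
		cfg.RootCAs = pool
		return cfg, nil
	}
	if insecureSkipVerify {
		log.Printf("certificate verification disabled; the connection can be intercepted")
	}
	cfg.InsecureSkipVerify = insecureSkipVerify
	return cfg, nil
}

// writeSelfSignedCA writes a throwaway CA certificate (constructed test data,
// not a real trust anchor) to path and returns the parsed certificate.
func writeSelfSignedCA(path string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Proxy CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether cert chains to a root in pool. No hostname is
// checked because the constructed certificate carries no SANs.
func trustedBy(cert *x509.Certificate, pool *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	dir, err := os.MkdirTemp("", "flink-tls-example")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	caPath := filepath.Join(dir, "proxy-ca.pem")
	caCert, err := writeSelfSignedCA(caPath)
	if err != nil {
		log.Fatal(err)
	}
	cfg, err := buildTLSConfig(false, caPath)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("custom CA trusted by enriched pool:", trustedBy(caCert, cfg.RootCAs))
	fmt.Println("custom CA trusted by empty pool:", trustedBy(caCert, x509.NewCertPool()))
}
```

The resulting tls.Config is what would be handed to the Gateway HTTP client and the LSP websocket dialer. Merging into the system pool rather than replacing it matters operationally: the CLI keeps working against the real Confluent endpoints while also trusting the proxy CA, and the skip-verify path is only reached when no CA file was given at all.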


// Load system certs (or initialize a new one if unable to load system) as a certificate pool
caCertPool, err := x509.SystemCertPool()
if err != nil {
log.CliLogger.Warnf("Unable to load system certificates; continuing with custom certificates only")
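Review bot: the error branch as shown only logs the warning, but x509.SystemCertPool() returns a nil pool when it fails, so the comment's promise to "initialize a new one if unable to load system" needs an explicit "caCertPool = x509.NewCertPool()" in this branch before any AppendCertsFromPEM call; if that assignment sits just below the visible lines, please make sure it is inside the "if err != nil" block rather than after it, otherwise the nil pool is used. On the wording nitpick above: the plural "certificates" in the log message is correct, since the pool holds many system roots and the flag can load a PEM bundle with several CAs, so the message can stay as written.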
Copilot AI Dec 5, 2025

[nitpick] Corrected spelling of 'certificates' to 'certificate' in warning message for consistency with line 172's wording.

Suggested change
log.CliLogger.Warnf("Unable to load system certificates; continuing with custom certificates only")
log.CliLogger.Warnf("Unable to load system certificate; continuing with custom certificate only")
