Demonstrate index management with a custom CA cert

Author: brantburnett

.editorconfig

@@ -13,7 +13,7 @@ indent_size = 2
 [nuget.config]
 indent_size = 2
 
-[*.{yaml,yml}]
+[*.{yaml,yml,json}]
 indent_size = 2
 
 [*.cs]

src/Couchbase.Aspire.Hosting.Indices/CouchbaseIndicesBuilderExtensions.cs

@@ -82,7 +82,7 @@ public static IResourceBuilder<CouchbaseIndexManagerResource> WithIndices(this I
             }
             catch (IOException ex)
             {
-                throw new DistributedApplicationException($"Index definition path '{path}' is invalid.", ex);
+                throw new InvalidOperationException($"Index definition path '{path}' is invalid.", ex);
             }
         }
 

src/Couchbase.Aspire.Hosting.Indices/README.md

@@ -46,6 +46,28 @@ var myService = builder.AddProject<Projects.MyService>()
 Index definition files are JSON or YAML files that define the indexes to be created on a Couchbase bucket. They may be referenced by directory
 or by individual file. See [couchbase-index-manager Documentation](https://github.com/brantburnett/couchbase-index-manager/tree/main/packages/couchbase-index-manager-cli#definition-files) for details on the file format.
 
+## Using with a secure Couchbase cluster
+
+If your Couchbase cluster uses TLS/SSL, you may need to configure the index manager to trust the cluster's certificate.
+
+```csharp
+var certAuthorityCollection = builder.AddCertificateAuthorityCollection("couchbase-cert-authority")
+    .WithCertificate(certificateWithPrivateKey);
+
+var couchbase = builder.AddCouchbase("couchbase");
+var bucket = couchbase.AddBucket("mybucket")
+    .WithRootCertificateAuthority(certAuthorityCollection); // Use the certificate for the Couchbase cluster
+
+var bucketIndices = bucket.AddIndexManager("mybucket-indices")
+    .WithIndices("../indices")
+    .WithCertificateAuthorityCollection(certAuthorityCollection); // Trust the certificate for index management
+
+var myService = builder.AddProject<Projects.MyService>()
+    .WithReference(bucket)
+    .WaitFor(bucket)
+    .WaitForCompletion(bucketIndices);
+```
+
 ## Feedback & contributing
 
 https://github.com/couchbaselabs/couchbase-aspire

src/Couchbase.Aspire.Hosting/CouchbaseClusterBuilderExtensions.cs

@@ -530,6 +530,32 @@ public static IResourceBuilder<CouchbaseClusterResource> WithRootCertificationAu
         return builder.WithAnnotation(annotation, ResourceAnnotationMutationBehavior.Replace);
     }
 
+    /// <summary>
+    /// Enables TLS for cluster communications using a root certification authority.
+    /// </summary>
+    /// <param name="builder">Builder for the couchbase cluster.</param>
+    /// <param name="certAuthorityCollection">Collection that includes the certificate. Must include a private key.</param>
+    /// <param name="trustCertificate">If the certificate must be explicitly trusted for initialization and health check operations.</param>
+    /// <returns>The <paramref name="builder"/>.</returns>
+    /// <remarks>
+    /// The root certificate must be trusted by any application connecting to the cluster. It must also be trusted
+    /// by the host running Aspire if <paramref name="trustCertificate"/> is <c>false</c>.
+    /// </remarks>
+    public static IResourceBuilder<CouchbaseClusterResource> WithRootCertificationAuthority(this IResourceBuilder<CouchbaseClusterResource> builder,
+        IResourceBuilder<CertificateAuthorityCollection> certAuthorityCollection, bool trustCertificate = false)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+        ArgumentNullException.ThrowIfNull(certAuthorityCollection);
+
+        var certificate = certAuthorityCollection.Resource.Certificates.FirstOrDefault(p => p.HasPrivateKey);
+        if (certificate is null)
+        {
+            throw new InvalidOperationException($"{nameof(certAuthorityCollection)} must include a certificate with a private key.");
+        }
+
+        return builder.WithRootCertificationAuthority(certificate, trustCertificate: trustCertificate);
+    }
+
     /// <summary>
     /// Sets the lifetime behavior of the Couchbase cluster.
     /// </summary>

tests/Aspire.Test.AppHost/AppHost.cs

@@ -1,21 +1,16 @@
 using Couchbase.Aspire.Hosting;
 using Couchbase.KeyValue;
 using Couchbase.Management.Buckets;
+using Microsoft.Extensions.Configuration;
 
 var builder = DistributedApplication.CreateBuilder(args);
 
 var couchbasePassword = builder.AddParameter("couchbase-password", "password", secret: true);
 
 var couchbase = builder.AddCouchbase("couchbase", password: couchbasePassword)
     .WithManagementPort(8091) // Optional fixed port number for the primary node
-    .WithSecureManagementPort(18091) // Optional fixed port number for the primary node
     .WithCouchbaseEdition(CouchbaseEdition.Enterprise); // Optional edition, default is Enterprise
 
-// Uncomment this section to test building a secure cluster. Note that the test web app will not be
-// able to connect unless the certificate is trusted on the host machine.
-// var certificate = Aspire.Test.AppHost.Helpers.LoadCACertificate("CouchbaseCA.pfx");
-// couchbase.WithRootCertificationAuthority(certificate, trustCertificate: true);
-
 var couchbaseGroup1 = couchbase.AddServerGroup("couchbase-group1")
     .WithServices(CouchbaseServices.Data | CouchbaseServices.Query | CouchbaseServices.Index | CouchbaseServices.Search)
     .WithReplicas(2);
@@ -30,7 +25,9 @@
     .WithMinimumDurabilityLevel(DurabilityLevel.MajorityAndPersistToActive)
     .WithEvictionPolicy(EvictionPolicyType.FullEviction)
     .WithCompressionMode(CompressionMode.Active)
-    .WithReplicas(0)
+    .WithReplicas(0);
+
+var testIndices = testBucket.AddIndexManager("test-indices")
     .WithIndices("test-indices");
 
 var cacheBucket = couchbase.AddBucket("cache-bucket", bucketName: "cache")
@@ -45,6 +42,21 @@
 builder.AddProject<Projects.Aspire_Test_WebApp>("aspire-test-webapp")
     .WithExternalHttpEndpoints()
     .WithHttpHealthCheck("/health")
-    .WithReference(testBucket).WaitFor(testBucket);
+    .WithReference(testBucket).WaitFor(testBucket)
+    .WaitForCompletion(testIndices);
+
+if (builder.Configuration.GetValue("COUCHBASE_SECURE", false))
+{
+    // Note that the test web app will not be able to connect unless the certificate is trusted on the host machine.
+    var certAuthorityCollection = builder.AddCertificateAuthorityCollection("couchbase-cert-authority")
+        .WithCertificate(Aspire.Test.AppHost.Helpers.LoadCACertificate("CouchbaseCA.pfx"));
+
+    couchbase
+        .WithSecureManagementPort(18091) // Optional fixed port number for the primary node
+        .WithRootCertificationAuthority(certAuthorityCollection, trustCertificate: true);
+
+    // Trust the Couchbase CA for the index manager
+    testIndices.WithCertificateAuthorityCollection(certAuthorityCollection);
+}
 
 builder.Build().Run();

tests/Aspire.Test.AppHost/Properties/launchSettings.json

@@ -13,6 +13,20 @@
         "ASPIRE_DASHBOARD_MCP_ENDPOINT_URL": "https://localhost:23063",
         "ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL": "https://localhost:22041"
       }
+    },
+    "https+couchbases": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:17182;http://localhost:15107",
+      "environmentVariables": {
+        "COUCHBASE_SECURE": "true",
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "ASPIRE_DASHBOARD_OTLP_ENDPOINT_URL": "https://localhost:21071",
+        "ASPIRE_DASHBOARD_MCP_ENDPOINT_URL": "https://localhost:23063",
+        "ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL": "https://localhost:22041"
+      }
     }
   }
 }