From 5fad17a3e698579619ee9167626b01d4bf4b6a1e Mon Sep 17 00:00:00 2001
From: vidya sagar m
Date: Wed, 20 May 2026 13:27:46 +0530
Subject: [PATCH] trusted certs support in CCCL
---
 f5_cccl/utils/mgmt.py | 56 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 3 deletions(-)
diff --git a/f5_cccl/utils/mgmt.py b/f5_cccl/utils/mgmt.py
index 12f967f..503900c 100644
--- a/f5_cccl/utils/mgmt.py
+++ b/f5_cccl/utils/mgmt.py
@@ -16,9 +16,59 @@ #
 """Wrapper functions for the f5-sdk"""
+import logging
+import os
+import tempfile
+
 from f5.bigip import ManagementRoot
+LOGGER = logging.getLogger(__name__)
+
+
+def mgmt_root(host, username, password, port, token, trusted_certs=''):
+ """Create a BIG-IP Management Root object.
+
+ Args:
+ host: BIG-IP hostname or IP address
+ username: BIG-IP admin username
+ password: BIG-IP admin password
+ port: BIG-IP management port (default: 443)
+ token: Token type for authentication (e.g., "tmos")
+ trusted_certs: Optional PEM-encoded CA certificate bundle for TLS
+ verification. If provided, SSL verification is enabled
+ using these certificates. If empty, SSL verification is
+ disabled (insecure, for backward compatibility).
-def mgmt_root(host, username, password, port, token):
- """Create a BIG-IP Management Root object"""
- return ManagementRoot(host, username, password, port=port, token=token)
+ Returns:
+ ManagementRoot: A connected BIG-IP management object
+ """
+ if trusted_certs:
+ # Write trusted certs to a temporary file for use with ManagementRoot.
+ # The temp file must persist for the lifetime of the ManagementRoot
+ # session so delete=False is used.
+ cert_file = tempfile.NamedTemporaryFile(
+ mode='w', suffix='.pem', delete=False)
+ try:
+ cert_file.write(trusted_certs)
+ cert_file.flush()
+ cert_file.close()
+ LOGGER.info(
+ "SSL verification enabled with trusted certificate(s) "
+ "from Secret")
+ return ManagementRoot(
+ host, username, password, port=port, token=token,
+ verify=cert_file.name)
+ except Exception as e:
+ LOGGER.error(
+ "Failed to configure SSL verification with trusted "
+ "certs: %s", e)
+ # Clean up temp file on error
+ try:
+ os.unlink(cert_file.name)
+ except OSError:
+ pass
+ raise
+ else:
+ # Backward compatibility: SSL verification disabled (insecure)
+ return ManagementRoot(
+ host, username, password, port=port, token=token)
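Review bot: The CA bundle written to `cert_file` in the `if trusted_certs:` branch is never removed on the success path, so every call that supplies trusted certs leaves a new `.pem` behind in the temp directory; the comment says the file must outlive the ManagementRoot session, but nothing ties its removal to the session ending. The cheapest fix is to register removal at interpreter exit right after `cert_file.close()`: `atexit.register(os.unlink, cert_file.name)` (with `import atexit` added to the new import block), or alternatively let the caller pass a path it manages. The insecure fallback in the `else:` branch is silent even though it skips server-certificate validation; it should say so, e.g. `LOGGER.warning("SSL verification disabled; BIG-IP server certificate will not be validated")`, so operators can spot deployments running without trusted certs from the logs. The `except Exception` message attributes any failure of `ManagementRoot(...)`, including authentication or connectivity errors, to trusted-cert configuration, which is misleading in logs; the temp-file cleanup is right but the message should describe the exception rather than the branch. Whether this ManagementRoot accepts a `verify=` bundle path is not visible here and should be confirmed against the f5-sdk version in use.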