flipt-io
diff --git a/‎flipt-client-csharp/README.md
Lines changed: 130 additions & 0 deletions b/‎flipt-client-csharp/README.md
Lines changed: 130 additions & 0 deletions
diff --git a/‎flipt-client-csharp/src/FliptClient/Models/ClientOptions.cs
Lines changed: 7 additions & 0 deletions b/‎flipt-client-csharp/src/FliptClient/Models/ClientOptions.cs
Lines changed: 7 additions & 0 deletions
diff --git a/‎flipt-client-csharp/src/FliptClient/Models/TlsConfig.cs
Lines changed: 190 additions & 0 deletions b/‎flipt-client-csharp/src/FliptClient/Models/TlsConfig.cs
Lines changed: 190 additions & 0 deletions
diff --git a/‎flipt-client-csharp/tests/FliptClient.Tests/FliptClientTests.cs
Lines changed: 15 additions & 0 deletions b/‎flipt-client-csharp/tests/FliptClient.Tests/FliptClientTests.cs
Lines changed: 15 additions & 0 deletions
@@ -123,6 +123,136 @@ The `FliptClient` supports the following authentication strategies:
 - [Client Token Authentication](https://docs.flipt.io/authentication/using-tokens)
 - [JWT Authentication](https://docs.flipt.io/authentication/using-jwts)
 
+### TLS Configuration
+
+The `FliptClient` supports configuring TLS settings for secure connections to Flipt servers. This is useful when:
+
+- Connecting to Flipt servers with self-signed certificates
+- Using custom Certificate Authorities (CAs)
+- Implementing mutual TLS authentication
+- Testing with insecure connections (development only)
+
+#### Basic TLS with Custom CA Certificate
+
+```csharp
+using FliptClient;
+using FliptClient.Models;
+
+// Using a CA certificate file
+var tlsConfig = TlsConfig.WithCaCertFile("/path/to/ca.pem");
+
+var options = new ClientOptions
+{
+    Url = "https://flipt.example.com",
+    TlsConfig = tlsConfig,
+    Authentication = new Authentication { ClientToken = "your-token" }
+};
+
+using var client = new FliptClient(options);
+```
+
+```csharp
+// Using CA certificate data directly
+var caCertData = File.ReadAllText("/path/to/ca.pem");
+var tlsConfig = TlsConfig.WithCaCertData(caCertData);
+
+var options = new ClientOptions
+{
+    Url = "https://flipt.example.com",
+    TlsConfig = tlsConfig,
+    Authentication = new Authentication { ClientToken = "your-token" }
+};
+
+using var client = new FliptClient(options);
+```
+
+#### Mutual TLS Authentication
+
+```csharp
+// Using certificate and key files
+var tlsConfig = TlsConfig.WithMutualTls("/path/to/client.pem", "/path/to/client.key");
+
+var options = new ClientOptions
+{
+    Url = "https://flipt.example.com",
+    TlsConfig = tlsConfig,
+    Authentication = new Authentication { ClientToken = "your-token" }
+};
+
+using var client = new FliptClient(options);
+```
+
+```csharp
+// Using certificate and key data directly
+var clientCertData = File.ReadAllText("/path/to/client.pem");
+var clientKeyData = File.ReadAllText("/path/to/client.key");
+
+var tlsConfig = TlsConfig.WithMutualTlsData(clientCertData, clientKeyData);
+
+var options = new ClientOptions
+{
+    Url = "https://flipt.example.com",
+    TlsConfig = tlsConfig,
+    Authentication = new Authentication { ClientToken = "your-token" }
+};
+
+using var client = new FliptClient(options);
+```
+
+#### Advanced TLS Configuration
+
+```csharp
+// Full TLS configuration with all options
+var tlsConfig = new TlsConfig
+{
+    CaCertFile = "/path/to/ca.pem",
+    ClientCertFile = "/path/to/client.pem",
+    ClientKeyFile = "/path/to/client.key",
+    InsecureSkipVerify = false
+};
+
+var options = new ClientOptions
+{
+    Url = "https://flipt.example.com",
+    TlsConfig = tlsConfig,
+    Authentication = new Authentication { ClientToken = "your-token" }
+};
+
+using var client = new FliptClient(options);
+```
+
+#### Development Mode (Insecure)
+
+**⚠️ WARNING: Only use this in development environments!**
+
+```csharp
+// Skip certificate verification (NOT for production)
+var tlsConfig = TlsConfig.Insecure();
+
+var options = new ClientOptions
+{
+    Url = "https://localhost:8443",
+    TlsConfig = tlsConfig,
+    Authentication = new Authentication { ClientToken = "your-token" }
+};
+
+using var client = new FliptClient(options);
+```
+
+#### TLS Configuration Options
+
+The `TlsConfig` class supports the following properties:
+
+- `CaCertFile`: Path to custom CA certificate file (PEM format)
+- `CaCertData`: Raw CA certificate content (PEM format) - takes precedence over `CaCertFile`
+- `InsecureSkipVerify`: Skip certificate verification (development only)
+- `ClientCertFile`: Client certificate file for mutual TLS (PEM format)
+- `ClientKeyFile`: Client private key file for mutual TLS (PEM format)
+- `ClientCertData`: Raw client certificate content (PEM format) - takes precedence over `ClientCertFile`
+- `ClientKeyData`: Raw client private key content (PEM format) - takes precedence over `ClientKeyFile`
+
+> **Note**: When both file paths and data are provided, the data properties take precedence. For example, if both `CaCertFile` and `CaCertData` are set, `CaCertData` will be used.
+
 ### Error Strategies
 
 The `FliptClient` supports the following error strategies:
 
@@ -73,6 +73,13 @@ public class ClientOptions
         [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
         [JsonPropertyName("snapshot")]
         public string? Snapshot { get; set; }
+
+        /// <summary>
+        /// Gets or sets TLS configuration for connecting to servers with custom certificates.
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("tls_config")]
+        public TlsConfig? TlsConfig { get; set; }
     }
 
     [JsonConverter(typeof(LowercaseEnumConverter<ErrorStrategy>))]
 
@@ -0,0 +1,190 @@
+using System.Text.Json.Serialization;
+
+namespace FliptClient.Models
+{
+    /// <summary>
+    /// Configuration for TLS connections to Flipt servers.
+    /// Provides options for custom CA certificates, client certificates for mutual TLS,
+    /// and insecure mode for development.
+    /// </summary>
+    public class TlsConfig
+    {
+        /// <summary>
+        /// Gets or sets the path to the CA certificate file (PEM format).
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("ca_cert_file")]
+        public string? CaCertFile { get; set; }
+
+        /// <summary>
+        /// Gets or sets the CA certificate content (PEM format).
+        /// Takes precedence over CaCertFile if both are provided.
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("ca_cert_data")]
+        public string? CaCertData { get; set; }
+
+        /// <summary>
+        /// Gets or sets whether to skip certificate verification.
+        /// WARNING: Only use this in development environments!
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("insecure_skip_verify")]
+        public bool? InsecureSkipVerify { get; set; }
+
+        /// <summary>
+        /// Gets or sets the path to the client certificate file for mutual TLS (PEM format).
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("client_cert_file")]
+        public string? ClientCertFile { get; set; }
+
+        /// <summary>
+        /// Gets or sets the path to the client private key file for mutual TLS (PEM format).
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("client_key_file")]
+        public string? ClientKeyFile { get; set; }
+
+        /// <summary>
+        /// Gets or sets the client certificate content for mutual TLS (PEM format).
+        /// Takes precedence over ClientCertFile if both are provided.
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("client_cert_data")]
+        public string? ClientCertData { get; set; }
+
+        /// <summary>
+        /// Gets or sets the client private key content for mutual TLS (PEM format).
+        /// Takes precedence over ClientKeyFile if both are provided.
+        /// </summary>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        [JsonPropertyName("client_key_data")]
+        public string? ClientKeyData { get; set; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="TlsConfig"/> class.
+        /// </summary>
+        public TlsConfig()
+        {
+        }
+
+        /// <summary>
+        /// Creates a TLS configuration for insecure connections (development only).
+        /// WARNING: Only use this in development environments!
+        /// </summary>
+        /// <returns>A TLS configuration with certificate verification disabled.</returns>
+        public static TlsConfig Insecure()
+        {
+            return new TlsConfig
+            {
+                InsecureSkipVerify = true
+            };
+        }
+
+        /// <summary>
+        /// Creates a TLS configuration with a custom CA certificate file.
+        /// </summary>
+        /// <param name="caCertFile">Path to the CA certificate file (PEM format).</param>
+        /// <returns>A TLS configuration with the specified CA certificate.</returns>
+        /// <exception cref="ValidationException">Thrown when the CA certificate file does not exist.</exception>
+        public static TlsConfig WithCaCertFile(string caCertFile)
+        {
+            if (string.IsNullOrWhiteSpace(caCertFile))
+            {
+                throw new ValidationException("CA certificate file path cannot be null or empty");
+            }
+
+            if (!File.Exists(caCertFile))
+            {
+                throw new ValidationException($"CA certificate file does not exist: {caCertFile}");
+            }
+
+            return new TlsConfig
+            {
+                CaCertFile = caCertFile
+            };
+        }
+
+        /// <summary>
+        /// Creates a TLS configuration with CA certificate data.
+        /// </summary>
+        /// <param name="caCertData">CA certificate content in PEM format.</param>
+        /// <returns>A TLS configuration with the specified CA certificate data.</returns>
+        /// <exception cref="ValidationException">Thrown when the CA certificate data is null or empty.</exception>
+        public static TlsConfig WithCaCertData(string caCertData)
+        {
+            if (string.IsNullOrWhiteSpace(caCertData))
+            {
+                throw new ValidationException("CA certificate data cannot be null or empty");
+            }
+
+            return new TlsConfig
+            {
+                CaCertData = caCertData
+            };
+        }
+
+        /// <summary>
+        /// Creates a TLS configuration for mutual TLS using certificate files.
+        /// </summary>
+        /// <param name="clientCertFile">Path to the client certificate file (PEM format).</param>
+        /// <param name="clientKeyFile">Path to the client private key file (PEM format).</param>
+        /// <returns>A TLS configuration for mutual TLS.</returns>
+        /// <exception cref="ValidationException">Thrown when certificate files are invalid or do not exist.</exception>
+        public static TlsConfig WithMutualTls(string clientCertFile, string clientKeyFile)
+        {
+            if (string.IsNullOrWhiteSpace(clientCertFile))
+            {
+                throw new ValidationException("Client certificate file path cannot be null or empty");
+            }
+
+            if (string.IsNullOrWhiteSpace(clientKeyFile))
+            {
+                throw new ValidationException("Client key file path cannot be null or empty");
+            }
+
+            if (!File.Exists(clientCertFile))
+            {
+                throw new ValidationException($"Client certificate file does not exist: {clientCertFile}");
+            }
+
+            if (!File.Exists(clientKeyFile))
+            {
+                throw new ValidationException($"Client key file does not exist: {clientKeyFile}");
+            }
+
+            return new TlsConfig
+            {
+                ClientCertFile = clientCertFile,
+                ClientKeyFile = clientKeyFile
+            };
+        }
+
+        /// <summary>
+        /// Creates a TLS configuration for mutual TLS using certificate data.
+        /// </summary>
+        /// <param name="clientCertData">Client certificate content in PEM format.</param>
+        /// <param name="clientKeyData">Client private key content in PEM format.</param>
+        /// <returns>A TLS configuration for mutual TLS.</returns>
+        /// <exception cref="ValidationException">Thrown when certificate data is null or empty.</exception>
+        public static TlsConfig WithMutualTlsData(string clientCertData, string clientKeyData)
+        {
+            if (string.IsNullOrWhiteSpace(clientCertData))
+            {
+                throw new ValidationException("Client certificate data cannot be null or empty");
+            }
+
+            if (string.IsNullOrWhiteSpace(clientKeyData))
+            {
+                throw new ValidationException("Client key data cannot be null or empty");
+            }
+
+            return new TlsConfig
+            {
+                ClientCertData = clientCertData,
+                ClientKeyData = clientKeyData
+            };
+        }
+    }
+}
@@ -35,6 +35,21 @@ public FliptClientTests(ITestOutputHelper output)
                 Authentication = new Authentication { ClientToken = authToken }
             };
 
+            // Configure TLS if HTTPS URL is provided
+            if (fliptUrl.StartsWith("https://"))
+            {
+                string? caCertPath = Environment.GetEnvironmentVariable("FLIPT_CA_CERT_PATH");
+                if (!string.IsNullOrEmpty(caCertPath))
+                {
+                    options.TlsConfig = TlsConfig.WithCaCertFile(caCertPath);
+                }
+                else
+                {
+                    // Fallback to insecure for local testing
+                    options.TlsConfig = TlsConfig.Insecure();
+                }
+            }
+
             _client = new FliptClient(options);
         }