rgw: add support to consume user given ca cert for vault
authorJiffin Tony Thottan <jthottan@redhat.com>
Tue, 20 Oct 2020 06:13:58 +0000 (11:43 +0530)
committerJiffin Tony Thottan <jthottan@redhat.com>
Fri, 16 Apr 2021 17:28:19 +0000 (22:58 +0530)
Currently RGW can authenticate with vault via SSL using system certs.
With this patch, the user can provide a custom CA cert; the location of the file
can be specified in ceph.conf like this:
rgw_crypt_require_ssl = <file path>

Fixes: https://tracker.ceph.com/issues/47776
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
src/common/options/rgw.yaml.in
src/rgw/rgw_http_client.cc
src/rgw/rgw_http_client.h
src/rgw/rgw_kms.cc

index a14953594feedd8e84ff78966508aa7b9271e55d..847e0fdacef977668097bf7b420a01184d56f581 100644 (file)
@@ -2385,6 +2385,14 @@ options:
   services:
   - rgw
   with_legacy: true
+# TLS certs options
+- name: rgw_crypt_vault_ssl_cacert
+  type: str
+  level: advanced
+  desc: Path for custom ca certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
   type: str
   level: advanced
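Review bot: The `desc` on L28 does not say that the path is honored only when `rgw_crypt_vault_verify_ssl` is true, which is how the client hunk applies it (`else if (!ca_path.empty())`), so an operator who disables verification and also sets this option gets no indication that it is ignored. I would tighten the text to `desc: Path to a custom CA certificate (bundle) used to verify the Vault server's TLS certificate when rgw_crypt_vault_verify_ssl is enabled` and add `see_also:` / `- rgw_crypt_vault_verify_ssl` beneath it so the two options are cross-referenced. The commit message's ceph.conf example names `rgw_crypt_require_ssl` rather than the option added here, which is worth correcting so operators copying the example land on the right key.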
index 302f2558a227f4ba54ea8de18eb0df5d4d4289a1..d90b904d4f3b67f532b1748625d20e0738e35d3a 100644 (file)
@@ -614,6 +614,9 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
+  } else if (!ca_path.empty()) {
+    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
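Review bot: The new `else if` on L40 means a configured `ca_path` is silently dropped whenever `verify_ssl` is false, and nothing in the code records that this is intentional; a comment above L40 such as `// a custom CA bundle only matters when peer verification is enabled; it is ignored otherwise` would make the precedence deliberate rather than accidental. The log statement on L42 streams `ca_path.c_str()` where the string itself is enough: `dout(20) << "using custom ca cert " << ca_path << " for ssl" << dendl;`. As far as I can tell curl only opens the CAINFO file when the transfer runs, so an unreadable or wrong path presumably surfaces later as a failed request rather than at configuration time, which is worth mentioning in the option's description or in this debug line. init_request begins and ends outside the hunk.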
index 39a366be0abb9facf7dc952fe235d0c32d985aeb..5782be6da5cc954e242fc139a1fc723fc8a9b78b 100644 (file)
@@ -40,6 +40,8 @@ class RGWHTTPClient : public RGWIOProvider,
 
   bool verify_ssl; // Do not validate self signed certificates, default to false
 
+  string ca_path;
+
   std::atomic<unsigned> stopped { 0 };
 
 
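Review bot: `string ca_path;` on L51 relies on an unqualified `string` in a header whose neighbouring member spells `std::atomic`; it should be `std::string ca_path;`, and the same applies to the `const string&` parameter of `set_ca_path` on L61 in the next hunk. The new member also lacks the explanatory comment its sibling `verify_ssl` carries; `std::string ca_path; // path to a CA cert (bundle) used for peer verification; empty means no custom bundle is passed to curl` would match the existing style. Whether curl then falls back to the system store is inferred from the client hunk only setting CURLOPT_CAINFO when the path is non-empty, so confirm before committing to that wording. The class RGWHTTPClient begins before this hunk.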
@@ -172,6 +174,10 @@ public:
   void *get_io_user_info() override {
     return user_info;
   }
+
+  void set_ca_path(const string& _ca_path) {
+    ca_path = _ca_path;
+  }
 };
 
 
index 92c593ed640974734df972f61739d2cea07f1a5f..687adb7700b8d0145527b6c70a0e8c9537bb8578 100644 (file)
@@ -254,6 +254,10 @@ protected:
 
     secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
 
+    if (!cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) {
+      secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
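Review bot: The guard on L72 duplicates the `!ca_path.empty()` check that init_request already performs, so `secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);` could be called unconditionally; what is missing here is a signal for the mismatched configuration, because the client hunk ignores the CA path whenever `rgw_crypt_vault_verify_ssl` is false and the operator never learns that Vault's certificate is not being checked against their bundle. I would add, next to L72, `if (!cct->_conf->rgw_crypt_vault_verify_ssl && !cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) { ldout(cct, 5) << "WARNING: rgw_crypt_vault_ssl_cacert is set but rgw_crypt_vault_verify_ssl is false; the CA cert will be ignored" << dendl; }`. The log level 5 is a placeholder; use whatever this file uses for misconfiguration warnings. The enclosing function starts and ends outside the hunk.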