rgw: add seperate option for verify ssl for vault KMS engine
authorJiffin Tony Thottan <jthottan@redhat.com>
Mon, 19 Oct 2020 18:12:58 +0000 (23:42 +0530)
committerJiffin Tony Thottan <jthottan@redhat.com>
Fri, 16 Apr 2021 17:24:38 +0000 (22:54 +0530)
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
src/common/options/rgw.yaml.in
src/rgw/rgw_kms.cc

index 9a7398d5f6dcfa26a0eb157918429007272d105e..a14953594feedd8e84ff78966508aa7b9271e55d 100644 (file)
@@ -2376,6 +2376,15 @@ options:
   - rgw_crypt_vault_auth
   - rgw_crypt_vault_addr
   with_legacy: true
+# Enable TLS authentication rgw and vault
+- name: rgw_crypt_vault_verify_ssl
+  type: bool
+  level: advanced
+  desc: Should RGW verify the vault server SSL certificate.
+  default: true
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
   type: str
   level: advanced
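Review bot: The comment added above `rgw_crypt_vault_verify_ssl` reads "Enable TLS authentication rgw and vault", but going by its `desc` the option neither enables TLS nor authenticates RGW; it only decides whether RGW checks the Vault server's certificate. I would reword it to `# Verify the Vault server's TLS certificate when RGW connects to Vault`. I would also add a `long_desc` saying that with the value false RGW will accept any certificate, so whoever can intercept the connection can pose as Vault and see what RGW sends and receives, and that the setting is meant for test setups. If the list ending just above this entry is a `see_also`, a matching `see_also` naming `rgw_crypt_vault_addr` would keep the new option consistent with its neighbours.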
index 8542d483d48270de4e39ec2247b56bb04f5e295b..92c593ed640974734df972f61739d2cea07f1a5f 100644 (file)
@@ -252,6 +252,8 @@ protected:
       secret_req.append_header("X-Vault-Namespace", vault_namespace);
     }
 
+    secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
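Review bot: Turning verification off is silent: `set_verify_ssl()` is fed the configured value right before `secret_req.process(null_yield)`, and nothing in the hunk records that the request to Vault goes out without checking the server certificate. Since this request carries the Vault headers and presumably returns key material, I would make the weakened state visible in the log, e.g. `if (!cct->_conf->rgw_crypt_vault_verify_ssl) ldout(cct, 1) << "WARNING: Vault server certificate verification is disabled" << dendl;`. A follow-up option for a CA bundle may also be worth considering so that deployments with a private CA are not pushed to disable verification altogether; whether the request class already supports that is not visible here. The enclosing function starts and ends outside the hunk.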