rgw: add support to consume user given ca cert for vault
authorJiffin Tony Thottan <jthottan@redhat.com>
Tue, 20 Oct 2020 06:13:58 +0000 (11:43 +0530)
committerJiffin Tony Thottan <jthottan@redhat.com>
Tue, 29 Jun 2021 10:30:01 +0000 (16:00 +0530)
Currently RGW can authenticate with vault via SSL using system certs.
With this patch the user can provide a custom CA cert; the location of the file
can be specified in ceph.conf like this:
rgw_crypt_require_ssl = <file path>

Fixes: https://tracker.ceph.com/issues/47776
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
(cherry picked from commit 424dca0f3866c62e5c51cc8b2a080d680fddbe7f)
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
Conflicts:
src/common/options/rgw.yaml.in
- added required changes in options.cc and legacy_config_opts.h

src/common/legacy_config_opts.h
src/common/options.cc
src/rgw/rgw_http_client.cc
src/rgw/rgw_http_client.h
src/rgw/rgw_kms.cc

index 75de330b6d1ba7cda042393e88d69511152593b2..5f81a7c414436af6f62f3557c7c20c08dc3ba957 100644 (file)
@@ -1510,6 +1510,7 @@ OPTION(rgw_crypt_vault_prefix, OPT_STR) // Optional URL prefix to Vault secret p
 OPTION(rgw_crypt_vault_secret_engine, OPT_STR) // kv, transit or other supported secret engines
 OPTION(rgw_crypt_vault_namespace, OPT_STR) // Vault Namespace (only availabe in Vault Enterprise Version)
 OPTION(rgw_crypt_vault_verify_ssl, OPT_BOOL) // should we try to verify vault's ssl
+OPTION(rgw_crypt_vault_ssl_cacert, OPT_STR) // optional ca certificate for accessing vault
 
 OPTION(rgw_crypt_kmip_addr, OPT_STR) // kmip server address
 OPTION(rgw_crypt_kmip_ca_path, OPT_STR) // ca for kmip servers
index bd6f3e6d74535db25d3121102665bcd8c96d626d..21ff3344c1f97090aec6fc04dc73ee795a538c56 100644 (file)
@@ -7179,6 +7179,10 @@ std::vector<Option> get_rgw_options() {
     .set_default(true)
     .set_description("Should RGW verify the vault server SSL certificate."),
 
+    Option("rgw_crypt_vault_ssl_cacert", Option::TYPE_STR, Option::LEVEL_ADVANCED)
+    .set_default("")
+    .set_description("Path for custom ca certificate for accessing vault server"),
+
     Option("rgw_crypt_kmip_addr", Option::TYPE_STR, Option::LEVEL_ADVANCED)
     .set_default("")
     .set_description("kmip server address"),
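Review bot: The description of rgw_crypt_vault_ssl_cacert does not say that the file is only consulted when rgw_crypt_vault_verify_ssl is true; in the rgw_http_client.cc hunk the CURLOPT_CAINFO call is in an `else if` after the branch that switches peer and host verification off, so an operator who sets both options gets the certificate silently ignored. A wording such as `.set_description("Path to a CA certificate bundle used to verify the vault server's certificate; ignored when rgw_crypt_vault_verify_ssl is false")` plus `.add_see_also("rgw_crypt_vault_verify_ssl")` would make the dependency visible in the generated docs. It is also worth stating that the file replaces the default system bundle rather than extending it, which is what CURLOPT_CAINFO does. Separately, the commit message's ceph.conf example names `rgw_crypt_require_ssl`, which is not the option this hunk adds.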
index 1ade7dfe8284b72c60435383f65250e1cfb42e56..925a4e11fbfb18148e19e985e9da0baf422a2e7d 100644 (file)
@@ -564,6 +564,9 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
+  } else if (!ca_path.empty()) {
+    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
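Review bot: A configured ca_path is dropped without any trace when the preceding branch runs, because the new `else if` is skipped after verification has been turned off; since that branch already logs "ssl verification is set to off", adding `dout(20) << "ignoring ca cert " << ca_path << " because ssl verification is off" << dendl;` there would make the silent-ignore case diagnosable from the log. The condition of that preceding `if` is outside the hunk, so I am assuming it tests verify_ssl. On the new log line, `<< ca_path.c_str()` is unnecessary; `<< ca_path` prints the same text. init_request begins before and continues after this hunk.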
index 840ff88fe97d91d97b0c211b1542c4c72253d0ef..265ae2615793a659e3c73938b7d58f17d7a321cd 100644 (file)
@@ -40,6 +40,8 @@ class RGWHTTPClient : public RGWIOProvider
 
   bool verify_ssl; // Do not validate self signed certificates, default to false
 
+  string ca_path;
+
   std::atomic<unsigned> stopped { 0 };
 
 
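Review bot: `string ca_path;` is the one member in this stretch without a comment while the neighbouring verify_ssl has one; something like `std::string ca_path; // optional CA bundle file handed to CURLOPT_CAINFO; empty means curl's default bundle` would document the contract (empty-means-default follows from the `!ca_path.empty()` guard in the rgw_http_client.cc hunk). Writing `std::string` rather than the unqualified `string` also matches the `std::atomic` two lines below, unless this header already has a using-declaration I cannot see from here. The class body continues beyond the hunk.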
@@ -171,6 +173,10 @@ public:
   void *get_io_user_info() override {
     return user_info;
   }
+
+  void set_ca_path(const string& _ca_path) {
+    ca_path = _ca_path;
+  }
 };
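Review bot: set_ca_path takes `const string&` and then copy-assigns; for a sink setter the usual form is take-by-value and move, `void set_ca_path(std::string _ca_path) { ca_path = std::move(_ca_path); }`, which avoids a copy when the caller passes a temporary and is otherwise equivalent (assuming <utility> is reachable from this header). This is a style point only; the behaviour as written is correct. The class definition starts before this hunk.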
 
 
index 92c593ed640974734df972f61739d2cea07f1a5f..687adb7700b8d0145527b6c70a0e8c9537bb8578 100644 (file)
@@ -254,6 +254,10 @@ protected:
 
     secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
 
+    if (!cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) {
+      secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
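Review bot: This is the one place where both rgw_crypt_vault_verify_ssl and rgw_crypt_vault_ssl_cacert are visible together, and nothing warns when an operator sets a CA file while verification is disabled, in which case the rgw_http_client.cc hunk never applies the file; a guard such as `if (!cct->_conf->rgw_crypt_vault_verify_ssl) ldout(cct, 0) << "WARNING: rgw_crypt_vault_ssl_cacert is set but rgw_crypt_vault_verify_ssl is false, the vault certificate will not be verified" << dendl;` inside the new block would surface that misconfiguration at the default log level. The `.empty()` test itself duplicates the one init_request already performs before setting CURLOPT_CAINFO, so if it is kept only to skip copying an empty string, a one-line comment saying so would stop the next reader from removing it. The enclosing function starts before the hunk.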