From: Jiffin Tony Thottan
Date: Tue, 20 Oct 2020 06:13:58 +0000 (+0530)
Subject: rgw: add support to consume user given ca cert for vault
X-Git-Tag: v17.1.0~2207^2~3
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=424dca0f3866c62e5c51cc8b2a080d680fddbe7f;p=ceph.git

rgw: add support to consume user given ca cert for vault

Currently RGW can authenticate with vault via SSL using system certs.
With this patch user can provide custom ca cert and location of the file
can be specified in ceph.conf like this :
rgw_crypt_require_ssl =

Fixes: https://tracker.ceph.com/issues/47776
Signed-off-by: Jiffin Tony Thottan
---
diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index a14953594fee..847e0fdacef9 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -2385,6 +2385,14 @@ options:
   services:
   - rgw
   with_legacy: true
+# TLS certs options
+- name: rgw_crypt_vault_ssl_cacert
+  type: str
+  level: advanced
+  desc: Path for custom ca certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
   type: str
   level: advanced
diff --git a/src/rgw/rgw_http_client.cc b/src/rgw/rgw_http_client.cc
index 302f2558a227..d90b904d4f3b 100644
--- a/src/rgw/rgw_http_client.cc
+++ b/src/rgw/rgw_http_client.cc
@@ -614,6 +614,9 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
+  } else if (!ca_path.empty()) {
+    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h
index 39a366be0abb..5782be6da5cc 100644
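Review bot: The desc for `rgw_crypt_vault_ssl_cacert` does not say that the path is only consulted when `rgw_crypt_vault_verify_ssl` is true, which is how the rgw_http_client.cc hunk in this patch wires it (the new `else if` sits behind the branch that turns verification off), so an operator who sets only the new option gets the system trust store with no hint why. Suggest `desc: Path to a CA certificate bundle used to verify the Vault server certificate; only consulted when rgw_crypt_vault_verify_ssl is true`. The commit message also names the ceph.conf key as `rgw_crypt_require_ssl =`, which does not match the option added here and appears to have lost its example value; worth correcting before merge.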
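Review bot: The result of `curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str())` on the added line is discarded, so if libcurl rejects the option (a TLS backend built without CURLOPT_CAINFO support, for instance) the request silently proceeds with the default trust store while the dout(20) line reports that the custom cert is in use. Because the operator explicitly asked for this CA, failing the request is safer than a silent fallback, and logging the CURLcode at level 0 makes the condition diagnosable; note that an unreadable file is not caught here but only later at the handshake, as a process() error. The `ca_path.c_str()` in the dout is also unnecessary since std::string streams directly. `init_request` begins and ends outside this hunk, so the negative-errno return below assumes the function's existing error convention.
```cpp
  } else if (!ca_path.empty()) {
    CURLcode rc = curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
    if (rc != CURLE_OK) {
      dout(0) << "ERROR: failed to set custom ca cert " << ca_path
              << ": " << curl_easy_strerror(rc) << dendl;
      return -EINVAL;
    }
    dout(20) << "using custom ca cert " << ca_path << " for ssl" << dendl;
  }
  // … unchanged: CURLOPT_PRIVATE / CURLOPT_TIMEOUT setup …
```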
--- a/src/rgw/rgw_http_client.h
+++ b/src/rgw/rgw_http_client.h
@@ -40,6 +40,8 @@ class RGWHTTPClient : public RGWIOProvider,
   bool verify_ssl; // Do not validate self signed certificates, default to false
+  string ca_path;
+
   std::atomic stopped { 0 };
@@ -172,6 +174,10 @@ public:
   void *get_io_user_info() override {
     return user_info;
   }
+
+  void set_ca_path(const string& _ca_path) {
+    ca_path = _ca_path;
+  }
 };
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index 92c593ed6409..687adb7700b8 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
@@ -254,6 +254,10 @@ protected:
     secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
+    if (!cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) {
+      secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
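Review bot: The new `ca_path` member carries no comment although the neighbouring `verify_ssl` member documents its meaning and default, and it is declared as bare `string` (presumably resolved by a using-declaration elsewhere in the header) while the next line uses the qualified `std::atomic`. Suggest `std::string ca_path; // CA bundle handed to CURLOPT_CAINFO; not applied when verify_ssl is false`. The `set_ca_path` setter added in the second hunk of this file uses the same unqualified `string`. The RGWHTTPClient class body begins before and ends after these hunks.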
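Review bot: When `rgw_crypt_vault_verify_ssl` is false and `rgw_crypt_vault_ssl_cacert` is set, the path is passed through here but, going by the rgw_http_client.cc hunk in this patch, init_request only applies CURLOPT_CAINFO on the verifying branch, so the certificate is silently dropped while the operator may believe Vault's identity is being checked. Logging that combination at level 0 where the options are read makes the misconfiguration visible. The `.empty()` guard added here is also redundant, since init_request re-checks `ca_path.empty()`, so `secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);` can be called unconditionally. The enclosing method starts before this hunk and continues after it.
```cpp
    secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
    if (!cct->_conf->rgw_crypt_vault_verify_ssl &&
        !cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) {
      ldout(cct, 0) << "WARNING: rgw_crypt_vault_ssl_cacert is set but "
                       "rgw_crypt_vault_verify_ssl is false; the CA cert will not be used"
                    << dendl;
    }
    secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
    // … unchanged: secret_req.process(null_yield) and its error handling …
```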