From: Jiffin Tony Thottan
Date: Mon, 19 Oct 2020 18:12:58 +0000 (+0530)
Subject: rgw: add seperate option for verify ssl for vault KMS engine
X-Git-Tag: v17.1.0~2207^2~4
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4a93faa2eec8077edb4c35a20b6b66bc610a6e4a;p=ceph.git
rgw: add seperate option for verify ssl for vault KMS engine
Signed-off-by: Jiffin Tony Thottan
---
diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index 9a7398d5f6dc..a14953594fee 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -2376,6 +2376,15 @@ options:
 - rgw_crypt_vault_auth
 - rgw_crypt_vault_addr
 with_legacy: true
+# Enable TLS authentication rgw and vault
+- name: rgw_crypt_vault_verify_ssl
+ type: bool
+ level: advanced
+ desc: Should RGW verify the vault server SSL certificate.
+ default: true
+ services:
+ - rgw
+ with_legacy: true
 - name: rgw_crypt_kmip_addr
 type: str
 level: advanced
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index 8542d483d482..92c593ed6409 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
@@ -252,6 +252,8 @@ protected:
 secret_req.append_header("X-Vault-Namespace", vault_namespace);
 }
+ secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
+
 res = secret_req.process(null_yield);
 if (res < 0) {
 ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
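Review bot: The comment above the new option, `# Enable TLS authentication rgw and vault`, misdescribes the flag: per its own `desc` it controls whether RGW verifies the Vault server certificate, not whether TLS is used or whether either side authenticates. I would reword it to `# Verify the Vault server's TLS certificate`. The entry would also benefit from a `long_desc` saying that with verification off RGW cannot tell the real Vault server from an impostor on the network path, so the credentials sent and the key material returned are exposed, and that false is meant for test setups only. The default of true is the right one.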
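Review bot: Nothing is logged when `rgw_crypt_vault_verify_ssl` is false, so a gateway fetching secrets from Vault without certificate verification leaves no trace of that in its log. A warning just before the `set_verify_ssl` call would make it visible, for example `if (!cct->_conf->rgw_crypt_vault_verify_ssl) ldout(cct, 1) << "WARNING: Vault server certificate verification is disabled" << dendl;`. The enclosing function starts and ends outside the hunk, so it is not visible whether every Vault request passes through this point; any request built elsewhere should honour the same option. If these requests previously followed a shared verification setting, as the commit title suggests, the move to a dedicated option defaulting to true changes behaviour on upgrade and deserves a release note.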