From 424dca0f3866c62e5c51cc8b2a080d680fddbe7f Mon Sep 17 00:00:00 2001
From: Jiffin Tony Thottan
Date: Tue, 20 Oct 2020 11:43:58 +0530
Subject: [PATCH] rgw: add support to consume user given ca cert for vault

Currently RGW can authenticate with vault via SSL using system certs. With this patch user can provide custom ca cert and location of the file can be specified in ceph.conf like this : rgw_crypt_require_ssl =

Fixes: https://tracker.ceph.com/issues/47776
Signed-off-by: Jiffin Tony Thottan
---
 src/common/options/rgw.yaml.in | 8 ++++++++
 src/rgw/rgw_http_client.cc | 3 +++
 src/rgw/rgw_http_client.h | 6 ++++++
 src/rgw/rgw_kms.cc | 4 ++++
 4 files changed, 21 insertions(+)

diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index a14953594fe..847e0fdacef 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -2385,6 +2385,14 @@ options:
   services:
   - rgw
   with_legacy: true
+# TLS certs options
+- name: rgw_crypt_vault_ssl_cacert
+  type: str
+  level: advanced
+  desc: Path for custom ca certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
   type: str
   level: advanced
diff --git a/src/rgw/rgw_http_client.cc b/src/rgw/rgw_http_client.cc
index 302f2558a22..d90b904d4f3 100644
--- a/src/rgw/rgw_http_client.cc
+++ b/src/rgw/rgw_http_client.cc
@@ -614,6 +614,9 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
+  } else if (!ca_path.empty()) {
+    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
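Review bot: The `desc` for rgw_crypt_vault_ssl_cacert says neither what the file must contain nor when it is honoured; rgw_http_client.cc in this same patch passes the value to `CURLOPT_CAINFO` (a certificate bundle file, not a directory) and only on the branch that follows the verification-off branch, so it appears to be ignored whenever rgw_crypt_vault_verify_ssl is false. I would expand it to `desc: Path to a PEM CA bundle file used to verify the Vault server certificate; only consulted when rgw_crypt_vault_verify_ssl is true`. The commit message's ceph.conf example names `rgw_crypt_require_ssl` rather than this option, which anyone copying the example will trip over. The `# TLS certs options` comment sits between two `- name:` entries, so it will not survive a reordering; a `long_desc` on the option itself would.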
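Review bot: The new else-if branch logs `using custom ca cert` regardless of whether `curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ...)` succeeded; when the TLS backend rejects the option the request silently proceeds with the default trust store and the log claims otherwise, which makes a Vault trust failure hard to diagnose. Capturing the result is a two-line change: `CURLcode rc = curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());` then `if (rc != CURLE_OK) { dout(0) << "failed to set custom ca cert " << ca_path << ": " << curl_easy_strerror(rc) << dendl; return -EINVAL; }`, with the error value matched to whatever init_request already returns on setup failure, which lies outside the hunk. A short comment that `CURLOPT_CAINFO` expects a CA bundle file, so a directory passed in `ca_path` (the name suggests one) only shows up as a verification failure at perform time and `CURLOPT_CAPATH` is the directory variant, would also help the next maintainer. The `.c_str()` in the dout is unnecessary, `ca_path` streams directly. init_request's body starts and ends outside the hunk.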
diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h
index 39a366be0ab..5782be6da5c 100644
--- a/src/rgw/rgw_http_client.h
+++ b/src/rgw/rgw_http_client.h
@@ -40,6 +40,8 @@ class RGWHTTPClient : public RGWIOProvider,
   bool verify_ssl; // Do not validate self signed certificates, default to false
+  string ca_path;
+
   std::atomic stopped { 0 };
@@ -172,6 +174,10 @@ public:
   void *get_io_user_info() override { return user_info; }
+
+  void set_ca_path(const string& _ca_path) {
+    ca_path = _ca_path;
+  }
 };
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index 92c593ed640..687adb7700b 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
@@ -254,6 +254,10 @@ protected:
   secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
+  if (!cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) {
+    secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
+  }
+
   res = secret_req.process(null_yield);
   if (res < 0) {
     ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
-- 
2.39.5
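Review bot: `string ca_path;` is added without the explanatory comment its neighbour `verify_ssl` carries, and the contract is not obvious from the name: rgw_http_client.cc hands it to `CURLOPT_CAINFO`, which takes a certificate bundle file rather than a directory, and only on the branch taken when verification is enabled. A comment such as `string ca_path; // CA bundle file passed to CURLOPT_CAINFO; empty = default trust store, unused when verify_ssl is false` would stop the next reader from supplying a CA directory. The unqualified `string` next to a `std::atomic` member presumably relies on a using-declaration elsewhere in this header; `std::string` is the safer spelling in a header. The class body continues outside the hunk.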
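Review bot: The new block hands the CA file to the request but nothing checks that it will be honoured: rgw_http_client.cc applies `ca_path` only on the verification-enabled branch, so a deployment that sets rgw_crypt_vault_ssl_cacert while rgw_crypt_vault_verify_ssl is false gets an unverified Vault connection with no hint that the configured CA is being ignored. A one-line warning beside the existing `set_verify_ssl` call makes that misconfiguration visible: `if (!cct->_conf->rgw_crypt_vault_verify_ssl && !cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) ldout(cct, 0) << "WARNING: rgw_crypt_vault_ssl_cacert is set but rgw_crypt_vault_verify_ssl is false; the Vault certificate will not be verified" << dendl;`. The `.empty()` guard around `set_ca_path` repeats the check init_request already makes on `ca_path`, so `secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);` on its own would do. The enclosing function starts and ends outside the hunk.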