From c2e67de3f76dececda19a09d0e1c51c937ce0afa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Thu, 21 Oct 2021 17:10:14 +0200
Subject: [PATCH] rgw: read tls secret hint for insecure tls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the admin wants to use insecure TLS to validate connections to rgw internally, the TLS secret can have another entry "insecureSkipVerify" and set it to "true".
Signed-off-by: Sébastien Han
---
 .../ceph/object/bucket/provisioner.go | 6 ++--
 pkg/operator/ceph/object/rgw.go | 28 ++++++++++++++-----
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/pkg/operator/ceph/object/bucket/provisioner.go b/pkg/operator/ceph/object/bucket/provisioner.go
index a1d773c9eef3c..4607e65ad99ed 100644
--- a/pkg/operator/ceph/object/bucket/provisioner.go
+++ b/pkg/operator/ceph/object/bucket/provisioner.go
@@ -55,6 +55,7 @@ type Provisioner struct {
 endpoint string
 additionalConfigData map[string]string
 tlsCert []byte
+ insecureTLS bool
 adminOpsClient *admin.API
 }
@@ -606,7 +607,7 @@ func (p *Provisioner) setTlsCaCert() error {
 }
 p.tlsCert = make([]byte, 0)
 if objStore.Spec.Gateway.SecurePort == p.storePort {
- p.tlsCert, err = cephObject.GetTlsCaCert(p.objectContext, &objStore.Spec)
+ p.tlsCert, p.insecureTLS, err = cephObject.GetTlsCaCert(p.objectContext, &objStore.Spec)
 if err != nil {
 return err
 }
@@ -621,8 +622,7 @@ func (p *Provisioner) setAdminOpsAPIClient() error {
 Timeout: cephObject.HttpTimeOut,
 }
 if p.tlsCert != nil {
- insecure := false
- httpClient.Transport = cephObject.BuildTransportTLS(p.tlsCert, insecure)
+ httpClient.Transport = cephObject.BuildTransportTLS(p.tlsCert, p.insecureTLS)
 }
 // Fetch the ceph object store
diff --git a/pkg/operator/ceph/object/rgw.go b/pkg/operator/ceph/object/rgw.go
index 495b51f6f02d3..848fccdefefce 100644
--- a/pkg/operator/ceph/object/rgw.go
+++ b/pkg/operator/ceph/object/rgw.go
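Review bot: In the `setTlsCaCert` hunk, `p.insecureTLS` is assigned only inside the `SecurePort == p.storePort` branch, while `p.tlsCert` is reset unconditionally just above it; if a Provisioner instance is reused for a store whose secret no longer carries the hint, `p.insecureTLS` keeps its previous value and `setAdminOpsAPIClient` (third hunk) keeps building a transport with the insecure flag set. Reset the two together, `p.tlsCert = make([]byte, 0)` followed by `p.insecureTLS = false`, so the field can only be true for the store that was just inspected. Whether a Provisioner is actually reused across calls is not visible in these hunks, so this may be purely defensive. The new struct field would also benefit from a comment such as `// insecureTLS mirrors the "insecureSkipVerify" entry of the store's TLS secret and is passed as the insecure flag to BuildTransportTLS.` The enclosing `setTlsCaCert` and `setAdminOpsAPIClient` both start before their hunks.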
@@ -22,6 +22,7 @@ import (
 "io/ioutil"
 "net/http"
 "reflect"
+ "strconv"
 "syscall"
 "github.com/banzaicloud/k8s-objectmatcher/patch"
@@ -61,6 +62,10 @@ type rgwConfig struct {
 var updateDeploymentAndWait = mon.UpdateCephDeploymentAndWait
+var (
+ insecureSkipVerify = "insecureSkipVerify"
+)
+
 func (c *clusterConfig) createOrUpdateStore(realmName, zoneGroupName, zoneName string) error {
 logger.Infof("creating object store %q in namespace %q", c.store.Name, c.store.Namespace)
@@ -320,7 +325,8 @@ func BuildDNSEndpoint(domainName string, port int32, secure bool) string {
 }
 // GetTLSCACert fetch cacert for internal RGW requests
-func GetTlsCaCert(objContext *Context, objectStoreSpec *cephv1.ObjectStoreSpec) ([]byte, error) {
+func GetTlsCaCert(objContext *Context, objectStoreSpec *cephv1.ObjectStoreSpec) ([]byte, bool, error) {
+ var insecureTLS bool
 ctx := objContext.clusterInfo.Context
 var (
 tlsCert []byte
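Review bot: `insecureSkipVerify` in the new `var (...)` block is never reassigned and is only used as a map key in `GetTlsCaCert`, so it should be a constant, `const insecureSkipVerify = "insecureSkipVerify"`; a package-level `var` can be mutated from anywhere in the package, and a parenthesised block for a single entry is unusual. A one-line comment naming what it is would also help the next reader, e.g. `// insecureSkipVerify is the optional data key of the RGW TLS secret whose boolean value is handed to BuildTransportTLS as its insecure flag.`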
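Review bot: The doc comment above `GetTlsCaCert` still describes a single result and uses a name (`GetTLSCACert`) that does not match the function, so the new `bool` return is undocumented; with the extra result it should read `// GetTlsCaCert fetches the CA cert used for internal RGW requests and reports whether the TLS secret's "insecureSkipVerify" entry asks to skip server certificate verification.` The added `var insecureTLS bool` sits between the signature and `ctx`, while a `var (` block begins two lines below; declaring it there keeps the locals together. The function body continues past the end of the hunk.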
@@ -330,21 +336,30 @@ func GetTlsCaCert(objContext *Context, objectStoreSpec *cephv1.ObjectStoreSpec)
 if objectStoreSpec.Gateway.SSLCertificateRef != "" {
 tlsSecretCert, err := objContext.Context.Clientset.CoreV1().Secrets(objContext.clusterInfo.Namespace).Get(ctx, objectStoreSpec.Gateway.SSLCertificateRef, metav1.GetOptions{})
 if err != nil {
- return nil, errors.Wrapf(err, "failed to get secret %s containing TLS certificate defined in %s", objectStoreSpec.Gateway.SSLCertificateRef, objContext.Name)
+ return nil, false, errors.Wrapf(err, "failed to get secret %s containing TLS certificate defined in %s", objectStoreSpec.Gateway.SSLCertificateRef, objContext.Name)
 }
 if tlsSecretCert.Type == v1.SecretTypeOpaque {
 tlsCert = tlsSecretCert.Data[certKeyName]
 } else if tlsSecretCert.Type == v1.SecretTypeTLS {
 tlsCert = tlsSecretCert.Data[v1.TLSCertKey]
 }
+ // If the secret contains an indication that the TLS connection should be insecure, then
+ // let's apply it to the client.
+ insecureTLSStr, ok := tlsSecretCert.Data[insecureSkipVerify]
+ if ok {
+ insecureTLS, err = strconv.ParseBool(string(insecureTLSStr))
+ if err != nil {
+ return nil, false, errors.Wrap(err, "failed to parse insecure tls bool option")
+ }
+ }
 } else if objectStoreSpec.GetServiceServingCert() != "" {
 tlsCert, err = ioutil.ReadFile(ServiceServingCertCAFile)
 if err != nil {
- return nil, false, errors.Wrapf(err, "failed to fetch TLS certificate from %q", ServiceServingCertCAFile)
+ return nil, false, errors.Wrapf(err, "failed to fetch TLS certificate from %q", ServiceServingCertCAFile)
 }
 }
- return tlsCert, nil
+ return tlsCert, insecureTLS, nil
 }
 // Allow overriding this function for unit tests to mock the admin ops api
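Review bot: Reading `insecureSkipVerify` from the secret is silent: when `insecureTLS` parses as true nothing is logged, so an operator cannot see from the logs that internal RGW clients will stop verifying the server certificate (assuming `BuildTransportTLS` maps the flag to `InsecureSkipVerify`, as its parameter name suggests), and anyone able to edit that secret can flip it unnoticed. Log it where it is parsed, after the `strconv.ParseBool` error check inside the `if ok {` branch: `if insecureTLS { logger.Warningf("secret %q requests insecure TLS for object store %q: server certificate verification is disabled", objectStoreSpec.Gateway.SSLCertificateRef, objContext.Name) }`. Note that `strconv.ParseBool` also accepts `1`, `t`, `T`, `TRUE` and `True`, so the commit message's "true" is not the only spelling that enables it; the comment above the lookup could say so. The parse error could name the secret and key like the other errors in this hunk do, `errors.Wrapf(err, "failed to parse %q in secret %s", insecureSkipVerify, objectStoreSpec.Gateway.SSLCertificateRef)`.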
@@ -356,12 +371,11 @@ func genObjectStoreHTTPClient(objContext *Context, spec *cephv1.ObjectStoreSpec)
 tlsCert := []byte{}
 if spec.IsTLSEnabled() {
 var err error
- tlsCert, err = GetTlsCaCert(objContext, spec)
+ tlsCert, insecureTLS, err := GetTlsCaCert(objContext, spec)
 if err != nil {
 return nil, tlsCert, errors.Wrapf(err, "failed to fetch CA cert to establish TLS connection with object store %q", nsName)
 }
- insecure := false
- c.Transport = BuildTransportTLS(tlsCert, insecure)
+ c.Transport = BuildTransportTLS(tlsCert, insecureTLS)
 }
 return c, tlsCert, nil
 }
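Review bot: `tlsCert, insecureTLS, err := GetTlsCaCert(objContext, spec)` declares a new `tlsCert` scoped to the `if spec.IsTLSEnabled()` block, shadowing the `tlsCert := []byte{}` above it, so the final `return c, tlsCert, nil` now hands callers an empty slice instead of the fetched CA cert (the transport itself is built with the right one). The old `=` assignment has to stay; declare the new variable on its own: `var insecureTLS bool` followed by `tlsCert, insecureTLS, err = GetTlsCaCert(objContext, spec)`. Whether callers consume the returned cert is not visible here, but the function returns it on purpose, so the regression is worth fixing regardless; the `shadow` vet analyzer would catch this class of slip. `genObjectStoreHTTPClient` starts before the hunk.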