rgw: read tls secret hint for insecure tls

If the admin wants to use insecure TLS to validate connections to rgw internally, the TLS secret can have another entry "insecureSkipVerify" and set it to "true". Signed-off-by: Sébastien Han <seb@redhat.com>
rook · Oct 21, 2021 · c5f16b3 · c5f16b3
1 parent 91f7bc5
commit c5f16b3
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 10 deletions.
diff --git a/pkg/operator/ceph/object/bucket/provisioner.go b/pkg/operator/ceph/object/bucket/provisioner.go
@@ -55,6 +55,7 @@ type Provisioner struct {
 	endpoint             string
 	additionalConfigData map[string]string
 	tlsCert              []byte
+	insecureTLS          bool
 	adminOpsClient       *admin.API
 }
 
@@ -606,7 +607,7 @@ func (p *Provisioner) setTlsCaCert() error {
 	}
 	p.tlsCert = make([]byte, 0)
 	if objStore.Spec.Gateway.SecurePort == p.storePort {
-		p.tlsCert, err = cephObject.GetTlsCaCert(p.objectContext, &objStore.Spec)
+		p.tlsCert, p.insecureTLS, err = cephObject.GetTlsCaCert(p.objectContext, &objStore.Spec)
 		if err != nil {
 			return err
 		}
@@ -621,8 +622,7 @@ func (p *Provisioner) setAdminOpsAPIClient() error {
 		Timeout: cephObject.HttpTimeOut,
 	}
 	if p.tlsCert != nil {
-		insecure := false
-		httpClient.Transport = cephObject.BuildTransportTLS(p.tlsCert, insecure)
+		httpClient.Transport = cephObject.BuildTransportTLS(p.tlsCert, p.insecureTLS)
 	}
 
 	// Fetch the ceph object store

diff --git a/pkg/operator/ceph/object/rgw.go b/pkg/operator/ceph/object/rgw.go
@@ -22,6 +22,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"reflect"
+	"strconv"
 	"syscall"
 
 	"github.com/banzaicloud/k8s-objectmatcher/patch"
@@ -61,6 +62,10 @@ type rgwConfig struct {
 
 var updateDeploymentAndWait = mon.UpdateCephDeploymentAndWait
 
+var (
+	insecureSkipVerify = "insecureSkipVerify"
+)
+
 func (c *clusterConfig) createOrUpdateStore(realmName, zoneGroupName, zoneName string) error {
 	logger.Infof("creating object store %q in namespace %q", c.store.Name, c.store.Namespace)
 
@@ -320,7 +325,8 @@ func BuildDNSEndpoint(domainName string, port int32, secure bool) string {
 }
 
 // GetTLSCACert fetch cacert for internal RGW requests
-func GetTlsCaCert(objContext *Context, objectStoreSpec *cephv1.ObjectStoreSpec) ([]byte, error) {
+func GetTlsCaCert(objContext *Context, objectStoreSpec *cephv1.ObjectStoreSpec) ([]byte, bool, error) {
+	var insecureTLS bool
 	ctx := objContext.clusterInfo.Context
 	var (
 		tlsCert []byte
@@ -330,21 +336,30 @@ func GetTlsCaCert(objContext *Context, objectStoreSpec *cephv1.ObjectStoreSpec)
 	if objectStoreSpec.Gateway.SSLCertificateRef != "" {
 		tlsSecretCert, err := objContext.Context.Clientset.CoreV1().Secrets(objContext.clusterInfo.Namespace).Get(ctx, objectStoreSpec.Gateway.SSLCertificateRef, metav1.GetOptions{})
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to get secret %s containing TLS certificate defined in %s", objectStoreSpec.Gateway.SSLCertificateRef, objContext.Name)
+			return nil, false, errors.Wrapf(err, "failed to get secret %s containing TLS certificate defined in %s", objectStoreSpec.Gateway.SSLCertificateRef, objContext.Name)
 		}
 		if tlsSecretCert.Type == v1.SecretTypeOpaque {
 			tlsCert = tlsSecretCert.Data[certKeyName]
 		} else if tlsSecretCert.Type == v1.SecretTypeTLS {
 			tlsCert = tlsSecretCert.Data[v1.TLSCertKey]
 		}
+		// If the secret contains an indication that the TLS connection should be insecure, then
+		// let's apply it to the client.
+		insecureTLSStr, ok := tlsSecretCert.Data[insecureSkipVerify]
+		if ok {
+			insecureTLS, err = strconv.ParseBool(string(insecureTLSStr))
+			if err != nil {
+				return nil, false, errors.Wrap(err, "failed to parse insecure tls bool option")
+			}
+		}
 	} else if objectStoreSpec.GetServiceServingCert() != "" {
 		tlsCert, err = ioutil.ReadFile(ServiceServingCertCAFile)
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to fetch TLS certificate from %q", ServiceServingCertCAFile)
+			return nil, false, errors.Wrapf(err, "failed to fetch TLS certificate from %q", ServiceServingCertCAFile)
 		}
 	}
 
-	return tlsCert, nil
+	return tlsCert, insecureTLS, nil
 }
 
 // Allow overriding this function for unit tests to mock the admin ops api
@@ -356,12 +371,11 @@ func genObjectStoreHTTPClient(objContext *Context, spec *cephv1.ObjectStoreSpec)
 	tlsCert := []byte{}
 	if spec.IsTLSEnabled() {
 		var err error
-		tlsCert, err = GetTlsCaCert(objContext, spec)
+		tlsCert, insecureTLS, err := GetTlsCaCert(objContext, spec)
 		if err != nil {
 			return nil, tlsCert, errors.Wrapf(err, "failed to fetch CA cert to establish TLS connection with object store %q", nsName)
 		}
-		insecure := false
-		c.Transport = BuildTransportTLS(tlsCert, insecure)
+		c.Transport = BuildTransportTLS(tlsCert, insecureTLS)
 	}
 	return c, tlsCert, nil
 }