rgw: use insecure TLS for bucket health check

We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Closes: #8663 Signed-off-by: Sébastien Han <seb@redhat.com>
rook · Sep 14, 2021 · f123e51 · f123e51
1 parent 235d5a3
commit f123e51
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pkg/operator/ceph/object/health.go b/pkg/operator/ceph/object/health.go
@@ -18,7 +18,9 @@ package object
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
 	"time"
 
 	"github.com/ceph/go-ceph/rgw/admin"
@@ -170,6 +172,11 @@ func (c *bucketChecker) checkObjectStoreHealth() error {
 	if err != nil {
 		return errors.Wrap(err, "failed to initialize s3 connection")
 	}
+	// Force the s3 client to use insecure TLS connection
+	s3client.Client.Config.HTTPClient.Transport = &http.Transport{
+		// #nosec G402 is enabled only for testing
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
 
 	// Force purge the s3 object before starting anything
 	cleanupObjectHealthCheck(s3client, c.objContext.UID)