rgw: inject tls certs for bucket notification and topic operations
The certs for accessing a TLS-enabled RGW are saved as secrets; inject them in the controllers for notifications and topics if the request is sent to a TLS-enabled RGW endpoint.

Signed-off-by: Jiffin Tony Thottan <thottanjiffin@gmail.com>
thotz committed Jan 12, 2022
1 parent 511c250 commit 84ca546
Showing 2 changed files with 11 additions and 3 deletions.
7 changes: 5 additions & 2 deletions pkg/operator/ceph/object/notification/provisioner.go
Expand Up @@ -92,8 +92,11 @@ func newS3Agent(p provisioner) (*object.S3Agent, error) {
if err != nil {
return nil, errors.Wrapf(err, "failed to get owner credentials for %q", p.owner)
}

return object.NewS3Agent(accessKey, secretKey, objContext.Endpoint, objContext.ZoneGroup, logger.LevelAt(capnslog.DEBUG), objContext.Context.KubeConfig.CertData)
tlsCert, _, err := object.GetTlsCaCert(objContext, &objStore.Spec)
if err != nil {
return nil, errors.Wrapf(err, "failed to get TLS certificate for the object store")
}
return object.NewS3Agent(accessKey, secretKey, objContext.Endpoint, objContext.ZoneGroup, logger.LevelAt(capnslog.DEBUG), tlsCert)
}

// TODO: convert all rules without restrictions once the AWS SDK supports that
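Review bot: The new error path uses `errors.Wrapf(err, "failed to get TLS certificate for the object store")` with no format arguments, so it should be `errors.Wrap(err, "failed to get TLS certificate for the object store")`. Unlike createSNSClient in topic/provisioner.go, which fetches the cert only inside `if tlsEnabled`, this path calls GetTlsCaCert unconditionally; if GetTlsCaCert returns an error for a store with no certificate configured, plain-HTTP stores would now fail here, so either confirm it returns an empty cert in that case or guard the call with `objStore.Spec.IsTLSEnabled()` as the topic code does. The second return value of GetTlsCaCert is discarded with `_`; a short comment naming what is dropped would help the reader. `objStore` is not visible in this hunk and newS3Agent starts outside it, so it is presumably resolved earlier in the function.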
7 changes: 6 additions & 1 deletion pkg/operator/ceph/object/topic/provisioner.go
Expand Up @@ -20,6 +20,7 @@ package topic
import (
"context"
"crypto/hmac"

// #nosec G505 sha1 is needed for v2 signatures
"crypto/sha1"
"encoding/base64"
Expand Down Expand Up @@ -86,7 +87,10 @@ func createSNSClient(p provisioner, objectStoreName types.NamespacedName) (*sns.
}
tlsEnabled := objStore.Spec.IsTLSEnabled()
if tlsEnabled {
tlsCert := objContext.Context.KubeConfig.CertData
tlsCert, _, err := object.GetTlsCaCert(objContext, &objStore.Spec)
if err != nil {
return nil, errors.Wrapf(err, "failed to get TLS certificate for the object store")
}
if len(tlsCert) > 0 {
client.Transport = object.BuildTransportTLS(tlsCert, false)
}
Expand All @@ -99,6 +103,7 @@ func createSNSClient(p provisioner, objectStoreName types.NamespacedName) (*sns.
WithEndpoint(objContext.Endpoint).
WithMaxRetries(3).
WithDisableSSL(!tlsEnabled).
WithHTTPClient(&client).
WithLogLevel(logLevel),
)
if err != nil {
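Review bot: Inside the `if tlsEnabled` block the second return value of GetTlsCaCert is discarded while `false` is hard-coded as the second argument of `object.BuildTransportTLS(tlsCert, false)`; if that discarded value carries the verification mode the store's TLS configuration expects, the hard-coded `false` can disagree with it, so either pass it through (`tlsCert, insecure, err := object.GetTlsCaCert(...)` and `object.BuildTransportTLS(tlsCert, insecure)`) or add a comment stating why strict verification is always used here. Keeping verification on is the safer default, so this is a consistency question rather than a weakening of the transport. As in notification/provisioner.go, the `errors.Wrapf` call on the new error path has no format arguments and should be `errors.Wrap`. createSNSClient starts and ends outside this hunk.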
