Merge pull request #772 from BlaineEXE/bp-rgw-sys-certs-to-odf-4.16
DFBUGS-342: object: also use system certs for validating RGW cert
BlaineEXE authored Nov 20, 2024
2 parents 2cd7c35 + 2c0c6d1 commit 9052714
Showing 3 changed files with 11 additions and 5 deletions.
12 changes: 9 additions & 3 deletions pkg/operator/ceph/object/s3-handlers.go
Expand Up @@ -199,12 +199,18 @@ func (s *S3Agent) DeleteObjectInBucket(bucketname string, key string) (bool, err

func BuildTransportTLS(tlsCert []byte, insecure bool) *http.Transport {
//nolint:gosec // is enabled only for testing
tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
tlsConfig := &tls.Config{InsecureSkipVerify: insecure}
var caCertPool *x509.CertPool
var err error
caCertPool, err = x509.SystemCertPool()
if err != nil {
logger.Warningf("failed to load system cert pool; continuing without loading system certs")
caCertPool = x509.NewCertPool() // start with empty cert pool instead
}
if len(tlsCert) > 0 {
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(tlsCert)
tlsConfig.RootCAs = caCertPool
}
tlsConfig.RootCAs = caCertPool

return &http.Transport{
TLSClientConfig: tlsConfig,
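Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(tlsCert)` is discarded, so a malformed or certificate-free PEM bundle is silently ignored; because the pool now starts from the system roots, the transport would then validate RGW against system CAs only, with no sign that the configured CA was dropped. Check the result and surface it, e.g. `if !caCertPool.AppendCertsFromPEM(tlsCert) { logger.Warningf("no valid PEM certificates found in the provided RGW CA bundle") }`. The warning for a failed `x509.SystemCertPool()` also omits the cause; end its format string with `: %v` and pass `err`. This page shows the `tls.Config` literal both with and without `MinVersion: tls.VersionTLS12` and does not mark which is the new side; if the new side is the one without it, the TLS floor is left to the Go toolchain default instead of being pinned. The body of `BuildTransportTLS` continues past the end of the hunk.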
2 changes: 1 addition & 1 deletion pkg/operator/ceph/object/s3-handlers_test.go
Expand Up @@ -53,7 +53,7 @@ func TestNewS3Agent(t *testing.T) {
insecure := true
s3Agent, err := newS3Agent(accessKey, secretKey, endpoint, debug, nil, insecure)
assert.NoError(t, err)
assert.Nil(t, s3Agent.Client.Config.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs)
assert.NotNil(t, s3Agent.Client.Config.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs) // still includes sys certs
assert.True(t, s3Agent.Client.Config.HTTPClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify)
assert.False(t, *s3Agent.Client.Config.DisableSSL)
})
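Review bot: `assert.NotNil` on `RootCAs` cannot tell the system pool from the empty fallback pool that `BuildTransportTLS` builds when `x509.SystemCertPool()` fails, so the trailing comment `// still includes sys certs` claims more than the assertion checks. Reword it to something like `// RootCAs is always set: system pool, or an empty pool if it cannot be loaded`. A case passing a non-empty `tlsCert` and checking that the resulting pool differs from the one built with `nil` would cover the append path; whether one already exists elsewhere in this file is not visible here. The enclosing `t.Run` closure starts before the hunk.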
2 changes: 1 addition & 1 deletion tests/scripts/github-action-helper.sh
Expand Up @@ -735,7 +735,7 @@ function install_minikube_with_none_driver() {
rm "$CNI_PLUGIN_TAR"

export MINIKUBE_HOME=$HOME CHANGE_MINIKUBE_NONE_USER=true KUBECONFIG=$HOME/.kube/config
sudo -E minikube start --kubernetes-version="$1" --driver=none --memory 6g --cpus=2 --addons ingress --cni=calico
minikube start --kubernetes-version="$1" --driver=none --memory 6g --cpus=2 --addons ingress --cni=calico
}

FUNCTION="$1"