Merge pull request #37730 from thotz/rgwkmsvaultsslsupport

rgw: extending existing ssl support for vault KMS
2025-01-04 02:02:36 +00:00 · 2021-04-19 07:37:29 -04:00 · 2021-04-19 07:37:29 -04:00 · b040f25b71
commit b040f25b71
parent 149ad529c4 c2af1cdc13
5 changed files with 91 additions and 1 deletions
--- a/doc/radosgw/vault.rst
+++ b/doc/radosgw/vault.rst
@ -400,6 +400,19 @@ Or, when using the transit secret engine::
 In the example above, the Gateway would only fetch transit encryption keys under
 ``https://vault-server:8200/v1/transit``.

+You can use custom ssl certs to authenticate with vault with help of
+following options::
+
+  rgw crypt vault verify ssl = true
+  rgw crypt vault ssl cacert = /etc/ceph/vault.ca
+  rgw crypt vault ssl clientcert = /etc/ceph/vault.crt
+  rgw crypt vault ssl clientkey = /etc/ceph/vault.key
+
+where vault.ca is CA certificate and vault.key/vault.crt are private key and ssl
+ceritificate generated for RGW to access the vault server. It highly recommended to
+set this option true, setting false is very dangerous and need to avoid since this
+runs in very secured enviroments.
+
 Transit engine compatibility support
 ------------------------------------
 The transit engine has compatibility support for previous
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@ -2376,6 +2376,37 @@ options:
  - rgw_crypt_vault_auth
  - rgw_crypt_vault_addr
  with_legacy: true
+# Enable TLS authentication rgw and vault
+- name: rgw_crypt_vault_verify_ssl
+  type: bool
+  level: advanced
+  desc: Should RGW verify the vault server SSL certificate.
+  default: true
+  services:
+  - rgw
+  with_legacy: true
+# TLS certs options
+- name: rgw_crypt_vault_ssl_cacert
+  type: str
+  level: advanced
+  desc: Path for custom ca certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
+- name: rgw_crypt_vault_ssl_clientcert
+  type: str
+  level: advanced
+  desc: Path for custom client certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
+- name: rgw_crypt_vault_ssl_clientkey
+  type: str
+  level: advanced
+  desc: Path for private key required for client cert
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
  type: str
  level: advanced
--- a/src/rgw/rgw_http_client.cc
+++ b/src/rgw/rgw_http_client.cc
@ -614,6 +614,21 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
    curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
    dout(20) << "ssl verification is set to off" << dendl;
+  } else {
+    if (!ca_path.empty()) {
+      curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+      dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+    }
+    if (!client_cert.empty()) {
+      if (!client_key.empty()) {
+	curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
+	curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
+	dout(20) << "using custom client cert " << client_cert.c_str()
+	  << " and private key " << client_key.c_str() << dendl;
+      } else {
+	dout(5) << "private key is missing for client certificate" << dendl;
+      }
+    }
  }
  curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
  curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
@ -1262,7 +1277,7 @@ void *RGWHTTPManager::reqs_thread_entry()
              << cct->_conf->rgw_curl_low_speed_limit << " Bytes per second during " << cct->_conf->rgw_curl_low_speed_time << " seconds." << dendl;
          default:
            dout(20) << "ERROR: msg->data.result=" << result << " req_data->id=" << id << " http_status=" << http_status << dendl;
-            dout(20) << "ERROR: curl error: " << curl_easy_strerror((CURLcode)result) << dendl;
+            dout(20) << "ERROR: curl error: " << curl_easy_strerror((CURLcode)result) << " req_data->error_buf=" << req_data->error_buf << dendl;
 	    break;
        }
      }
--- a/src/rgw/rgw_http_client.h
+++ b/src/rgw/rgw_http_client.h
@ -40,6 +40,12 @@ class RGWHTTPClient : public RGWIOProvider,

  bool verify_ssl; // Do not validate self signed certificates, default to false

+  string ca_path;
+
+  string client_cert;
+
+  string client_key;
+
  std::atomic<unsigned> stopped { 0 };


@ -172,6 +178,18 @@ public:
  void *get_io_user_info() override {
    return user_info;
  }
+
+  void set_ca_path(const string& _ca_path) {
+    ca_path = _ca_path;
+  }
+
+  void set_client_cert(const string& _client_cert) {
+    client_cert = _client_cert;
+  }
+
+  void set_client_key(const string& _client_key) {
+    client_key = _client_key;
+  }
 };


--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
@ -252,6 +252,19 @@ protected:
      secret_req.append_header("X-Vault-Namespace", vault_namespace);
    }

+    secret_req.set_verify_ssl(cct->_conf->rgw_crypt_vault_verify_ssl);
+
+    if (!cct->_conf->rgw_crypt_vault_ssl_cacert.empty()) {
+      secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
+    }
+
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientcert.empty()) {
+      secret_req.set_client_cert(cct->_conf->rgw_crypt_vault_ssl_clientcert);
+    }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) {
+      secret_req.set_client_key(cct->_conf->rgw_crypt_vault_ssl_clientkey);
+    }
+
    res = secret_req.process(null_yield);
    if (res < 0) {
      ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;