add TLS support for swift

grafana · Jan 12, 2024 · 0a946a2 · 0a946a2
1 parent 5559b26
commit 0a946a2
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/docs/sources/configure/_index.md b/docs/sources/configure/_index.md
@@ -5134,6 +5134,16 @@ The `swift_storage_config` block configures the connection to OpenStack Object S
 # is received on a request.
 # CLI flag: -<prefix>.swift.request-timeout
 [request_timeout: <duration> | default = 5s]
+
+# Set to false to skip verifying the certificate chain and hostname.
+# Set to true to skip verifying the certificate chain and hostname.
+# CLI flag: -<prefix>.swift.insecure-skip-verify
+[insecure_skip_verify: <boolean> | default = false]
+
+# Path to the trusted CA file that signed the SSL certificate of the S3
+# endpoint.
+# CLI flag: -<prefix>.swift.ca-file
+[ca_file: <string> | default = ""]
 ```
 
 ### cos_storage_config

diff --git a/pkg/storage/bucket/swift/config.go b/pkg/storage/bucket/swift/config.go
@@ -26,6 +26,16 @@ type Config struct {
 	MaxRetries        int           `yaml:"max_retries"`
 	ConnectTimeout    time.Duration `yaml:"connect_timeout"`
 	RequestTimeout    time.Duration `yaml:"request_timeout"`
+	HTTPConfig        HTTPConfig    `yaml:"http_config"`
+}
+
+// HTTPConfig stores the http.Transport configuration
+type HTTPConfig struct {
+	Timeout               time.Duration `yaml:"timeout"`
+	IdleConnTimeout       time.Duration `yaml:"idle_conn_timeout"`
+	ResponseHeaderTimeout time.Duration `yaml:"response_header_timeout"`
+	InsecureSkipVerify    bool          `yaml:"insecure_skip_verify"`
+	CAFile                string        `yaml:"ca_file"`
 }
 
 // RegisterFlags registers the flags for Swift storage
@@ -54,6 +64,11 @@ func (cfg *Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
 	f.IntVar(&cfg.MaxRetries, prefix+"swift.max-retries", 3, "Max retries on requests error.")
 	f.DurationVar(&cfg.ConnectTimeout, prefix+"swift.connect-timeout", 10*time.Second, "Time after which a connection attempt is aborted.")
 	f.DurationVar(&cfg.RequestTimeout, prefix+"swift.request-timeout", 5*time.Second, "Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers after X time no data is received on a request.")
+	f.DurationVar(&cfg.HTTPConfig.IdleConnTimeout, prefix+"swift.http.idle-conn-timeout", 90*time.Second, "The maximum amount of time an idle connection will be held open.")
+	f.DurationVar(&cfg.HTTPConfig.Timeout, prefix+"swift.http.timeout", 0, "Timeout specifies a time limit for requests made by swift Client.")
+	f.DurationVar(&cfg.HTTPConfig.ResponseHeaderTimeout, prefix+"swift.http.response-header-timeout", 0, "If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.")
+	f.BoolVar(&cfg.HTTPConfig.InsecureSkipVerify, prefix+"swift.http.insecure-skip-verify", false, "Set to true to skip verifying the certificate chain and hostname.")
+	f.StringVar(&cfg.HTTPConfig.CAFile, prefix+"swift.http.ca-file", "", "Path to the trusted CA file that signed the SSL certificate of the swift endpoint.")
 }
 
 func (cfg *Config) Validate() error {

diff --git a/pkg/storage/chunk/client/openstack/swift_object_client.go b/pkg/storage/chunk/client/openstack/swift_object_client.go
@@ -3,10 +3,13 @@ package openstack
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"flag"
 	"fmt"
 	"io"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/ncw/swift"
@@ -76,6 +79,23 @@ func NewSwiftObjectClient(cfg SwiftConfig, hedgingCfg hedging.Config) (*SwiftObj
 }
 
 func createConnection(cfg SwiftConfig, hedgingCfg hedging.Config, hedging bool) (*swift.Connection, error) {
+	tlsConfig := &tls.Config{}
+
+	tlsConfig = &tls.Config{
+		InsecureSkipVerify: cfg.HTTPConfig.InsecureSkipVerify,
+	}
+	if cfg.HTTPConfig.CAFile != "" {
+		tlsConfig.RootCAs = x509.NewCertPool()
+		data, err := os.ReadFile(cfg.HTTPConfig.CAFile)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.RootCAs.AppendCertsFromPEM(data)
+	}
+
+	newTransport := defaultTransport.(*http.Transport)
+	newTransport.TLSClientConfig = tlsConfig
+
 	// Create a connection
 	c := &swift.Connection{
 		AuthVersion:    cfg.AuthVersion,
@@ -94,7 +114,7 @@ func createConnection(cfg SwiftConfig, hedgingCfg hedging.Config, hedging bool)
 		Domain:         cfg.DomainName,
 		DomainId:       cfg.DomainID,
 		Region:         cfg.RegionName,
-		Transport:      defaultTransport,
+		Transport:      newTransport,
 	}
 
 	switch {