diff --git a/Documentation/CRDs/Cluster/external-cluster/external-cluster.md b/Documentation/CRDs/Cluster/external-cluster/external-cluster.md index adc7405f2545..471122b8c03f 100644 --- a/Documentation/CRDs/Cluster/external-cluster/external-cluster.md +++ b/Documentation/CRDs/Cluster/external-cluster/external-cluster.md @@ -37,7 +37,7 @@ python3 create-external-cluster-resources.py --rbd-data-pool-name -- * `--alias-rbd-data-pool-name`: Provides an alias for the RBD data pool name, necessary if a special character is present in the pool name such as a period or underscore * `--rgw-endpoint`: (optional) The RADOS Gateway endpoint in the format `:` or `:`. * `--rgw-pool-prefix`: (optional) The prefix of the RGW pools. If not specified, the default prefix is `default` -* `--rgw-tls-cert-path`: (optional) RADOS Gateway endpoint TLS certificate file path +* `--rgw-tls-cert-path`: (optional) RADOS Gateway endpoint TLS certificate (or intermediate signing certificate) file path * `--rgw-skip-tls`: (optional) Ignore TLS certification validation when a self-signed certificate is provided (NOT RECOMMENDED) * `--rbd-metadata-ec-pool-name`: (optional) Provides the name of erasure coded RBD metadata pool, used for creating ECRBDStorageClass. * `--monitoring-endpoint`: (optional) Ceph Manager prometheus exporter endpoints (comma separated list of IP entries of active and standby mgrs) diff --git a/deploy/examples/create-external-cluster-resources.py b/deploy/examples/create-external-cluster-resources.py index 268176c4f607..d059a1456462 100644 --- a/deploy/examples/create-external-cluster-resources.py +++ b/deploy/examples/create-external-cluster-resources.py @@ -377,7 +377,7 @@ def gen_arg_parser(cls, args_to_parse=None): "--rgw-tls-cert-path", default="", required=False, - help="RADOS Gateway endpoint TLS certificate", + help="RADOS Gateway endpoint TLS certificate (or intermediate signing certificate)", ) output_group.add_argument( "--rgw-skip-tls", diff --git a/pkg/operator/ceph/object/s3-handlers.go b/pkg/operator/ceph/object/s3-handlers.go index a40614c700d3..13eccb8261d1 100644 --- a/pkg/operator/ceph/object/s3-handlers.go +++ b/pkg/operator/ceph/object/s3-handlers.go @@ -199,12 +199,18 @@ func (s *S3Agent) DeleteObjectInBucket(bucketname string, key string) (bool, err func BuildTransportTLS(tlsCert []byte, insecure bool) *http.Transport { //nolint:gosec // is enabled only for testing - tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure} + tlsConfig := &tls.Config{InsecureSkipVerify: insecure} + var caCertPool *x509.CertPool + var err error + caCertPool, err = x509.SystemCertPool() + if err != nil { + logger.Warningf("failed to load system cert pool; continuing without loading system certs") + caCertPool = x509.NewCertPool() // start with empty cert pool instead + } if len(tlsCert) > 0 { - caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(tlsCert) - tlsConfig.RootCAs = caCertPool } + tlsConfig.RootCAs = caCertPool return &http.Transport{ TLSClientConfig: tlsConfig, diff --git a/pkg/operator/ceph/object/s3-handlers_test.go b/pkg/operator/ceph/object/s3-handlers_test.go index 308575397550..f7f20fe0ccaf 100644 --- a/pkg/operator/ceph/object/s3-handlers_test.go +++ b/pkg/operator/ceph/object/s3-handlers_test.go @@ -53,7 +53,7 @@ func TestNewS3Agent(t *testing.T) { insecure := true s3Agent, err := newS3Agent(accessKey, secretKey, endpoint, debug, nil, insecure) assert.NoError(t, err) - assert.Nil(t, s3Agent.Client.Config.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs) + assert.NotNil(t, s3Agent.Client.Config.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs) // still includes sys certs assert.True(t, s3Agent.Client.Config.HTTPClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify) assert.False(t, *s3Agent.Client.Config.DisableSSL) })