mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove TLS skip verify in wss/watch endpoint (#472)

Browse Source 
* Move heal and watch to tenant details view on operator-ui

* TLS skip verify in wss/watch endpoint

Use insecure: true in the meantime so the wss/watch endpoint works while
we add support for custotm TLS transport in the S3 client library.

Removed "InsecureSkipVerify: true" from s3AdminClient and s3Client HTTP clients

- We preserve the insecure parameter in the  `newS3Config` and  `NewAdminClientWithInsecure` functions for debugging and testing purposes.
- By default InsecureSkipVerify is false, therefore in order for Operator-Console to verify the TLS connections to MinIO tenants with self-signed certificates it requires the `ca.crt` or the `public.crt` of the tenant to exists under `~/.console/certs/CAs` which is the right way to do it.

Co-authored-by: Cesar Nieto <ces.nietor@gmail.com>
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
This commit is contained in:
Lenin Alevski
2020-12-07 13:49:00 -06:00
committed by GitHub
parent 5bcf245ed9
commit 4005c20f7e
6 changed files with 17 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
restapi/admin_tenants.go
View File

@@ -230,13 +230,13 @@ func GetTenantServiceURL(mi *operator.Tenant) (svcURL string) {
return fmt.Sprintf("%s://%s", scheme, net.JoinHostPort(svc, strconv.Itoa(port)))
}
func getTenantAdminClient(ctx context.Context, client K8sClientI, tenant *operator.Tenant, svcURL string, insecure bool) (*madmin.AdminClient, error) {
func getTenantAdminClient(ctx context.Context, client K8sClientI, tenant *operator.Tenant, svcURL string) (*madmin.AdminClient, error) {
tenantCreds, err := getTenantCreds(ctx, client, tenant)
if err != nil {
return nil, err
}
sessionToken := ""
mAdmin, pErr := NewAdminClientWithInsecure(svcURL, tenantCreds.accessKey, tenantCreds.secretKey, sessionToken, insecure)
mAdmin, pErr := NewAdminClientWithInsecure(svcURL, tenantCreds.accessKey, tenantCreds.secretKey, sessionToken, false)
if pErr != nil {
return nil, pErr.Cause
}
@@ -1059,13 +1059,12 @@ func getTenantUsageResponse(session *models.Principal, params admin_api.GetTenan
minTenant.EnsureDefaults()
svcURL := GetTenantServiceURL(minTenant)
// getTenantAdminClient will use all certificates under ~/.console/certs/CAs to trust the TLS connections with MinIO tenants
mAdmin, err := getTenantAdminClient(
ctx,
k8sClient,
minTenant,
svcURL,
true,
)
if err != nil {
return nil, prepareError(err, errorUnableToGetTenantUsage)