Add custom certificate CA support for object store #4820

Open
clyang82 opened this issue Nov 1, 2021 · 4 comments

clyang82 commented Nov 1, 2021

Is your proposal related to a problem?

Currently, the implementation for connecting to the object store is short of TLS configuration.

TLSClientConfig: &tls.Config{InsecureSkipVerify: config.HTTPConfig.InsecureSkipVerify},

For my case, I would need the ability to set a custom CA somewhere so that I can connect to the external object store. As a workaround, I have to disable TLS verification by:

type: S3
config:
  bucket: ""
  endpoint: ""
  access_key: ""
  insecure: false
  signature_version2: false
  encrypt_sse: false
  secret_key: ""
  http_config:
    insecure_skip_verify: true


Describe the solution you'd like

Support configuring certificate CA in http_config

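The behaviour this issue asks for, as an added example (not code from Thanos or from the issue author): a client TLS config that trusts a custom CA bundle instead of setting `InsecureSkipVerify`. The names `newTLSConfig`, `probe` and `caPEM` are assumptions, and a local `httptest` TLS server with a constructed private certificate stands in for the external object store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTLSConfig: caPEM is the content of a hypothetical CA option in http_config (assumed name).
func newTLSConfig(caPEM []byte, insecureSkipVerify bool) (*tls.Config, error) {
	cfg := &tls.Config{InsecureSkipVerify: insecureSkipVerify}
	if len(caPEM) == 0 {
		return cfg, nil // no custom CA: verify against the system trust store only
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // no system store available: trust only the custom CA
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("custom CA bundle contains no valid PEM certificate")
	}
	cfg.RootCAs = pool // chain verification and hostname checks stay enabled
	return cfg, nil
}

// probe sends one GET to a local TLS server whose certificate no public CA signed.
func probe(trustServerCA bool) error {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	var caPEM []byte
	if trustServerCA {
		caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	}
	cfg, err := newTLSConfig(caPEM, false)
	if err != nil {
		return err
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return err // without the CA this is an x509 "unknown authority" failure
	}
	return resp.Body.Close()
}

func main() { fmt.Println("system roots only:", probe(false), "| with custom CA:", probe(true)) }
```

With the CA supplied the request succeeds while certificate verification remains on, which is the difference from the `insecure_skip_verify: true` workaround.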

clyang82 commented Dec 6, 2021

/assign @clyang82

clyang82 commented Dec 20, 2021

List the tasks for this issue:

  • Support custom CA for S3
  • Support custom CA for Azure
  • Support custom CA for GCS (GCS is using an inline Service Account)
  • Update e2e test to enable secure access to MinIO with TLS
  • Update kube-thanos to support mounting CA certs by secret

@quchangl-github

@clyang82 I got the update, Azure storage account doesn't support client key access - https://docs.microsoft.com/en-us/answers/questions/807958/where-to-find-the-client-ca-and-key.html.
So I don't think Azure storage can be accessed by customized CA. I saw your update here, GCS is using an inline Service Account, I think Azure storage has a similar situation, it's using a storage account. Thanks.

stale bot commented Sep 21, 2022

Hello 👋 Looks like there was no activity on this issue for the last two months.
Do you mind updating us on the status? Is this still reproducible or needed? If yes, just comment on this PR or push a commit. Thanks! 🤗
If there will be no activity in the next two weeks, this issue will be closed (we can always reopen an issue if we need!). Alternatively, use remind command if you wish to be reminded at some point in future.

stale bot added the stale label Sep 21, 2022