Add option to pass custom CA certificate for S3 backend

cluster/validation.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/rancher/rke/log"
+	"github.com/rancher/rke/pki"
 	"github.com/rancher/rke/services"
 	"github.com/rancher/rke/util"
 	v3 "github.com/rancher/types/apis/management.cattle.io/v3"
@@ -147,6 +148,11 @@ func validateEtcdBackupOptions(c *Cluster) error {
 			if len(c.Services.Etcd.BackupConfig.S3BackupConfig.BucketName) == 0 {
 				return fmt.Errorf("etcd s3 backup backend bucketName can't be empty")
 			}
+			if len(c.Services.Etcd.BackupConfig.S3BackupConfig.EndpointCA) != 0 {
+				if isValid, err := pki.IsValidCertStr(c.Services.Etcd.BackupConfig.S3BackupConfig.EndpointCA); !isValid {
+					return fmt.Errorf("invalid S3 endpoint CA certificate: %v", err)
+				}
+			}
 		}
 	}
 	return nil

cmd/common.go

@@ -11,6 +11,7 @@ import (
 	"github.com/rancher/rke/cluster"
 	"github.com/rancher/rke/hosts"
 	"github.com/rancher/rke/log"
+	"github.com/rancher/rke/pki"
 	"github.com/rancher/rke/util"
 	v3 "github.com/rancher/types/apis/management.cattle.io/v3"
 	"github.com/sirupsen/logrus"
@@ -114,6 +115,7 @@ func setS3OptionsFromCLI(c *cli.Context) *v3.S3BackupConfig {
 	region := c.String("region")
 	accessKey := c.String("access-key")
 	secretKey := c.String("secret-key")
+	endpointCA := c.String("s3-endpoint-ca")
 	var s3BackupBackend = &v3.S3BackupConfig{}
 	if len(endpoint) != 0 {
 		s3BackupBackend.Endpoint = endpoint
@@ -130,6 +132,14 @@ func setS3OptionsFromCLI(c *cli.Context) *v3.S3BackupConfig {
 	if len(secretKey) != 0 {
 		s3BackupBackend.SecretKey = secretKey
 	}
+	if len(endpointCA) != 0 {
+		caStr, err := pki.ReadCertToStr(endpointCA)
+		if err != nil {
+			logrus.Warnf("Failed to read s3-endpoint-ca [%s]: %v", endpointCA, err)
+		} else {
+			s3BackupBackend.EndpointCA = caStr
+		}
+	}
 	return s3BackupBackend
 }
 

cmd/etcd.go

@@ -38,6 +38,10 @@ func EtcdCommand() cli.Command {
 			Usage: "Specify s3 endpoint url",
 			Value: s3Endpoint,
 		},
+		cli.StringFlag{
+			Name:  "s3-endpoint-ca",
+			Usage: "Specify a custom CA cert to connect to S3 endpoint",
+		},
 		cli.StringFlag{
 			Name:  "access-key",
 			Usage: "Specify s3 accessKey",

pki/util.go

@@ -20,7 +20,7 @@ import (
 	"time"
 
 	"github.com/rancher/rke/hosts"
-	"github.com/rancher/types/apis/management.cattle.io/v3"
+	v3 "github.com/rancher/types/apis/management.cattle.io/v3"
 	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/util/cert"
 )
@@ -744,3 +744,19 @@ func validateCAIssuer(rkeConfig *v3.RancherKubernetesEngineConfig, certBundle ma
 	}
 	return nil
 }
+
+func ReadCertToStr(file string) (string, error) {
+	certStr, err := ioutil.ReadFile(file)
+	if err != nil {
+		return "", fmt.Errorf("failed to read certificate [%s]: %v", file, err)
+	}
+	return string(certStr), nil
+}
+
+func IsValidCertStr(c string) (bool, error) {
+	_, err := cert.ParseCertsPEM([]byte(c))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}

services/etcd.go

@@ -1,6 +1,7 @@
 package services
 
 import (
+	"encoding/base64"
 	"fmt"
 	"path"
 	"path/filepath"
@@ -366,7 +367,10 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa
 		},
 		Image: etcdSnapshotImage,
 	}
-
+	if s3Backend.EndpointCA != "" {
+		caStr := base64.StdEncoding.EncodeToString([]byte(s3Backend.EndpointCA))
+		imageCfg.Cmd = append(imageCfg.Cmd, "--s3-endpoint-ca="+caStr)
+	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
 			fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
@@ -552,6 +556,10 @@ func configS3BackupImgCmd(ctx context.Context, imageCfg *container.Config, bc *v
 			"--s3-bucketName=" + bc.S3BackupConfig.BucketName,
 			"--s3-region=" + bc.S3BackupConfig.Region,
 		}...)
+		if bc.S3BackupConfig.EndpointCA != "" {
+			caStr := base64.StdEncoding.EncodeToString([]byte(bc.S3BackupConfig.EndpointCA))
+			cmd = append(cmd, "--s3-endpoint-ca="+caStr)
+		}
 	}
 	imageCfg.Cmd = append(imageCfg.Cmd, cmd...)
 	return imageCfg