Add SSL support through minio kubernetes secret

canonical · Aug 3, 2022 · 789e501 · 789e501
1 parent daafd9f
commit 789e501
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 1 deletion.
diff --git a/config.yaml b/config.yaml
@@ -30,3 +30,7 @@ options:
     type: string
     default: ''
     description: "Service endpoint of gateway storage service. This value is optional when using S3 or Azure public API endpoints"
+  ssl-secret-name:
+    type: string
+    default: ''
+    description: "Name of kubernetes secret that holds the certificate information"
diff --git a/requirements.txt b/requirements.txt
@@ -4,4 +4,4 @@
 ops==1.4.0
 oci-image
 serialized-data-interface<0.4
-pytest-mock
+pytest-mock
diff --git a/src/charm.py b/src/charm.py
@@ -7,6 +7,7 @@
 from string import ascii_uppercase, digits
 from base64 import b64encode
 from hashlib import sha256
+from kubernetes import client
 
 from charms.prometheus_k8s.v0.prometheus_scrape import MetricsEndpointProvider
 from charms.grafana_k8s.v0.grafana_dashboard import GrafanaDashboardProvider
@@ -107,6 +108,13 @@ def main(self, event):
                             "configmap-hash": configmap_hash,
                             "MINIO_PROMETHEUS_AUTH_TYPE": "public",
                         },
+                        "volumeConfig": [
+                            {
+                                "name": "minio-ca-bundle",
+                                "mountPath": "/root/.minio/certs/",
+                                "files": self._get_ssl_config(),
+                            },
+                        ],
                     }
                 ],
                 "kubernetesResources": {
@@ -224,6 +232,37 @@ def _with_console_address(self, minio_args):
         console_port = str(self.model.config["console-port"])
         return [*minio_args, "--console-address", ":" + console_port]
 
+    def _get_ssl_config(self):
+        v1 = client.CoreV1Api()
+        self.model.unit.status = MaintenanceStatus(
+            f"Waiting for {self.config['ssl-secret-name']} to be created"
+        )
+        try:
+            ssl_bundle = v1.read_namespaced_secret(
+                name=self.model.config["ssl-secret-name"], namespace=self.model.name
+            ).data
+            return [
+                {
+                    "path": "private.key",
+                    "content": ssl_bundle["PRIVATE_KEY"],
+                },
+                {
+                    "path": "public.crt",
+                    "content": ssl_bundle["PUBLIC_CRT"],
+                },
+                {"path": "CA/root.cert", "content": ssl_bundle["ROOT_CERT"]},
+            ]
+        except client.rest.ApiException as err:
+            self.log.info(err)
+            self.model.unit.status = ActiveStatus()
+            return None
+        except KeyError as err:
+            self.log.info(err)
+            self.model.unit.status = BlockedStatus(
+                "SSL secret found with incorrect keys."
+            )
+            return None
+
 
 def _gen_pass() -> str:
     return "".join(choices(ascii_uppercase + digits, k=30))