Allow setting S3 certificate authority (CA) list #17748
Comments
|
#17826 is trying to fix the issue. Are you willing to help with testing? |
|
I'm not sure if #17826 addresses this issue. I'm completely ignorant of the code structure, but I think src/object_store/src/object/s3.rs#L660 is what was tripping me up. let conn = hyper_rustls::HttpsConnectorBuilder::new()
.with_webpki_roots() // <-- prevents using a self-signed CA cert for Minio as object store for RisingWave itself
.https_or_http()
.enable_all_versions()
.wrap_connector(http); |
Oh, I got the problem. Do you mean you are using a s3 service which needs a custom cert to connect to? cc @wcy-fdu |
|
Yes, sorry I was clear before. We're running Minio as a separate deployment in k8s that's enforcing all connections are over https. The certificate it serves is signed by a custom/internal CA certificate. The When I configure the following in helm, I get certificate validation errors: state_store:
minio:
enabled: true
endpoint: https://minio.example.internal
bucket: risingwave |
|
This looks to be resolved by #18011 |
Is your feature request related to a problem? Please describe.
Our minio cluster is served over https using a certificate signed by an internal CA. If I understand the code correctly, the S3 state-store compiles in the Mozilla CA list and can't be overridden.
Describe the solution you'd like
It would be very helpful if I could set the common
SSL_CERT_FILEenvironment variable or another config parameter to have RisingWave use the specified file or the system CA list for the S3 connector.Describe alternatives you've considered
I'm currently running the software with a custom Traefik route and a
hostAliasin Kubernetes to proxy the connection. e.g. RisingWave (http) -> Traefik -> (https) MinioAdditional context
No response
The text was updated successfully, but these errors were encountered: