fix: minio ssl compatible issue (#31607)

issue: https://github.com/milvus-io/milvus/issues/30709 Signed-off-by: yhmo <yihua.mo@zilliz.com>
2024-03-27 14:41:20 +08:00 · 2024-03-27 14:41:20 +08:00 · 5be395354c
parent 5d752498e7
commit 5be395354c
6 changed files with 30 additions and 14 deletions
--- a/configs/milvus.yaml
+++ b/configs/milvus.yaml
@ -68,8 +68,8 @@ minio:
  port: 9000 # Port of MinIO/S3
  accessKeyID: minioadmin # accessKeyID of MinIO/S3
  secretAccessKey: minioadmin # MinIO/S3 encryption string
+  useSSL: false # Access to MinIO/S3 with SSL
  ssl:
-    enabled: false # Access to MinIO/S3 with SSL
    tlsCACert: /path/to/public.crt # path to your CACert file, ignore when it is empty
  bucketName: a-bucket # Bucket name in MinIO/S3
  rootPath: files # The root path where the message is stored in MinIO/S3
--- a/internal/core/src/storage/ChunkManager.cpp
+++ b/internal/core/src/storage/ChunkManager.cpp
@ -53,17 +53,22 @@ generateConfig(const StorageConfig& storage_config) {
    Aws::Client::ClientConfiguration config = g_config;
    config.endpointOverride = ConvertToAwsString(storage_config.address);

+    // Three cases:
+    // 1. no ssl, verifySSL=false
+    // 2. self-signed certificate, verifySSL=false
+    // 3. CA-signed certificate, verifySSL=true
    if (storage_config.useSSL) {
        config.scheme = Aws::Http::Scheme::HTTPS;
+        config.verifySSL = true;
+        if (!storage_config.sslCACert.empty()) {
+            config.caPath = ConvertToAwsString(storage_config.sslCACert);
+            config.verifySSL = false;
+        }
    } else {
        config.scheme = Aws::Http::Scheme::HTTP;
+        config.verifySSL = false;
    }

-    if (!storage_config.sslCACert.empty()) {
-        config.caPath = ConvertToAwsString(storage_config.sslCACert);
-    }
-    config.verifySSL = false;
-
    if (!storage_config.region.empty()) {
        config.region = ConvertToAwsString(storage_config.region);
    }
--- a/internal/core/src/storage/MinioChunkManager.cpp
+++ b/internal/core/src/storage/MinioChunkManager.cpp
@ -322,17 +322,22 @@ MinioChunkManager::MinioChunkManager(const StorageConfig& storage_config)
    Aws::Client::ClientConfiguration config = g_config;
    config.endpointOverride = ConvertToAwsString(storage_config.address);

+    // Three cases:
+    // 1. no ssl, verifySSL=false
+    // 2. self-signed certificate, verifySSL=false
+    // 3. CA-signed certificate, verifySSL=true
    if (storage_config.useSSL) {
        config.scheme = Aws::Http::Scheme::HTTPS;
+        config.verifySSL = true;
+        if (!storage_config.sslCACert.empty()) {
+            config.caPath = ConvertToAwsString(storage_config.sslCACert);
+            config.verifySSL = false;
+        }
    } else {
        config.scheme = Aws::Http::Scheme::HTTP;
+        config.verifySSL = false;
    }

-    if (!storage_config.sslCACert.empty()) {
-        config.caPath = ConvertToAwsString(storage_config.sslCACert);
-    }
-    config.verifySSL = false;
-
    config.requestTimeoutMs = storage_config.requestTimeoutMs == 0
                                  ? DEFAULT_CHUNK_MANAGER_REQUEST_TIMEOUT_MS
                                  : storage_config.requestTimeoutMs;
--- a/internal/proxy/accesslog/minio_handler.go
+++ b/internal/proxy/accesslog/minio_handler.go
@ -108,6 +108,9 @@ func newMinioClient(ctx context.Context, cfg config) (*minio.Client, error) {
 		creds = credentials.NewStaticV4(cfg.accessKeyID, cfg.secretAccessKeyID, "")
 	}

+	// We must set the cert path by os environment variable "SSL_CERT_FILE",
+	// because the minio.DefaultTransport() need this path to read the file content,
+	// we shouldn't read this file by ourself.
 	if cfg.useSSL && len(cfg.sslCACert) > 0 {
 		err := os.Setenv("SSL_CERT_FILE", cfg.sslCACert)
 		if err != nil {
@ -123,6 +126,7 @@ func newMinioClient(ctx context.Context, cfg config) (*minio.Client, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	var bucketExists bool
 	// check valid in first query
 	checkBucketFn := func() error {
--- a/internal/storage/minio_object_storage.go
+++ b/internal/storage/minio_object_storage.go
@ -107,6 +107,9 @@ func newMinioClient(ctx context.Context, c *config) (*minio.Client, error) {
 		}
 	}

+	// We must set the cert path by os environment variable "SSL_CERT_FILE",
+	// because the minio.DefaultTransport() need this path to read the file content,
+	// we shouldn't read this file by ourself.
 	if c.useSSL && len(c.sslCACert) > 0 {
 		err := os.Setenv("SSL_CERT_FILE", c.sslCACert)
 		if err != nil {
--- a/pkg/util/paramtable/service_param.go
+++ b/pkg/util/paramtable/service_param.go
@ -1095,9 +1095,8 @@ func (p *MinioConfig) Init(base *BaseTable) {
 	p.SecretAccessKey.Init(base.mgr)

 	p.UseSSL = ParamItem{
-		Key:          "minio.ssl.enabled",
-		FallbackKeys: []string{"minio.useSSL"},
-		Version:      "2.3.12",
+		Key:          "minio.useSSL",
+		Version:      "2.0.0",
 		DefaultValue: "false",
 		PanicIfEmpty: true,
 		Doc:          "Access to MinIO/S3 with SSL",