Fix minio ssl compatible issue

Signed-off-by: yhmo <[email protected]>
yhmo · Mar 26, 2024 · 12f0e60 · 12f0e60
1 parent 73858b2
commit 12f0e60
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 14 deletions.
diff --git a/configs/milvus.yaml b/configs/milvus.yaml
@@ -68,8 +68,8 @@ minio:
  port: 9000 # Port of MinIO/S3
  accessKeyID: minioadmin # accessKeyID of MinIO/S3
  secretAccessKey: minioadmin # MinIO/S3 encryption string
+ useSSL: false # Access to MinIO/S3 with SSL
  ssl:
- enabled: false # Access to MinIO/S3 with SSL
  tlsCACert: /path/to/public.crt # path to your CACert file, ignore when it is empty
  bucketName: a-bucket # Bucket name in MinIO/S3
  rootPath: files # The root path where the message is stored in MinIO/S3

diff --git a/internal/core/src/storage/ChunkManager.cpp b/internal/core/src/storage/ChunkManager.cpp
@@ -53,17 +53,22 @@ generateConfig(const StorageConfig& storage_config) {
  Aws::Client::ClientConfiguration config = g_config;
  config.endpointOverride = ConvertToAwsString(storage_config.address);
 
+ // Three cases:
+ // 1. no ssl, verifySSL=false
+ // 2. self-signed certificate, verifySSL=false
+ // 3. CA-signed certificate, verifySSL=true
  if (storage_config.useSSL) {
  config.scheme = Aws::Http::Scheme::HTTPS;
+ config.verifySSL = true;
+ if (!storage_config.sslCACert.empty()) {
+ config.caPath = ConvertToAwsString(storage_config.sslCACert);
+ config.verifySSL = false;
+ }
  } else {
  config.scheme = Aws::Http::Scheme::HTTP;
+ config.verifySSL = false;
  }
 
- if (!storage_config.sslCACert.empty()) {
- config.caPath = ConvertToAwsString(storage_config.sslCACert);
- }
- config.verifySSL = false;
-
  if (!storage_config.region.empty()) {
  config.region = ConvertToAwsString(storage_config.region);
  }

diff --git a/internal/core/src/storage/MinioChunkManager.cpp b/internal/core/src/storage/MinioChunkManager.cpp
@@ -322,17 +322,22 @@ MinioChunkManager::MinioChunkManager(const StorageConfig& storage_config)
  Aws::Client::ClientConfiguration config = g_config;
  config.endpointOverride = ConvertToAwsString(storage_config.address);
 
+ // Three cases:
+ // 1. no ssl, verifySSL=false
+ // 2. self-signed certificate, verifySSL=false
+ // 3. CA-signed certificate, verifySSL=true
  if (storage_config.useSSL) {
  config.scheme = Aws::Http::Scheme::HTTPS;
+ config.verifySSL = true;
+ if (!storage_config.sslCACert.empty()) {
+ config.caPath = ConvertToAwsString(storage_config.sslCACert);
+ config.verifySSL = false;
+ }
  } else {
  config.scheme = Aws::Http::Scheme::HTTP;
+ config.verifySSL = false;
  }
 
- if (!storage_config.sslCACert.empty()) {
- config.caPath = ConvertToAwsString(storage_config.sslCACert);
- }
- config.verifySSL = false;
-
  config.requestTimeoutMs = storage_config.requestTimeoutMs == 0
  ? DEFAULT_CHUNK_MANAGER_REQUEST_TIMEOUT_MS
  : storage_config.requestTimeoutMs;

diff --git a/internal/proxy/accesslog/minio_handler.go b/internal/proxy/accesslog/minio_handler.go
@@ -108,6 +108,9 @@ func newMinioClient(ctx context.Context, cfg config) (*minio.Client, error) {
  creds = credentials.NewStaticV4(cfg.accessKeyID, cfg.secretAccessKeyID, "")
  }
 
+ // We must set the cert path by os environment variable "SSL_CERT_FILE",
+ // because the minio.DefaultTransport() need this path to read the file content,
+ // we shouldn't read this file by ourself.
  if cfg.useSSL && len(cfg.sslCACert) > 0 {
  err := os.Setenv("SSL_CERT_FILE", cfg.sslCACert)
  if err != nil {
@@ -123,6 +126,7 @@ func newMinioClient(ctx context.Context, cfg config) (*minio.Client, error) {
  if err != nil {
  return nil, err
  }
+
  var bucketExists bool
  // check valid in first query
  checkBucketFn := func() error {

diff --git a/internal/storage/minio_object_storage.go b/internal/storage/minio_object_storage.go
@@ -107,6 +107,9 @@ func newMinioClient(ctx context.Context, c *config) (*minio.Client, error) {
  }
  }
 
+ // We must set the cert path by os environment variable "SSL_CERT_FILE",
+ // because the minio.DefaultTransport() need this path to read the file content,
+ // we shouldn't read this file by ourself.
  if c.useSSL && len(c.sslCACert) > 0 {
  err := os.Setenv("SSL_CERT_FILE", c.sslCACert)
  if err != nil {

diff --git a/pkg/util/paramtable/service_param.go b/pkg/util/paramtable/service_param.go
@@ -1095,9 +1095,8 @@ func (p *MinioConfig) Init(base *BaseTable) {
  p.SecretAccessKey.Init(base.mgr)
 
  p.UseSSL = ParamItem{
- Key: "minio.ssl.enabled",
- FallbackKeys: []string{"minio.useSSL"},
- Version: "2.3.12",
+ Key: "minio.useSSL",
+ Version: "2.0.0",
  DefaultValue: "false",
  PanicIfEmpty: true,
  Doc: "Access to MinIO/S3 with SSL",