SSL support
Yann Defretin edited this page on 2023-04-21 20:49:11 +02:00

S3Proxy has SSL support working both with Docker or without Docker.

You first need to configure a keystore holding your certificates and pass it to S3Proxy.

Create a keystore

To set up the keystore, run:

$ keytool -keystore keystore.jks -alias aws -genkey -keyalg RSA

Use *.s3.amazonaws.com as the CN if you wish to proxy access to Amazon S3 itself. Applications will reject the self-signed certificate unless you import it into the application's trust store. If the application is written in Java, you can do:

$ keytool -exportcert -keystore keystore.jks -alias aws -rfc > aws.crt
$ keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -import -alias aws -file aws.crt -trustcacerts

SSL without Docker

S3Proxy can listen on HTTPS by setting the secure-endpoint property. An example:

s3proxy.secure-endpoint=https://0.0.0.0:443
s3proxy.keystore-path=keystore.jks
s3proxy.keystore-password=password

SSL with Docker

You need to configure the following environment variables:

  • S3PROXY_SECURE_ENDPOINT
  • S3PROXY_KEYSTORE_PATH
  • S3PROXY_KEYSTORE_PASSWORD

SSL with Kubernetes

You need to create or update the secret holding your S3Proxy configuration, for example:

apiVersion: v1
kind: Secret
metadata:
  name: s3proxy
  namespace: default
stringData:
  [...]
  S3PROXY_SECURE_ENDPOINT: "https://0.0.0.0:443"
  S3PROXY_KEYSTORE_PATH: "tls/keystore.jks"
  S3PROXY_KEYSTORE_PASSWORD: password

You also need to create a secret that will contain the keystore file:

kubectl create -n default secret generic s3proxy-keystore --from-file=keystore.jks -o yaml

Then you will have a deployment like this:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: s3proxy
  namespace: default
  labels:
    app: s3proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: s3proxy
  template:
    metadata:
      labels:
        app: s3proxy
    spec:
      containers:
        - name: s3proxy
          image: gaul/s3proxy
          ports:
            - name: https
              containerPort: 443
          envFrom:
            - secretRef:
                name: s3proxy
          resources:
            requests:
              cpu: 1
              memory: "1Gi"
            limits:
              memory: "1Gi"
          volumeMounts:
            - name: keystore
              mountPath: /opt/s3proxy/tls
      volumes:
        - name: keystore
          secret:
            secretName: s3proxy-keystore
            items:
              - key: keystore.jks
                path: keystore.jks
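The three TLS settings above appear in two spellings: as s3proxy.* properties in the non-Docker section and as S3PROXY_* environment variables in the Docker and Kubernetes sections. The following is an added example, not S3Proxy's own code, that maps between the two forms and checks a configuration for the mistakes that silently leave the proxy on plaintext or unable to start: a non-https endpoint, a missing keystore path or password, the placeholder password from this page, and a relative keystore path that does not land on the mounted volume. It assumes a relative keystore path resolves against /opt/s3proxy (inferred from the mountPath above, not documented here).

```python
"""Consistency checks for S3Proxy TLS settings (added example, not S3Proxy code).
Accepts either the s3proxy.properties form or the S3PROXY_* env-var form."""
import posixpath
from urllib.parse import urlsplit

# The three TLS keys this page uses; the env-var names are derived from them.
TLS_KEYS = ("s3proxy.secure-endpoint", "s3proxy.keystore-path", "s3proxy.keystore-password")


def prop_to_env(key: str) -> str:
    """s3proxy.keystore-path -> S3PROXY_KEYSTORE_PATH (Docker / Kubernetes form)."""
    return key.upper().replace(".", "_").replace("-", "_")


def env_to_props(env: dict) -> dict:
    """Map the S3PROXY_* variables back to property keys so one checker serves both."""
    return {k: env[prop_to_env(k)] for k in TLS_KEYS if prop_to_env(k) in env}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def check_tls_config(props: dict, mounted_files=(), workdir="/opt/s3proxy") -> list:
    """Return findings (empty list = consistent). mounted_files lists absolute
    paths present in the container; workdir is where a relative keystore path is
    assumed to resolve (assumption drawn from the mountPath, not from the docs)."""
    findings = []
    endpoint = props.get("s3proxy.secure-endpoint")
    if not endpoint:
        return ["no secure-endpoint: S3Proxy serves plaintext HTTP only"]
    scheme = urlsplit(endpoint).scheme
    if scheme != "https":
        findings.append(f"secure-endpoint must be https://, got {scheme}://")
    for key in TLS_KEYS[1:]:
        if not props.get(key):
            findings.append(f"{key} (env {prop_to_env(key)}) is required with a secure endpoint")
    if props.get("s3proxy.keystore-password") == "password":
        findings.append("keystore-password is the placeholder from the docs; use a real secret")
    path = props.get("s3proxy.keystore-path")
    if path:
        resolved = path if path.startswith("/") else posixpath.join(workdir, path)
        if mounted_files and resolved not in mounted_files:
            findings.append(f"keystore-path resolves to {resolved}, not a mounted file")
    return findings
```

Feed it the properties file or the Secret's stringData plus the container's mount paths; an empty list means the endpoint, keystore and password line up.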