allow S3 client to skip SSL verification

JamesClonk · JamesClonk · commit d97af30548e8 · 2021-04-01T11:32:44.000+02:00
diff --git a/README.md b/README.md
@@ -83,6 +83,8 @@ Possible JSON properties:
 - `disable_web`: optional, disable web interface and api
 - `disable_metrics`: optional, disable Prometheus metrics endpoint
 - `unprotected_metrics`: optional, disable HTTP basic auth protection for Prometheus metrics endpoint
+- `s3.disable_ssl`: optional, S3 client connections will use HTTP instead of HTTPS
+- `s3.skip_ssl_verification`: optional, S3 client will still use HTTPS but skips certificate verification
 - `s3.service_label`: optional, defines which service label backman will look for to find the S3-compatible object storage
 - `s3.bucket_name`: optional, bucket to use on S3 storage, backman will use service-instance/binding-name if not configured
 - `s3.encryption_key`: optional, defines the key which will be used to encrypt and decrypt backups as they are stored on the S3 can also be passed as an environment variable with the name `BACKMAN_ENCRYPTION_KEY`
diff --git a/config/config.go b/config/config.go
@@ -29,11 +29,12 @@ type Config struct {
 }
 
 type S3Config struct {
-	DisableSSL    bool   `json:"disable_ssl"`
-	ServiceLabel  string `json:"service_label"`
-	ServiceName   string `json:"service_name"`
-	BucketName    string `json:"bucket_name"`
-	EncryptionKey string `json:"encryption_key"`
+	DisableSSL          bool   `json:"disable_ssl"`
+	SkipSSLVerification bool   `json:"skip_ssl_verification"`
+	ServiceLabel        string `json:"service_label"`
+	ServiceName         string `json:"service_name"`
+	BucketName          string `json:"bucket_name"`
+	EncryptionKey       string `json:"encryption_key"`
 }
 
 type ServiceConfig struct {
@@ -131,6 +132,9 @@ func Get() *Config {
 			if envConfig.S3.DisableSSL {
 				config.S3.DisableSSL = envConfig.S3.DisableSSL
 			}
+			if envConfig.S3.SkipSSLVerification {
+				config.S3.SkipSSLVerification = envConfig.S3.SkipSSLVerification
+			}
 			if len(envConfig.S3.ServiceLabel) > 0 {
 				config.S3.ServiceLabel = envConfig.S3.ServiceLabel
 			}
diff --git a/manifest.yml b/manifest.yml
@@ -23,7 +23,7 @@ applications:
 
   # ### push either as docker image
   docker:
-    image: jamesclonk/backman:1.25.1 # choose version from https://hub.docker.com/r/jamesclonk/backman/tags, or 'latest'
+    image: jamesclonk/backman:1.26.0 # choose version from https://hub.docker.com/r/jamesclonk/backman/tags, or 'latest'
   # ### or as buildpack/src
   # buildpacks:
   # - https://github.com/cloudfoundry/apt-buildpack
diff --git a/s3/client.go b/s3/client.go
@@ -1,6 +1,11 @@
 package s3
 
 import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"time"
+
 	cfenv "github.com/cloudfoundry-community/go-cfenv"
 	"github.com/minio/minio-go/v6"
 	"github.com/swisscom/backman/config"
@@ -53,6 +58,24 @@ func New(app *cfenv.App) *Client {
 		log.Fatalf("%v", err)
 	}
 
+	if config.Get().S3.SkipSSLVerification {
+		log.Debugln("disabling S3 client SSL verification ...")
+		minioClient.SetCustomTransport(&http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+		})
+	}
+
 	// check if bucket exists and is accessible and if not create it, or fail
 	exists, errBucketExists := minioClient.BucketExists(bucketName)
 	if errBucketExists == nil && exists {
