
Using linstor-gateway with an SSL key-secured controller #21

Open
@cduchenoy

  • cluster info
$ linstor n l -p
+----------------------------------------------------------+
| Node      | NodeType | Addresses                | State  |
|==========================================================|
| vc-swarm1 | COMBINED | 192.168.90.21:3367 (SSL) | Online |
| vc-swarm2 | COMBINED | 192.168.90.22:3367 (SSL) | Online |
| vc-swarm3 | COMBINED | 192.168.90.23:3367 (SSL) | Online |
+----------------------------------------------------------+
  • test SSL api
$ curl -s --cert /etc/linstor/ssl/clients.uncrypted.pem \
              --key /etc/linstor/ssl/clients.uncrypted.pem \
              --cacert /etc/linstor/ssl/ca.crt --http1.1 \
              --insecure https://192.168.90.21:3371/v1/controller/version | jq
{
  "version": "0.1",
  "git_hash": "07890a5c51382267c7015a07a9c5b4a9ee9a0ae8",
  "build_time": "2023-03-17T23:16:03+00:00",
  "rest_api_version": "1.17.0"
}
  • linstor-gateway config
$ cat /etc/linstor-gateway/linstor-gateway.toml
linstor.controllers = ["https://192.168.90.21:3371","https://192.168.90.22:3371","https://192.168.90.23:3371"]
  • check health
$ linstor-gateway check-health
[!] LINSTOR
    ✗ No connection to a LINSTOR controller
      Get "https://192.168.90.21:3371/v1/controller/version": x509: cannot validate certificate for 192.168.90.21 because it doesn't contain any IP SANs
      Make sure that either
      • the --controllers command line option, or
      • the LS_CONTROLLERS environment variable, or
      • the linstor.controllers key in your configuration file (/etc/linstor-gateway/linstor-gateway.toml)
      contain an URL to a LINSTOR controller, or that the LINSTOR controller is running on this machine.
[✓] drbd-reactor
[✓] Resource Agents
[✓] iSCSI
[✓] NVMe-oF
[✓] NFS

FATA[0000] Health check failed: found 1 issues 

HACK Solution (use a reverse proxy)

$ cat /etc/linstor-gateway/linstor-gateway.toml
linstor.controllers = ["http://127.0.0.1:3369"]

$ cat /etc/haproxy/haproxy.cfg
...
frontend LINSTOR-IN
    bind            127.0.0.1:3369
    mode            http
    log             global
    option          http-keep-alive
    default_backend LINSTOR-CONTROLLERS
 
backend LINSTOR-CONTROLLERS
    mode                http
    timeout connect     30s
    timeout server      30s
    retries             3
    option              httpchk OPTIONS /health
    server       vc-swarm1 192.168.90.21:3371 ssl check inter 5s verify none crt /etc/linstor/ssl/clients.uncrypted.pem ca-file /etc/linstor/ssl/clients.uncrypted.pem
    server       vc-swarm2 192.168.90.22:3371 ssl check inter 5s verify none crt /etc/linstor/ssl/clients.uncrypted.pem ca-file /etc/linstor/ssl/clients.uncrypted.pem
    server       vc-swarm3 192.168.90.23:3371 ssl check inter 5s verify none crt /etc/linstor/ssl/clients.uncrypted.pem ca-file /etc/linstor/ssl/clients.uncrypted.pem
  • check health
$ linstor-gateway check-health
[✓] LINSTOR
[✓] drbd-reactor
[✓] Resource Agents
[✓] iSCSI
[✓] NVMe-oF
[✓] NFS
