PBM-1525 test SSL_CERT_FILE env var with PBM

pbm-functional/pytest/Dockerfile

@@ -1,27 +1,7 @@
 ARG PSMDB=percona/percona-server-mongodb
 ARG GO_VER=bullseye
 
-FROM alpine AS x509
-USER root
-ENV EASYRSA_DN=org
-ENV EASYRSA_REQ_COUNTRY=US
-ENV EASYRSA_REQ_PROVINCE=California
-ENV EASYRSA_REQ_CITY=SanFrancisco
-ENV EASYRSA_REQ_ORG=Percona
-ENV EASYRSA_REQ_EMAIL=pbm@percona.com
-RUN apk add --no-cache bash git openssl && cd ~ && \
-    git clone https://github.com/OpenVPN/easy-rsa.git && \
-    cd easy-rsa/easyrsa3/ && \
-    ./easyrsa init-pki && \
-    ./easyrsa --req-cn=Percona --batch build-ca nopass && \
-    ./easyrsa --req-ou=server --subject-alt-name=DNS:localhost,DNS:rscfg01,DNS:rs101,IP:127.0.0.1 --batch build-server-full psmdb nopass && \
-    ./easyrsa --req-ou=client --batch build-client-full pbm nopass && \
-    mkdir -p /etc/x509 && \
-    cp pki/ca.crt /etc/x509/ca.crt && \
-    cat pki/issued/psmdb.crt pki/private/psmdb.key > /etc/x509/psmdb.pem && \
-    cat pki/issued/pbm.crt pki/private/pbm.key > /etc/x509/pbm.pem 
-
-FROM pykmip/local AS pykmip
+FROM easyrsa/local AS easyrsa
 
 FROM golang:$GO_VER AS builder
 ARG PBM_BRANCH=dev
@@ -52,11 +32,13 @@ RUN yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noar
     mkdir -p /opt/mongodb && tar -C /opt/mongodb --transform='s,^/*[^/]*,,S' -xzvf mongo-ce.tgz || true && rm -rf mongo-ce.tgz || true
 COPY --from=builder /pbm-new/ /pbm-new/
 COPY --from=builder /pbm-old/ /pbm-old/
-COPY --from=pykmip /etc/mongod.pem /etc/pykmip/mongod.pem
-COPY --from=pykmip /root/easy-rsa/easyrsa3/pki/ca.crt /etc/pykmip/ca.crt
-COPY --from=x509 /etc/x509/ /etc/x509/
+COPY --from=easyrsa /etc/pykmip/mongod.pem /etc/pykmip/mongod.pem
+COPY --from=easyrsa /etc/x509/ca.crt /etc/pykmip/ca.crt
+COPY --from=easyrsa /etc/x509/ /etc/x509/
+COPY --from=easyrsa /etc/nginx-minio/ca.crt /etc/nginx-minio/ca.crt
 COPY conf/supervisord.d/ /etc/supervisord.d/
 COPY conf/pbm/minio.yaml /etc/pbm.conf
+COPY conf/pbm/pbm-1525.yaml /etc/pbm-1525.conf
 COPY conf/pbm/pbm-1043.yaml /etc/pbm-1043.conf
 COPY conf/pbm/pbm-1211.yaml /etc/pbm-1211.conf
 COPY conf/pbm/filesystem-profile.yaml /etc/pbm-fs-profile.conf
@@ -71,6 +53,7 @@ RUN echo -e 'vaulttoken' > /etc/vault/token && \
     chown -R mongodb /etc/pykmip && chmod 400 /etc/pykmip/mongod.pem && \
     chown -R mongodb /etc/vault && chmod 400 /etc/vault/token && \
     chown -R mongodb /etc/x509 && chmod 400 /etc/x509/* && \
+    chown -R mongodb /etc/nginx-minio && \
     if [ -f "/usr/bin/mongosh" ] ; then \
         ln -s /usr/bin/mongosh /usr/bin/mongo ; \
     fi && \

pbm-functional/pytest/Dockerfile-easyrsa

@@ -0,0 +1,35 @@
+FROM alpine
+USER root
+ENV EASYRSA_DN=org
+ENV EASYRSA_REQ_COUNTRY=US
+ENV EASYRSA_REQ_PROVINCE=California
+ENV EASYRSA_REQ_CITY=SanFrancisco
+ENV EASYRSA_REQ_ORG=Percona
+ENV EASYRSA_REQ_EMAIL=pbm@percona.com
+RUN apk add --no-cache bash git openssl && cd ~ && \
+    git clone https://github.com/OpenVPN/easy-rsa.git && \
+    cd easy-rsa/easyrsa3/ && \
+    ./easyrsa init-pki && \
+    ./easyrsa --req-cn=Percona --batch build-ca nopass 
+WORKDIR /root/easy-rsa/easyrsa3
+#For X509 authorization
+RUN ./easyrsa --req-ou=server --subject-alt-name=DNS:localhost,DNS:rscfg01,DNS:rs101,IP:127.0.0.1 --batch build-server-full psmdb nopass && \
+    ./easyrsa --req-ou=client --batch build-client-full pbm nopass && \
+    mkdir -p /etc/x509 && \
+    cp pki/ca.crt /etc/x509/ && \
+    cat pki/issued/psmdb.crt pki/private/psmdb.key > /etc/x509/psmdb.pem && \
+    cat pki/issued/pbm.crt pki/private/pbm.key > /etc/x509/pbm.pem
+#For pykmip server
+RUN ./easyrsa --batch build-server-full pykmip nopass && \
+    ./easyrsa --batch build-client-full mongod nopass && \
+    mkdir -p /etc/pykmip && \
+    cp pki/ca.crt /etc/pykmip/ && \
+    cat pki/issued/mongod.crt pki/private/mongod.key > /etc/pykmip/mongod.pem && \
+    cp pki/issued/pykmip.crt /etc/pykmip/ && \
+    cp pki/private/pykmip.key /etc/pykmip/
+#For nginx proxy to minio 
+RUN ./easyrsa --req-ou=server --subject-alt-name=DNS:nginx-minio --batch build-server-full nginx-minio nopass && \
+    mkdir -p /etc/nginx-minio && \
+    cp pki/ca.crt /etc/nginx-minio/ && \
+    cp pki/issued/nginx-minio.crt /etc/nginx-minio/ && \
+    cp pki/private/nginx-minio.key /etc/nginx-minio/

pbm-functional/pytest/Dockerfile-nginx

@@ -1,3 +1,6 @@
+FROM easyrsa/local AS easyrsa
+
 FROM nginx:stable-alpine
 COPY conf/nginx.conf /etc/nginx/nginx.conf
-EXPOSE 21114 12111 12112
+COPY --from=easyrsa /etc/nginx-minio/ /etc/nginx-minio/
+EXPOSE 21114 12111 12112 15250

pbm-functional/pytest/Dockerfile-pykmip

@@ -1,13 +1,8 @@
+FROM easyrsa/local AS easyrsa
+
 FROM python:3.11-alpine
 USER root
 RUN apk add --no-cache libffi-dev build-base bash git openssl && cd ~ && \
-    git clone https://github.com/OpenVPN/easy-rsa.git && \
-    cd easy-rsa/easyrsa3/ && \
-    ./easyrsa init-pki && \
-    ./easyrsa --req-cn=Percona --batch build-ca nopass && \
-    ./easyrsa --batch build-server-full pykmip nopass && \
-    ./easyrsa --batch build-client-full mongod nopass && \
-    cat pki/issued/mongod.crt pki/private/mongod.key > /etc/mongod.pem && \
     pip install --upgrade --no-cache-dir --break-system-packages pip && \
     pip install --upgrade --no-cache-dir --break-system-packages setuptools && \
     pip install --no-cache-dir --break-system-packages pykmip && cd ~ && \
@@ -20,15 +15,17 @@ RUN apk add --no-cache libffi-dev build-base bash git openssl && cd ~ && \
     database_path=/etc/pykmip/pykmip.database\n\
     hostname=pykmip\n\
     port=5696\n\
-    certificate_path=/root/easy-rsa/easyrsa3/pki/issued/pykmip.crt\n\
-    key_path=/root/easy-rsa/easyrsa3/pki/private/pykmip.key\n\
-    ca_path=/root/easy-rsa/easyrsa3/pki/ca.crt\n\
+    certificate_path=/etc/pykmip/pykmip.crt\n\
+    key_path=/etc/pykmip/pykmip.key\n\
+    ca_path=/etc/pykmip/ca.crt\n\
     auth_suite=TLS1.2\n\
     policy_path=/root/PyKMIP/examples/\n\
     enable_tls_client_auth=True\n\
     tls_cipher_suites= TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\n\
     logging_level=DEBUG\n\
     ' > /etc/pykmip/server.conf
 
+COPY --from=easyrsa /etc/pykmip/ /etc/pykmip/
+
 EXPOSE 5696
 CMD /root/PyKMIP/bin/run_server.py

pbm-functional/pytest/cluster.py

@@ -373,10 +373,10 @@ def create(self):
         Cluster.log("The cluster was prepared in {} seconds".format(duration))
 
     # setups pbm from default config-file, minio as storage
-    def setup_pbm(self):
+    def setup_pbm(self,file="/etc/pbm.conf"):
         host = self.pbm_cli
         n = testinfra.get_host("docker://" + host)
-        result = n.check_output('pbm config --file=/etc/pbm.conf --out=json')
+        result = n.check_output('pbm config --file=' + file + ' --out=json')
         Cluster.log("Setup PBM:\n" + result)
         time.sleep(5)
 
@@ -460,7 +460,7 @@ def make_restore(self, name, **kwargs):
             time.sleep(1)
         Cluster.log("Restore started")
         timeout=kwargs.get('timeout', 240)
-        result = n.run('timeout ' + str(timeout) + ' pbm restore ' + name + ' --wait')
+        result = n.run('SSL_CERT_FILE=/etc/nginx-minio/ca.crt timeout ' + str(timeout) + ' pbm restore ' + name + ' --wait')
 
         if result.rc == 0 and "Error" not in result.stdout:
             Cluster.log(result.stdout)

pbm-functional/pytest/conf/nginx.conf

@@ -117,4 +117,32 @@ http {
             proxy_pass http://minio:9000$request_uri;
         }
     }
+
+    server {
+        listen       15250 ssl;
+        server_name  nginx-minio;
+
+        ssl_certificate /etc/nginx-minio/nginx-minio.crt;
+        ssl_certificate_key /etc/nginx-minio/nginx-minio.key;
+
+        ignore_invalid_headers off;
+        client_max_body_size 0;
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        location / {
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_connect_timeout 300;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            chunked_transfer_encoding off;
+
+            proxy_pass http://minio:9000/;
+        }
+    }
+
 }

pbm-functional/pytest/conf/pbm/pbm-1525.yaml

@@ -0,0 +1,9 @@
+storage:
+    type: s3
+    s3:
+      endpointUrl: https://nginx-minio:15250
+      bucket: bcp
+      prefix: pbme2etest
+      credentials:
+        access-key-id: "minio1234"
+        secret-access-key: "minio1234"

pbm-functional/pytest/conf/supervisord.d/pbm-agent.ini

@@ -1,5 +1,6 @@
 [program:pbm-agent]
 command=/usr/bin/pbm-agent --mongodb-uri "%(ENV_PBM_MONGODB_URI)s"
+environment=SSL_CERT_FILE="/etc/nginx-minio/ca.crt"
 autorestart=false
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0

pbm-functional/pytest/docker-compose.yaml

@@ -53,6 +53,7 @@ services:
       - test
     depends_on:
       - minio
+      - easyrsa
 
   createbucket:
     container_name: createbucket
@@ -73,6 +74,8 @@ services:
     hostname: pykmip
     networks:
       - test
+    depends_on:
+      - easyrsa
 
   vault:
     image: hashicorp/vault
@@ -129,7 +132,14 @@ services:
       - "PERCONA_TELEMETRY_URL=https://check-dev.percona.com/v1/telemetry/GenericReport"
     command: /bin/bash
     depends_on:
-      - pykmip
+      - easyrsa
+
+  easyrsa:
+    image: easyrsa/local
+    build:
+      dockerfile: ./Dockerfile-easyrsa
+      context: .
+    command: /bin/bash
 
   golang_reports:
     image: golang:bullseye
@@ -144,9 +154,9 @@ networks:
     name: test
 
 volumes:
-  backups: 
+  backups:
     name: backups
-  fs: 
+  fs:
     name: fs
   keytabs:
     name: keytabs

pbm-functional/pytest/test_PBM-1525.py

@@ -0,0 +1,32 @@
+import pytest
+import time
+
+from cluster import Cluster
+
+@pytest.fixture(scope="package")
+def config():
+    return {"_id": "rs1", "members": [{"host": "rs101"}]}
+
+@pytest.fixture(scope="package")
+def cluster(config):
+    return Cluster(config)
+
+@pytest.fixture(scope="function")
+def start_cluster(cluster, request):
+    try:
+        cluster.destroy()
+        cluster.create()
+        cluster.setup_pbm('/etc/pbm-1525.conf')
+        yield True
+    finally:
+        if request.config.getoption("--verbose"):
+            cluster.get_logs()
+        cluster.destroy()
+
+@pytest.mark.parametrize('backup_type',['logical','physical'])
+def test_s3_custom_ssl_PBM_T296(start_cluster, cluster, backup_type):
+    cluster.check_pbm_status()
+    backup=cluster.make_backup(backup_type)
+    cluster.make_restore(backup,restart_cluster=True, check_pbm_status=True)
+    Cluster.log('Finished succesfully')
+