From be23b1456469fa0a546e1c29ab81c60f43964d8d Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Fri, 8 Nov 2024 12:07:19 +0300
Subject: [PATCH] [#52] Support TLS for s3-gw

Signed-off-by: Denis Kirillov
---
 Dockerfile | 2 ++
 Dockerfile.custom | 2 ++
 Dockerfile.local | 2 ++
 docker-compose.yml | 1 +
 s3-gw/s3-gw-config.yaml | 5 +++++
 s3-gw/s3-gw-tls.crt | 22 ++++++++++++++++++++++
 s3-gw/s3-gw-tls.key | 27 +++++++++++++++++++++++++++
 7 files changed, 61 insertions(+)
 create mode 100644 s3-gw/s3-gw-tls.crt
 create mode 100644 s3-gw/s3-gw-tls.key

diff --git a/Dockerfile b/Dockerfile
index 2285f78..54c2662 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -49,6 +49,8 @@ COPY ./s3-gw/rules.json /config/bearer-rules.json
 COPY ./s3-gw/regions.json /config/regions.json
 COPY ./s3-gw/s3-gw-config.yaml /config/s3-gw-config.yaml
 COPY ./s3-gw/s3-gw-wallet.json /config/s3-gw-wallet.json
+COPY ./s3-gw/s3-gw-tls.crt /config/s3-gw-tls.crt
+COPY ./s3-gw/s3-gw-tls.key /config/s3-gw-tls.key
 COPY ./s3-gw/user-wallet.json /config/user-wallet.json
 COPY ./sn/cli-cfg.yaml /config/cli-cfg-sn.yaml
 COPY ./sn/wallet.json /config/wallet-sn.json
diff --git a/Dockerfile.custom b/Dockerfile.custom
index c7c2109..92d4618 100644
--- a/Dockerfile.custom
+++ b/Dockerfile.custom
@@ -49,6 +49,8 @@ COPY ./s3-gw/rules.json /config/bearer-rules.json
 COPY ./s3-gw/regions.json /config/regions.json
 COPY ./s3-gw/s3-gw-config.yaml /config/s3-gw-config.yaml
 COPY ./s3-gw/s3-gw-wallet.json /config/s3-gw-wallet.json
+COPY ./s3-gw/s3-gw-tls.crt /config/s3-gw-tls.crt
+COPY ./s3-gw/s3-gw-tls.key /config/s3-gw-tls.key
 COPY ./s3-gw/user-wallet.json /config/user-wallet.json
 COPY ./sn/cli-cfg.yaml /config/cli-cfg-sn.yaml
 COPY ./sn/wallet.json /config/wallet-sn.json
diff --git a/Dockerfile.local b/Dockerfile.local
index a463d30..b66c3c9 100644
--- a/Dockerfile.local
+++ b/Dockerfile.local
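Review bot: The added `COPY ./s3-gw/s3-gw-tls.key /config/s3-gw-tls.key` puts a private key that this same commit checks into the repository into every image built from it, so the key has to be treated as public and the TLS listener offers no confidentiality against anyone who has the repository or the image. That is acceptable only as a test fixture, and nothing on the added lines says so. I would put `# dev-only TLS key pair, key is public: never reuse outside this environment` above the two COPY lines, or generate the pair during the build so that no fixed key is shipped. The same two lines are added in Dockerfile.custom and Dockerfile.local and the point applies there as well; the build stage these lines belong to starts and ends outside the hunk.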
@@ -34,6 +34,8 @@ COPY ./s3-gw/rules.json /config/bearer-rules.json
 COPY ./s3-gw/regions.json /config/regions.json
 COPY ./s3-gw/s3-gw-config.yaml /config/s3-gw-config.yaml
 COPY ./s3-gw/s3-gw-wallet.json /config/s3-gw-wallet.json
+COPY ./s3-gw/s3-gw-tls.crt /config/s3-gw-tls.crt
+COPY ./s3-gw/s3-gw-tls.key /config/s3-gw-tls.key
 COPY ./s3-gw/user-wallet.json /config/user-wallet.json
 COPY ./sn/cli-cfg.yaml /config/cli-cfg-sn.yaml
 COPY ./sn/wallet.json /config/wallet-sn.json
diff --git a/docker-compose.yml b/docker-compose.yml
index 5dbed75..a708b60 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -25,6 +25,7 @@ services: - "30333:30333" # RPC - "8080:8080" # FrostFS API RPC - "8084:8084" # S3 Gateway + - "8184:8184" # S3 Gateway with TLS - "16513:16513" # Control service volumes:
diff --git a/s3-gw/s3-gw-config.yaml b/s3-gw/s3-gw-config.yaml
index f61728b..9a4f953 100644
--- a/s3-gw/s3-gw-config.yaml
+++ b/s3-gw/s3-gw-config.yaml
@@ -11,6 +11,11 @@ peers: server: - address: 0.0.0.0:8084 + - address: 0.0.0.0:8184 + tls: + enabled: true + cert_file: /config/s3-gw-tls.crt + key_file: /config/s3-gw-tls.key logger: level: debug
diff --git a/s3-gw/s3-gw-tls.crt b/s3-gw/s3-gw-tls.crt
new file mode 100644
index 0000000..c286881
--- /dev/null
+++ b/s3-gw/s3-gw-tls.crt
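Review bot: The new `0.0.0.0:8184` listener serves `/config/s3-gw-tls.crt`, and as far as the PEM added later in this patch can be read, that certificate names `nspcc.ru` as its subject and carries no subjectAltName. If that reading is right, a client that reaches the gateway under the dev-env host name cannot validate it, and the usual outcome is that verification gets turned off on the client side. Issuing the fixture with SAN entries for the names the environment is actually reached by would let clients pin it as a trust anchor instead. The plaintext listener on `0.0.0.0:8084` stays next to it, so TLS is optional rather than enforced; a comment on the `tls:` block such as `# test certificate shipped in this repo; plaintext 8084 remains enabled` would make both facts explicit.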
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAowCCQDXZEH0aQRqFzANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMC +UlUxFjAUBgNVBAgMDVN0LlBldGVyc2J1cmcxGTAXBgNVBAcMEFNhaW50IFBldGVy +c2J1cmcxDjAMBgNVBAoMBU5TUENDMREwDwYDVQQLDAhOZW8gU1BDQzERMA8GA1UE +AwwIbnNwY2MucnUxGzAZBgkqhkiG9w0BCQEWDG9wc0Buc3BjYy5ydTAeFw0yMDA3 +MTMxNTQyMzZaFw0zMDA3MTExNTQyMzZaMIGTMQswCQYDVQQGEwJSVTEWMBQGA1UE +CAwNU3QuUGV0ZXJzYnVyZzEZMBcGA1UEBwwQU2FpbnQgUGV0ZXJzYnVyZzEOMAwG +A1UECgwFTlNQQ0MxETAPBgNVBAsMCE5lbyBTUENDMREwDwYDVQQDDAhuc3BjYy5y +dTEbMBkGCSqGSIb3DQEJARYMb3BzQG5zcGNjLnJ1MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2 +Q5qM8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7Bbuz +NOchonlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFK +eeJGtueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl ++xsnnAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tL +YtUMdLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBDEGhAyOtfsNwbZ0oZIw06e0JXCmri+8jsn5Ly/yHU0+ecHgMA5AAQ +AG2QRpZZtZCtD/Cj4i6nSTWbRhS0FgqY998p5Lnh/AXTZHBx0t3LKJupN59CIjCK +1eMEfQChoAZg66oO/obAFkq72gj8gpagMY9vFNVcszmse3FWrvlKmO1TwTEh+CzM +7wbmiL/ujm0lIf44pp0U4qYFcSimSDqbwOfeDPif9lMinzylDxMfaAKBHBHPj5Vt +fX8dgf6MIqyz51u/2G0gHfXMDxXec8huYKt2EtPyavh6kFxxGvcA15m6seJTcu+h +6WzeQFa2NBg7Z3ai4DiPXirNtcHWeqxK +-----END CERTIFICATE----- diff --git a/s3-gw/s3-gw-tls.key b/s3-gw/s3-gw-tls.key new file mode 100644 index 0000000..bd29be5 --- /dev/null +++ b/s3-gw/s3-gw-tls.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2Q5qM +8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7BbuzNOch +onlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFKeeJG +tueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl+xsn +nAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tLYtUM +dLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABAoIBAEIp3mJEjPgNOdDf +NlEYpdfxLStOQIKMo0bdXAOBToOc28SAjDTGGSflFGIIQWwF+Vq3meRzfExgyouY +AG3XwYQcZF4USX4XwG71YUXzQXdiY7ewc3Mos2gxD4kVXYpgwzJtOET2GN72zwAm +asSXY7GXdesmu8mMYkxzEAKlhFgMj+bGE/4QQUBKG9ylGIdo07zmU6rAsVhnwQTb +LE3cf+AxCeTVA7OsJCUUR4S9qsgXUN1WeaV8LNg0lYx8UTu1xlbrpSjx7B4eYy6J +FGJWuT9b3X+cBLcGk3BzheUAfqBG2UFDxUCt0grqmmTBkB850MtCDhffhPjxxrD7 +KrwAcpECgYEA6HApn2VtWI/tDYCbNix6yxeqq73fO3ng6yFry1u7EYvl8hJXBgR4 +b6kAVc3y/9pZO/5D23dHl1PQtnU5401/j6dQrb8A2TMqZ1vA8XIdIMjOiVjZtYMF +nXzmf78PEbw9jWlDVARJdAwkJeuDI4/HVvgiDAh3zxx5F8uDVP16/r8CgYEA1mXS +9owfLIPtPSxyMJoGU0jP7OP+HVwlKkXpvg7uBtINKSDW4UU4rnpIGW5MohR3ACWO +ReFliOnGA5FXBp9GzkbJ+wIYovPIsGuBdxSsBlPY1S0yPlo30hr7E6cK3B3EuxDg +SkbJcWp2EwXYEIyEcopbVUTTlBO3wmBFgm/Ps+kCgYA/+Kar9OlMR4hRgAS3uzQs +cx4I2F/46YlKjU8yj9ODd8JYhk2nHVHcQWITO3RWkEyg41DftQtiDbJSlR7SfUDP +U5gzyW69WISiH7GRgfucS0f0qxx4BVBlULvLitTl5631HnRmSivBIZpNSW01O1v8 +hpwwPaBjww1czCkgGgdg1wKBgQCkaSdTW/bX+z9lpvzWWnc5TN/uSJRpTW1Osphh +4C8WWeQvwvglfiDOZAWAQv5PWKQ9H4+v9P4Y9TSdLcpv0JrKuqxPabcc1xfyei6o +89hLbecc6vDZsfOWkowx8Oo6DDX+Qh3Nt+TorXxocBXV8vvqnkEV7ZbWuhwz2gHT +2gyMaQKBgEE7rNzm8Q03IqQ08eYaRw8gWz8EpLeVebrGqtoH9AR5cd4OeTeZAEqc +iPehXctke2pUgS47XgG98G7Yg3E9UuOYM+H2nzQCoT7jrM0dZrVGZ0ty7z1a8QGe +UrjaAC/cyIGdszhf0Rf3qA7450nit9Txh+ilLiumgnUezl+eJXyI +-----END RSA PRIVATE KEY-----