Support both http and http. If https is enabled, http will be disabled.

client/client.go

@@ -17,6 +17,7 @@ package client
 import (
 	"errors"
 	"log"
+	"net/url"
 	"strings"
 
 	"github.com/opensds/opensds/pkg/utils/constants"
@@ -26,6 +27,11 @@ const (
 	OpensdsEndpoint = "OPENSDS_ENDPOINT"
 )
 
+var (
+	httpsEnabled bool
+	cacert       string
+)
+
 // Client is a struct for exposing some operations of opensds resources.
 type Client struct {
 	*ProfileMgr
@@ -41,6 +47,8 @@ type Client struct {
 // Config is a struct that defines some options for calling the Client.
 type Config struct {
 	Endpoint    string
+	CACert      string
+	EnableHTTPS bool
 	AuthOptions AuthOptions
 }
 
@@ -52,6 +60,22 @@ func NewClient(c *Config) *Client {
 		log.Printf("Warnning: OpenSDS Endpoint is not specified using the default value(%s)", c.Endpoint)
 	}
 
+	if c.EnableHTTPS {
+		if c.CACert == "" {
+			log.Printf("If https is enabled, CA cert file should be provided.")
+			return nil
+		}
+
+		u, _ := url.Parse(c.Endpoint)
+		if u.Scheme != "https" {
+			log.Printf("If https is enabled, the scheme of the url should be https.")
+			return nil
+		}
+
+		httpsEnabled = true
+		cacert = c.CACert
+	}
+
 	var r Receiver
 	switch c.AuthOptions.(type) {
 	case *NoAuthOptions:

client/receiver.go

@@ -96,7 +96,11 @@ func customVerify(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
 
 func request(url string, method string, headers HeaderOption, input interface{}, output interface{}) error {
 	req := httplib.NewBeegoRequest(url, strings.ToUpper(method))
-	req.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: customVerify})
+
+	if httpsEnabled && cacert != "" {
+		req.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: customVerify})
+	}
+
 	// Set the request timeout a little bit longer upload snapshot to cloud temporarily.
 	req.SetTimeout(time.Minute*6, time.Minute*6)
 	// init body

cmd/osdslet/osdslet.go

@@ -53,5 +53,5 @@ func main() {
 	c.Brain = c.NewController()
 
 	// Start OpenSDS northbound REST service.
-	api.Run(CONF.OsdsLet.ApiEndpoint, CONF.OsdsLet.BeegoHTTPSKeyFile, CONF.OsdsLet.BeegoHTTPSCertFile)
+	api.Run(CONF.OsdsLet)
 }

pkg/api/router.go

@@ -31,6 +31,7 @@ import (
 	"github.com/opensds/opensds/pkg/api/filter/accesslog"
 	"github.com/opensds/opensds/pkg/api/filter/auth"
 	"github.com/opensds/opensds/pkg/api/filter/context"
+	cfg "github.com/opensds/opensds/pkg/utils/config"
 	"github.com/opensds/opensds/pkg/utils/constants"
 )
 
@@ -41,7 +42,7 @@ const (
 	StatusAccepted = http.StatusAccepted
 )
 
-func Run(host, key, cert string) {
+func Run(osdsletCfg cfg.OsdsLet) {
 
 	// add router for v1beta api
 	ns :=
@@ -51,6 +52,12 @@ func Run(host, key, cert string) {
 				if ctx.Input.Scheme() != "http" && ctx.Input.Scheme() != "https" {
 					return false
 				}
+
+				if osdsletCfg.EnableHTTPS == true {
+					if ctx.Input.Scheme() != "https" || osdsletCfg.BeegoHTTPSCertFile == "" || osdsletCfg.BeegoHTTPSKeyFile == "" {
+						return false
+					}
+				}
 				return true
 			}),
 
@@ -116,30 +123,33 @@ func Run(host, key, cert string) {
 	beego.Router("/", &VersionPortal{}, "get:ListVersions")
 	beego.Router("/:apiVersion", &VersionPortal{}, "get:GetVersion")
 
-	// beego https config
-	beego.BConfig.Listen.EnableHTTP = false
-	beego.BConfig.Listen.EnableHTTPS = true
-	strs := strings.Split(host, ":")
-	beego.BConfig.Listen.HTTPSAddr = strs[AddressIdx]
-	beego.BConfig.Listen.HTTPSPort, _ = strconv.Atoi(strs[PortIdx])
-	beego.BConfig.Listen.HTTPSCertFile = cert
-	beego.BConfig.Listen.HTTPSKeyFile = key
+	if osdsletCfg.EnableHTTPS == true {
+		// beego https config
+		beego.BConfig.Listen.EnableHTTP = false
+		beego.BConfig.Listen.EnableHTTPS = true
+		strs := strings.Split(osdsletCfg.ApiEndpoint, ":")
+		beego.BConfig.Listen.HTTPSAddr = strs[AddressIdx]
+		beego.BConfig.Listen.HTTPSPort, _ = strconv.Atoi(strs[PortIdx])
+		beego.BConfig.Listen.HTTPSCertFile = osdsletCfg.BeegoHTTPSCertFile
+		beego.BConfig.Listen.HTTPSKeyFile = osdsletCfg.BeegoHTTPSKeyFile
+		tlsConfig := &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			},
+		}
+
+		beego.BeeApp.Server.TLSConfig = tlsConfig
+	}
+
 	beego.BConfig.Listen.ServerTimeOut = constants.BeegoServerTimeOut
 	beego.BConfig.CopyRequestBody = true
 	beego.BConfig.EnableErrorsShow = false
 	beego.BConfig.EnableErrorsRender = false
 	beego.BConfig.WebConfig.AutoRender = false
-	tlsConfig := &tls.Config{
-		MinVersion: tls.VersionTLS12,
-		CipherSuites: []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		},
-	}
-
-	beego.BeeApp.Server.TLSConfig = tlsConfig
 
 	// start service
-	beego.Run(host)
+	beego.Run(osdsletCfg.ApiEndpoint)
 }

pkg/utils/config/config_define.go

@@ -26,6 +26,7 @@ type OsdsLet struct {
 	Daemon             bool          `conf:"daemon,false"`
 	PolicyPath         string        `conf:"policy_path,/etc/opensds/policy.json"`
 	LogFlushFrequency  time.Duration `conf:"log_flush_frequency,5s"` // Default value is 5s
+	EnableHTTPS        bool          `conf:"enable_https,false"`
 	BeegoHTTPSCertFile string        `conf:"beego_https_cert_file,/opt/opensds-security/opensds/opensds-cert.pem"`
 	BeegoHTTPSKeyFile  string        `conf:"beego_https_key_file,/opt/opensds-security/opensds/opensds-key.pem"`
 }

pkg/utils/constants/constants.go

@@ -19,7 +19,7 @@ const (
 	// exactly precision to seconds.
 	TimeFormat = `2006-01-02T15:04:05`
 
-	DefaultOpensdsEndpoint = "https://localhost:50040"
+	DefaultOpensdsEndpoint = "http://localhost:50040"
 
 	// This is set for None Auth
 	DefaultTenantId = "e93b4c0934da416eb9c8d120c5d04d96"

script/devsds/lib/opensds.sh

@@ -21,14 +21,18 @@ set +o xtrace
 
 
 osds:opensds:configuration(){
-# Set global configuration.
+# Set global configuration. If https is enabled(True), the default value of cert file
+# is /opt/opensds-security/opensds/opensds-cert.pem, and key file is /opt/opensds-security/opensds/opensds-key.pem
 cat >> $OPENSDS_CONFIG_DIR/opensds.conf << OPENSDS_GLOBAL_CONFIG_DOC
 [osdslet]
 api_endpoint = 0.0.0.0:50040
 graceful = True
 log_file = /var/log/opensds/osdslet.log
 socket_order = inc
 auth_strategy = $OPENSDS_AUTH_STRATEGY
+enable_https = False
+beego_https_cert_file = ""
+beego_https_key_file = ""
 
 [osdsdock]
 api_endpoint = $HOST_IP:50050
@@ -61,7 +65,7 @@ osds::opensds::install(){
         $xtrace
     fi
     export OPENSDS_AUTH_STRATEGY=$OPENSDS_AUTH_STRATEGY
-    export OPENSDS_ENDPOINT=https://localhost:50040
+    export OPENSDS_ENDPOINT=http://localhost:50040
     build/out/bin/osdsctl profile create '{"name": "default", "description": "default policy"}'
     # Copy bash completion script to system.
     cp ${OPENSDS_DIR}/osdsctl/completion/osdsctl.bash_completion /etc/bash_completion.d/

test/e2e/e2e_test.go

@@ -31,7 +31,7 @@ import (
 
 var (
 	c = client.NewClient(&client.Config{
-		Endpoint:    "https://localhost:50040",
+		Endpoint:    "http://localhost:50040",
 		AuthOptions: client.NewNoauthOptions(constants.DefaultTenantId)})
 
 	localIqn  = "iqn.2017-10.io.opensds:volume:00000001"

test/e2e/e2ef_test.go

@@ -30,7 +30,7 @@ import (
 )
 
 var u = client.NewClient(&client.Config{
-	Endpoint:    "https://localhost:50040",
+	Endpoint:    "http://localhost:50040",
 	AuthOptions: client.NewNoauthOptions(constants.DefaultTenantId)})
 
 //init Create Profile

test/integration/client_test.go

@@ -27,7 +27,7 @@ import (
 )
 
 var c = client.NewClient(&client.Config{
-	Endpoint:    "https://localhost:50040",
+	Endpoint:    "http://localhost:50040",
 	AuthOptions: client.NewNoauthOptions(constants.DefaultTenantId)})
 
 func TestClientCreateProfile(t *testing.T) {