Adds option to disable SSL certificate validation while connecting to S3

.gitignore

@@ -18,4 +18,5 @@ main
 out/
 .build/
 .idea/
+.vscode/
 *.iml

README.md

@@ -668,15 +668,16 @@ snapshots:
 
 ##### Configuration Options
 
-| Key            | Type                                             | Required/*Default*           | Description                                                                                                       |
-| -------------- | ------------------------------------------------ | ---------------------------- | ----------------------------------------------------------------------------------------------------------------- |
-| `endpoint`     | String                                           | **required**                 | S3 compatible storage endpoint (ex: my-storage.example.com)                                                       |
-| `bucket`       | String                                           | **required**                 | bucket to store snapshots in                                                                                      |
-| `accessKeyId`  | [Secret](#secrets-and-external-property-sources) | *env://S3_ACCESS_KEY_ID*     | specifies the access key                                                                                          |
-| `accessKey`    | [Secret](#secrets-and-external-property-sources) | *env://S3_SECRET_ACCESS_KEY* | specifies the secret access key; **must resolve to non-empty value if accessKeyId resolves to a non-empty value** |
-| `sessionToken` | [Secret](#secrets-and-external-property-sources) | *env://S3_SESSION_TOKEN*     | specifies the session token                                                                                       |
-| `region`       | [Secret](#secrets-and-external-property-sources) |                              | S3 region if it is required                                                                                       |
-| `insecure`     | Boolean                                          | *false*                      | whether to connect using https (false) or not                                                                     |
+| Key             | Type                                             | Required/*Default*           | Description                                                                                                       |
+| --------------- | ------------------------------------------------ | ---------------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| `endpoint`      | String                                           | **required**                 | S3 compatible storage endpoint (ex: my-storage.example.com)                                                       |
+| `bucket`        | String                                           | **required**                 | bucket to store snapshots in                                                                                      |
+| `accessKeyId`   | [Secret](#secrets-and-external-property-sources) | *env://S3_ACCESS_KEY_ID*     | specifies the access key                                                                                          |
+| `accessKey`     | [Secret](#secrets-and-external-property-sources) | *env://S3_SECRET_ACCESS_KEY* | specifies the secret access key; **must resolve to non-empty value if accessKeyId resolves to a non-empty value** |
+| `sessionToken`  | [Secret](#secrets-and-external-property-sources) | *env://S3_SESSION_TOKEN*     | specifies the session token                                                                                       |
+| `region`        | [Secret](#secrets-and-external-property-sources) |                              | S3 region if it is required                                                                                       |
+| `insecure`      | Boolean                                          | *false*                      | whether to connect using https (false) or not                                                                     |
+| `skipSSLVerify` | Boolean                                          | *false*                      | disable SSL certificate validation (true) or not                                                                    
 
 Any common [snapshot configuration option](#snapshot-configuration) overrides the global snapshot-configuration.
 

internal/agent/snapshot-agent-config_test.go

@@ -143,6 +143,7 @@ func TestReadCompleteConfig(t *testing.T) {
 					SessionToken: "test-s3-token",
 					Region:       "test-s3-region",
 					Insecure:     true,
+					SkipSSLVerify: true,
 				},
 			},
 		},

internal/agent/storage/s3.go

@@ -2,14 +2,17 @@ package storage
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
 	"github.com/Argelbargel/vault-raft-snapshot-agent/internal/agent/config/secret"
 	"github.com/Argelbargel/vault-raft-snapshot-agent/internal/agent/logging"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
-	"io"
-	"strings"
-	"time"
 )
 
 type S3StorageConfig struct {
@@ -21,6 +24,7 @@ type S3StorageConfig struct {
 	SessionToken            secret.Secret `default:"env://S3_SESSION_TOKEN"`
 	Region                  secret.Secret
 	Insecure                bool
+	SkipSSLVerify           bool
 	Empty                   bool
 }
 
@@ -71,9 +75,10 @@ func (conf S3StorageConfig) createClient(ctx context.Context) (*minio.Client, er
 	}
 
 	client, err := minio.New(conf.Endpoint, &minio.Options{
-		Creds:  credentials.NewStaticV4(accessKeyId, accessKey, sessionToken),
-		Secure: !conf.Insecure,
-		Region: region,
+		Creds:     credentials.NewStaticV4(accessKeyId, accessKey, sessionToken),
+		Secure:    !conf.Insecure,
+		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: conf.SkipSSLVerify}},
+		Region:    region,
 	})
 	if err != nil {
 		return nil, err

testdata/complete.yaml

@@ -82,5 +82,6 @@ snapshots:
       sessionToken: test-s3-token
       region: test-s3-region
       insecure: true
+      skipSSLVerify: true