From 5cb158d3130ac4f68d2923c198fa602116fe33f9 Mon Sep 17 00:00:00 2001 From: Johannes 'fish' Ziemke Date: Thu, 27 Feb 2020 21:02:07 +0100 Subject: [PATCH] minio: Set secure=true to enable TLS by default (#3168) * minio: Set secure=true to enable TLS by default Not using TLS is a security concern, especially if using cloud storage like S3. This should be set to secure to avoid people unknowingly not using TLS. To make the bundled minio still work, I've submitted https://github.com/kubeflow/manifests/pull/950 to set secure=false in this case explicitly. * minio: secure=false in GCP & standalone manifests --- backend/src/apiserver/client_manager.go | 2 +- .../chart/kubeflow-pipelines/templates/pipeline.yaml | 2 ++ .../base/pipeline/ml-pipeline-apiserver-deployment.yaml | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/backend/src/apiserver/client_manager.go b/backend/src/apiserver/client_manager.go
index 03bcb68a1df..97f38c81ec7 100644
--- a/backend/src/apiserver/client_manager.go
+++ b/backend/src/apiserver/client_manager.go
@@ -324,7 +324,7 @@ func initMinioClient(initConnectionTimeout time.Duration) storage.ObjectStoreInt
 minioServiceRegion := common.GetStringConfigWithDefault(
 "ObjectStoreConfig.Region", os.Getenv(minioServiceRegion))
 minioServiceSecure := common.GetBoolConfigWithDefault(
- "ObjectStoreConfig.Secure", common.GetBoolFromStringWithDefault(os.Getenv(minioServiceSecure), false))
+ "ObjectStoreConfig.Secure", common.GetBoolFromStringWithDefault(os.Getenv(minioServiceSecure), true))
 accessKey := common.GetStringConfigWithDefault("ObjectStoreConfig.AccessKey", "")
 secretKey := common.GetStringConfigWithDefault("ObjectStoreConfig.SecretAccessKey", "")
 bucketName := common.GetStringConfigWithDefault("ObjectStoreConfig.BucketName", os.Getenv(pipelineBucketName))
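Review bot: The new `true` default on the `minioServiceSecure` line is a silent behaviour change for any deployment that relied on the old implicit `false`: after upgrade, a plain-HTTP object store will presumably fail to connect until `initConnectionTimeout` expires, and nothing in this hunk tells the operator why. I would add a comment above the call, e.g. `// TLS is on unless ObjectStoreConfig.Secure (or the env fallback) is explicitly false; plaintext must be opted into.`, and log the resolved `minioServiceSecure` value once at startup so a TLS/plaintext mismatch is diagnosable from the API server log. It is also worth confirming that an unparseable env value now resolves to `true` rather than `false`, since the fallback argument is the only thing visible here. initMinioClient's body starts and continues outside the hunk, so an existing log line may already cover part of this.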
diff --git a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
index a4c0cf49842..41e31a31210 100644
--- a/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
+++ b/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
@@ -666,6 +666,8 @@ spec:
 {{ if .Values.managedstorage.enabled }}
 - name: OBJECTSTORECONFIG_BUCKETNAME
 value: '{{ tpl .Values.managedstorage.gcsBucketName . }}'
+ - name: OBJECTSTORECONFIG_SECURE
+ value: "false"
 - name: DBCONFIG_DBNAME
 {{ if .Values.managedstorage.databaseNamePrefix }}
 value: '{{ .Values.managedstorage.databaseNamePrefix }}_pipeline'
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
index ff92d56fc56..d01dbb842de 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
@@ -19,6 +19,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: OBJECTSTORECONFIG_SECURE
+ value: "false"
 image: gcr.io/ml-pipeline/api-server:0.1.27
 imagePullPolicy: IfNotPresent
 name: ml-pipeline-api-server
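Review bot: The added `OBJECTSTORECONFIG_SECURE` entry sits inside the `{{ if .Values.managedstorage.enabled }}` block (no `{{ end }}` appears between that line and the addition), so it is only emitted when managed storage is enabled. With managed storage off, the API server would fall back to the new TLS-by-default behaviour, which the commit message implies the bundled MinIO cannot serve. If that reading is right, the two lines `- name: OBJECTSTORECONFIG_SECURE` / `value: "false"` belong above the `{{ if }}` so they apply in both modes. Either way, a comment such as `# in-cluster object store endpoint is plain HTTP; set "true" when pointing at a TLS endpoint` would record why plaintext is chosen here. The env list starts and ends outside the hunk.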
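Review bot: Hard-coding `OBJECTSTORECONFIG_SECURE` to `"false"` in the kustomize base means any overlay built on `ml-pipeline-apiserver-deployment.yaml` inherits plaintext object-store traffic, including one that points the API server at an external S3-compatible endpoint, which is the case the commit message is worried about. I would add a comment above the entry, e.g. `# Bundled in-cluster MinIO serves plain HTTP; overlays using an external object store must override this to "true".` Consider moving the override into the overlay that actually deploys the bundled MinIO, so the base keeps the secure default. The container spec starts and continues outside the hunk.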