Merge pull request ManageIQ#1081 from bdunne/ssl_verify
Add a CRD field to replace InsecureSkipVerify=true
Fryguy authored Apr 23, 2024
2 parents d142b3b + 485c443 commit 5a376e9
Showing 5 changed files with 30 additions and 3 deletions.
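--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go
@@ -218,6 +218,14 @@ func memcachedSlabPageSize(cr *miqv1alpha1.ManageIQ) string {
 }
 }
 
+func oidcOAuthIntrospectionSSLVerify(cr *miqv1alpha1.ManageIQ) bool {
+if cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil {
+return true
+} else {
+return *cr.Spec.OIDCOAuthIntrospectionSSLVerify
+}
+}
+
 func orchestratorImage(cr *miqv1alpha1.ManageIQ) string {
 if cr.Spec.OrchestratorImage == "" {
 return orchestratorImageNamespace(cr) + "/" + orchestratorImageName(cr) + ":" + orchestratorImageTag(cr)
@@ -351,6 +359,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 varEnableApplicationLocalLogin := enableApplicationLocalLogin(cr)
 varEnableSSO := enableSSO(cr)
 varEnforceWorkerResourceConstraints := enforceWorkerResourceConstraints(cr)
+varOIDCOAuthIntrospectionSSLVerify := oidcOAuthIntrospectionSSLVerify(cr)
 
 cr.Spec.AppName = appName(cr)
 cr.Spec.BackupLabelName = backupLabelName(cr)
@@ -370,6 +379,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 cr.Spec.MemcachedMaxConnection = memcachedMaxConnection(cr)
 cr.Spec.MemcachedMaxMemory = memcachedMaxMemory(cr)
 cr.Spec.MemcachedSlabPageSize = memcachedSlabPageSize(cr)
+cr.Spec.OIDCOAuthIntrospectionSSLVerify = &varOIDCOAuthIntrospectionSSLVerify
 cr.Spec.OrchestratorImage = orchestratorImage(cr)
 cr.Spec.OrchestratorInitialDelay = orchestratorInitialDelay(cr)
 cr.Spec.PostgresqlImage = postgresqlImage(cr)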
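Review bot: oidcOAuthIntrospectionSSLVerify uses an `else` after a terminating `return`, which compiles but is the shape `staticcheck`/`golint` flag; the idiomatic form is `if v := cr.Spec.OIDCOAuthIntrospectionSSLVerify; v != nil { return *v }` followed by `return true`. Defaulting to true is the right secure-by-default choice, and since ManageCR writes the resolved pointer back into the spec, a reconciled CR will show the effective value explicitly rather than an absent field. Note that this defaulting only happens inside ManageCR, so any code that reads the field before ManageCR has run still has to treat nil as true itself. ManageCR's body continues outside the hunk.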
Expand Up @@ -150,7 +150,7 @@ func Ingress(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*networkingv1.In

func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, client client.Client) (*corev1.ConfigMap, controllerutil.MutateFn, error) {
if cr.Spec.HttpdAuthenticationType == "openid-connect" && cr.Spec.OIDCProviderURL != "" && cr.Spec.OIDCOAuthIntrospectionURL == "" {
introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL)
introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, *cr.Spec.OIDCOAuthIntrospectionSSLVerify)
if err != nil {
return nil, nil, err
}
Expand Down Expand Up @@ -659,9 +659,9 @@ func tlsSecretName(cr *miqv1alpha1.ManageIQ) string {
return secretName
}

func fetchIntrospectionUrl(providerUrl string) (string, error) {
func fetchIntrospectionUrl(providerUrl string, sslVerify bool) (string, error) {
customTransport := http.DefaultTransport.(*http.Transport).Clone()
customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !sslVerify}
client := &http.Client{Transport: customTransport}
errMsg := fmt.Sprintf("failed to get the OIDCOAuthIntrospectionURL from %s", providerUrl)

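Review bot: `*cr.Spec.OIDCOAuthIntrospectionSSLVerify` in HttpdConfigMap is dereferenced unconditionally, so a nil pointer (a CR that has not yet been through the defaulting in ManageCR, or any caller that builds the spec directly) panics the reconciler instead of falling back to the documented default of true. Resolve it nil-safely at the call site, e.g. `sslVerify := cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil || *cr.Spec.OIDCOAuthIntrospectionSSLVerify`, and pass `sslVerify` to fetchIntrospectionUrl. When verification is disabled, the introspection URL that ends up in the httpd config is learned over an unauthenticated TLS connection and can be substituted on the network, so I would log a warning at that point so that operators can see the weakened trust in the operator logs. fetchIntrospectionUrl's body continues past the hunk; the `http.Client` it builds is visible here without a Timeout, which is pre-existing but worth fixing while the transport is being touched.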
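--- a/manageiq-operator/api/v1alpha1/manageiq_types.go
+++ b/manageiq-operator/api/v1alpha1/manageiq_types.go
@@ -235,6 +235,12 @@ type ManageIQSpec struct {
 // +optional
 OIDCOAuthIntrospectionURL string `json:"oidcAuthIntrospectionURL,omitempty"`
 
+// Enable or disable SSL verification for OIDC authentication introspection
+// Only used with the openid-connect authentication type.
+// If not specified, defaults to true
+// +optional
+OIDCOAuthIntrospectionSSLVerify *bool `json:"oidcOAuthIntrospectionSSLVerify,omitempty"`
+
 // URL for the OIDC provider
 // Only used with the openid-connect authentication type
 // +optional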
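Review bot: The doc comment on OIDCOAuthIntrospectionSSLVerify says what the field toggles but not what a user gives up by setting it to false, and since this text is copied verbatim into the CRD description it is the only warning an operator will see; I would add `// Set to false only when the provider uses a certificate the operator cannot validate; it disables certificate verification for the fetch of the introspection URL from the provider, so that response can be tampered with on the network.` Separately, the new JSON tag is `oidcOAuthIntrospectionSSLVerify` while the sibling field just above is tagged `oidcAuthIntrospectionURL` (no "O"), so the two related knobs will have inconsistent spellings in the CR; that is worth settling before the field ships, because renaming a CRD field later is a breaking API change. The ManageIQSpec struct continues outside the hunk.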
5 changes: 5 additions & 0 deletions manageiq-operator/api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -228,6 +228,12 @@ spec:
Secret name containing the OIDC client id and secret
Only used with the openid-connect authentication type
type: string
oidcOAuthIntrospectionSSLVerify:
description: |-
Enable or disable SSL verification for OIDC authentication introspection
Only used with the openid-connect authentication type.
If not specified, defaults to true
type: boolean
oidcProviderURL:
description: |-
URL for the OIDC provider
