Make InsecureSkipVerify controlled by a CR field

ManageIQ · Apr 17, 2024 · 485c443 · 485c443
1 parent 30ecf37
commit 485c443
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 3 deletions.
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go
@@ -218,6 +218,14 @@ func memcachedSlabPageSize(cr *miqv1alpha1.ManageIQ) string {
 	}
 }
 
+func oidcOAuthIntrospectionSSLVerify(cr *miqv1alpha1.ManageIQ) bool {
+	if cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil {
+		return true
+	} else {
+		return *cr.Spec.OIDCOAuthIntrospectionSSLVerify
+	}
+}
+
 func orchestratorImage(cr *miqv1alpha1.ManageIQ) string {
 	if cr.Spec.OrchestratorImage == "" {
 		return orchestratorImageNamespace(cr) + "/" + orchestratorImageName(cr) + ":" + orchestratorImageTag(cr)
@@ -351,6 +359,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 		varEnableApplicationLocalLogin := enableApplicationLocalLogin(cr)
 		varEnableSSO := enableSSO(cr)
 		varEnforceWorkerResourceConstraints := enforceWorkerResourceConstraints(cr)
+		varOIDCOAuthIntrospectionSSLVerify := oidcOAuthIntrospectionSSLVerify(cr)
 
 		cr.Spec.AppName = appName(cr)
 		cr.Spec.BackupLabelName = backupLabelName(cr)
@@ -370,6 +379,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 		cr.Spec.MemcachedMaxConnection = memcachedMaxConnection(cr)
 		cr.Spec.MemcachedMaxMemory = memcachedMaxMemory(cr)
 		cr.Spec.MemcachedSlabPageSize = memcachedSlabPageSize(cr)
+		cr.Spec.OIDCOAuthIntrospectionSSLVerify = &varOIDCOAuthIntrospectionSSLVerify
 		cr.Spec.OrchestratorImage = orchestratorImage(cr)
 		cr.Spec.OrchestratorInitialDelay = orchestratorInitialDelay(cr)
 		cr.Spec.PostgresqlImage = postgresqlImage(cr)

diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
@@ -150,7 +150,7 @@ func Ingress(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*networkingv1.In
 
 func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, client client.Client) (*corev1.ConfigMap, controllerutil.MutateFn, error) {
 	if cr.Spec.HttpdAuthenticationType == "openid-connect" && cr.Spec.OIDCProviderURL != "" && cr.Spec.OIDCOAuthIntrospectionURL == "" {
-		introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL)
+		introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, *cr.Spec.OIDCOAuthIntrospectionSSLVerify)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -659,9 +659,9 @@ func tlsSecretName(cr *miqv1alpha1.ManageIQ) string {
 	return secretName
 }
 
-func fetchIntrospectionUrl(providerUrl string) (string, error) {
+func fetchIntrospectionUrl(providerUrl string, sslVerify bool) (string, error) {
 	customTransport := http.DefaultTransport.(*http.Transport).Clone()
-	customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !sslVerify}
 	client := &http.Client{Transport: customTransport}
 	errMsg := fmt.Sprintf("failed to get the OIDCOAuthIntrospectionURL from %s", providerUrl)
 

diff --git a/manageiq-operator/api/v1alpha1/manageiq_types.go b/manageiq-operator/api/v1alpha1/manageiq_types.go
@@ -235,6 +235,12 @@ type ManageIQSpec struct {
 	// +optional
 	OIDCOAuthIntrospectionURL string `json:"oidcAuthIntrospectionURL,omitempty"`
 
+	// Enable or disable SSL verification for OIDC authentication introspection
+	// Only used with the openid-connect authentication type.
+	// If not specified, defaults to true
+	// +optional
+	OIDCOAuthIntrospectionSSLVerify *bool `json:"oidcOAuthIntrospectionSSLVerify,omitempty"`
+
 	// URL for the OIDC provider
 	// Only used with the openid-connect authentication type
 	// +optional

diff --git a/manageiq-operator/api/v1alpha1/zz_generated.deepcopy.go b/manageiq-operator/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml b/manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml
@@ -228,6 +228,12 @@ spec:
                   Secret name containing the OIDC client id and secret
                   Only used with the openid-connect authentication type
                 type: string
+              oidcOAuthIntrospectionSSLVerify:
+                description: |-
+                  Enable or disable SSL verification for OIDC authentication introspection
+                  Only used with the openid-connect authentication type.
+                  If not specified, defaults to true
+                type: boolean
               oidcProviderURL:
                 description: |-
                   URL for the OIDC provider