ManageIQ · bdunne · Jul 2, 2024 · Feb 9, 2022 · Jul 2, 2024 · Jul 2, 2024
@@ -0,0 +1,31 @@
+---
+name: CI
+on:
+  push:
+  pull_request:
+  schedule:
+  - cron: 0 0 * * *
+  workflow_dispatch:
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version:
+        - '3.1'
+    steps:
+    - uses: actions/checkout@v4
+    - name: Before install
+      run: bin/before_install
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: "${{ matrix.ruby-version }}"
+        bundler-cache: true
+      timeout-minutes: 30
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: manageiq-operator/go.mod
+    - name: Run ruby tests
+      run: bundle exec rake
@@ -1,8 +1,10 @@
 # Deploy ManageIQ on OpenShift
 
-[![Build Status](https://travis-ci.com/ManageIQ/manageiq-pods.svg?branch=morphy)](https://travis-ci.com/ManageIQ/manageiq-pods)
+[![CI](https://github.com/ManageIQ/manageiq-pods/actions/workflows/ci.yaml/badge.svg)](https://github.com/ManageIQ/manageiq-pods/actions/workflows/ci.yaml)
 [![Join the chat at https://gitter.im/ManageIQ/manageiq-pods](https://badges.gitter.im/ManageIQ/manageiq-pods.svg)](https://gitter.im/ManageIQ/manageiq-pods?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
+[![Build history for master branch](https://buildstats.info/github/chart/ManageIQ/manageiq-pods?branch=master&buildCount=50&includeBuildsFromPullRequest=false&showstats=false)](https://github.com/ManageIQ/manageiq-pods/actions?query=branch%3Amaster)
+
 **This guide will demo deploying ManageIQ in OpenShift as its example use-case but this method could actually be used in a different container cluster environment**
 
 ## Purpose

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [ -n "$CI" ]; then
+  echo "== Installing operator-sdk =="
+  curl -L https://github.com/operator-framework/operator-sdk/releases/download/v0.18.2/operator-sdk-v0.18.2-$(uname -m)-linux-gnu -o /usr/local/bin/operator-sdk
+  chmod +x /usr/local/bin/operator-sdk
+fi
@@ -0,0 +1,5 @@
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
@@ -204,6 +204,12 @@ spec:
                 description: Secret name containing the OIDC client id and secret
                   Only used with the openid-connect authentication type
                 type: string
+              oidcOAuthIntrospectionSSLVerify:
+                description: |-
+                  Enable or disable SSL verification for OIDC authentication introspection
+                  Only used with the openid-connect authentication type.
+                  If not specified, defaults to true
+                type: boolean
               oidcProviderURL:
                 description: URL for the OIDC provider Only used with the openid-connect
                   authentication type

@@ -211,6 +211,12 @@ type ManageIQSpec struct {
 	// +optional
 	OIDCOAuthIntrospectionURL string `json:"oidcAuthIntrospectionURL,omitempty"`
 
+	// Enable or disable SSL verification for OIDC authentication introspection
+	// Only used with the openid-connect authentication type.
+	// If not specified, defaults to true
+	// +optional
+	OIDCOAuthIntrospectionSSLVerify *bool `json:"oidcOAuthIntrospectionSSLVerify,omitempty"`
+
 	// URL for the OIDC provider
 	// Only used with the openid-connect authentication type
 	// +optional

@@ -218,6 +218,14 @@ func memcachedSlabPageSize(cr *miqv1alpha1.ManageIQ) string {
 	}
 }
 
+func oidcOAuthIntrospectionSSLVerify(cr *miqv1alpha1.ManageIQ) bool {
+	if cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil {
+		return true
+	} else {
+		return *cr.Spec.OIDCOAuthIntrospectionSSLVerify
+	}
+}
+
 func orchestratorImage(cr *miqv1alpha1.ManageIQ) string {
 	if cr.Spec.OrchestratorImage == "" {
 		return orchestratorImageNamespace(cr) + "/" + orchestratorImageName(cr) + ":" + orchestratorImageTag(cr)
@@ -351,6 +359,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 		varEnableApplicationLocalLogin := enableApplicationLocalLogin(cr)
 		varEnableSSO := enableSSO(cr)
 		varEnforceWorkerResourceConstraints := enforceWorkerResourceConstraints(cr)
+		varOIDCOAuthIntrospectionSSLVerify := oidcOAuthIntrospectionSSLVerify(cr)
 
 		cr.Spec.AppName = appName(cr)
 		cr.Spec.BackupLabelName = backupLabelName(cr)
@@ -370,6 +379,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 		cr.Spec.MemcachedMaxConnection = memcachedMaxConnection(cr)
 		cr.Spec.MemcachedMaxMemory = memcachedMaxMemory(cr)
 		cr.Spec.MemcachedSlabPageSize = memcachedSlabPageSize(cr)
+		cr.Spec.OIDCOAuthIntrospectionSSLVerify = &varOIDCOAuthIntrospectionSSLVerify
 		cr.Spec.OrchestratorImage = orchestratorImage(cr)
 		cr.Spec.OrchestratorInitialDelay = orchestratorInitialDelay(cr)
 		cr.Spec.PostgresqlImage = postgresqlImage(cr)

@@ -95,7 +95,7 @@ func Ingress(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*networkingv1.In
 
 func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ConfigMap, controllerutil.MutateFn, error) {
 	if cr.Spec.HttpdAuthenticationType == "openid-connect" && cr.Spec.OIDCProviderURL != "" && cr.Spec.OIDCOAuthIntrospectionURL == "" {
-		introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL)
+		introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, *cr.Spec.OIDCOAuthIntrospectionSSLVerify)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -585,9 +585,9 @@ func tlsSecretName(cr *miqv1alpha1.ManageIQ) string {
 	return secretName
 }
 
-func fetchIntrospectionUrl(providerUrl string) (string, error) {
+func fetchIntrospectionUrl(providerUrl string, sslVerify bool) (string, error) {
 	customTransport := http.DefaultTransport.(*http.Transport).Clone()
-	customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !sslVerify}
 	client := &http.Client{Transport: customTransport}
 	errMsg := fmt.Sprintf("failed to get the OIDCOAuthIntrospectionURL from %s", providerUrl)