Merge pull request ManageIQ#1081 from bdunne/ssl_verify

Add a CRD field to replace InsecureSkipVerify=true (cherry picked from commit 5a376e9) # Conflicts: # manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml # manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go
bdunne · Jul 2, 2024 · f83210c · f83210c
1 parent ec4e28b
commit f83210c
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 3 deletions.
diff --git a/manageiq-operator/deploy/crds/manageiq.org_manageiqs_crd.yaml b/manageiq-operator/deploy/crds/manageiq.org_manageiqs_crd.yaml
@@ -204,6 +204,12 @@ spec:
                 description: Secret name containing the OIDC client id and secret
                   Only used with the openid-connect authentication type
                 type: string
+              oidcOAuthIntrospectionSSLVerify:
+                description: |-
+                  Enable or disable SSL verification for OIDC authentication introspection
+                  Only used with the openid-connect authentication type.
+                  If not specified, defaults to true
+                type: boolean
               oidcProviderURL:
                 description: URL for the OIDC provider Only used with the openid-connect
                   authentication type

diff --git a/manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go b/manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go
@@ -211,6 +211,12 @@ type ManageIQSpec struct {
 	// +optional
 	OIDCOAuthIntrospectionURL string `json:"oidcAuthIntrospectionURL,omitempty"`
 
+	// Enable or disable SSL verification for OIDC authentication introspection
+	// Only used with the openid-connect authentication type.
+	// If not specified, defaults to true
+	// +optional
+	OIDCOAuthIntrospectionSSLVerify *bool `json:"oidcOAuthIntrospectionSSLVerify,omitempty"`
+
 	// URL for the OIDC provider
 	// Only used with the openid-connect authentication type
 	// +optional

diff --git a/manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go b/manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go
diff --git a/manageiq-operator/pkg/helpers/miq-components/cr.go b/manageiq-operator/pkg/helpers/miq-components/cr.go
@@ -218,6 +218,14 @@ func memcachedSlabPageSize(cr *miqv1alpha1.ManageIQ) string {
 	}
 }
 
+func oidcOAuthIntrospectionSSLVerify(cr *miqv1alpha1.ManageIQ) bool {
+	if cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil {
+		return true
+	} else {
+		return *cr.Spec.OIDCOAuthIntrospectionSSLVerify
+	}
+}
+
 func orchestratorImage(cr *miqv1alpha1.ManageIQ) string {
 	if cr.Spec.OrchestratorImage == "" {
 		return orchestratorImageNamespace(cr) + "/" + orchestratorImageName(cr) + ":" + orchestratorImageTag(cr)
@@ -351,6 +359,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 		varEnableApplicationLocalLogin := enableApplicationLocalLogin(cr)
 		varEnableSSO := enableSSO(cr)
 		varEnforceWorkerResourceConstraints := enforceWorkerResourceConstraints(cr)
+		varOIDCOAuthIntrospectionSSLVerify := oidcOAuthIntrospectionSSLVerify(cr)
 
 		cr.Spec.AppName = appName(cr)
 		cr.Spec.BackupLabelName = backupLabelName(cr)
@@ -370,6 +379,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 		cr.Spec.MemcachedMaxConnection = memcachedMaxConnection(cr)
 		cr.Spec.MemcachedMaxMemory = memcachedMaxMemory(cr)
 		cr.Spec.MemcachedSlabPageSize = memcachedSlabPageSize(cr)
+		cr.Spec.OIDCOAuthIntrospectionSSLVerify = &varOIDCOAuthIntrospectionSSLVerify
 		cr.Spec.OrchestratorImage = orchestratorImage(cr)
 		cr.Spec.OrchestratorInitialDelay = orchestratorInitialDelay(cr)
 		cr.Spec.PostgresqlImage = postgresqlImage(cr)

diff --git a/manageiq-operator/pkg/helpers/miq-components/httpd.go b/manageiq-operator/pkg/helpers/miq-components/httpd.go
@@ -95,7 +95,7 @@ func Ingress(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*networkingv1.In
 
 func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ConfigMap, controllerutil.MutateFn, error) {
 	if cr.Spec.HttpdAuthenticationType == "openid-connect" && cr.Spec.OIDCProviderURL != "" && cr.Spec.OIDCOAuthIntrospectionURL == "" {
-		introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL)
+		introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, *cr.Spec.OIDCOAuthIntrospectionSSLVerify)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -585,9 +585,9 @@ func tlsSecretName(cr *miqv1alpha1.ManageIQ) string {
 	return secretName
 }
 
-func fetchIntrospectionUrl(providerUrl string) (string, error) {
+func fetchIntrospectionUrl(providerUrl string, sslVerify bool) (string, error) {
 	customTransport := http.DefaultTransport.(*http.Transport).Clone()
-	customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !sslVerify}
 	client := &http.Client{Transport: customTransport}
 	errMsg := fmt.Sprintf("failed to get the OIDCOAuthIntrospectionURL from %s", providerUrl)