From f83210cefb8484ecf33bfe7f617f8da2a2019252 Mon Sep 17 00:00:00 2001
From: Brandon Dunne
Date: Tue, 2 Jul 2024 16:50:34 -0400
Subject: [PATCH] Merge pull request #1081 from bdunne/ssl_verify

Add a CRD field to replace InsecureSkipVerify=true

(cherry picked from commit 5a376e90f89786387aa7b98efd281b735de898c6)

# Conflicts:
# manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml
# manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go
---
 .../deploy/crds/manageiq.org_manageiqs_crd.yaml | 6 ++++++
 .../pkg/apis/manageiq/v1alpha1/manageiq_types.go | 6 ++++++
 .../apis/manageiq/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 manageiq-operator/pkg/helpers/miq-components/cr.go | 10 ++++++++++
 manageiq-operator/pkg/helpers/miq-components/httpd.go | 6 +++---
 5 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/manageiq-operator/deploy/crds/manageiq.org_manageiqs_crd.yaml b/manageiq-operator/deploy/crds/manageiq.org_manageiqs_crd.yaml
index 31c50b7de..323d93d41 100644
--- a/manageiq-operator/deploy/crds/manageiq.org_manageiqs_crd.yaml
+++ b/manageiq-operator/deploy/crds/manageiq.org_manageiqs_crd.yaml
@@ -204,6 +204,12 @@ spec:
 description: Secret name containing the OIDC client id and secret
 Only used with the openid-connect authentication type
 type: string
+ oidcOAuthIntrospectionSSLVerify:
+ description: |-
+ Enable or disable SSL verification for OIDC authentication introspection
+ Only used with the openid-connect authentication type.
+ If not specified, defaults to true
+ type: boolean
 oidcProviderURL:
 description: URL for the OIDC provider
 Only used with the openid-connect authentication type
diff --git a/manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go b/manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go
index db268d188..150a3a717 100644
--- a/manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go
+++ b/manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go
@@ -211,6 +211,12 @@ type ManageIQSpec struct {
 // +optional
 OIDCOAuthIntrospectionURL string `json:"oidcAuthIntrospectionURL,omitempty"`
 
+ // Enable or disable SSL verification for OIDC authentication introspection
+ // Only used with the openid-connect authentication type.
+ // If not specified, defaults to true
+ // +optional
+ OIDCOAuthIntrospectionSSLVerify *bool `json:"oidcOAuthIntrospectionSSLVerify,omitempty"`
+
 // URL for the OIDC provider
 // Only used with the openid-connect authentication type
 // +optional
diff --git a/manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go b/manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go
index ad796234b..2f1b8b47e 100644
--- a/manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go
+++ b/manageiq-operator/pkg/apis/manageiq/v1alpha1/zz_generated.deepcopy.go
@@ -105,6 +105,11 @@ func (in *ManageIQSpec) DeepCopyInto(out *ManageIQSpec) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.OIDCOAuthIntrospectionSSLVerify != nil {
+ in, out := &in.OIDCOAuthIntrospectionSSLVerify, &out.OIDCOAuthIntrospectionSSLVerify
+ *out = new(bool)
+ **out = **in
+ }
 return
 }
 
diff --git a/manageiq-operator/pkg/helpers/miq-components/cr.go b/manageiq-operator/pkg/helpers/miq-components/cr.go
index 30ed7287b..9676ec3b1 100644
--- a/manageiq-operator/pkg/helpers/miq-components/cr.go
+++ b/manageiq-operator/pkg/helpers/miq-components/cr.go
@@ -218,6 +218,14 @@ func memcachedSlabPageSize(cr *miqv1alpha1.ManageIQ) string {
 }
 }
 
+func oidcOAuthIntrospectionSSLVerify(cr *miqv1alpha1.ManageIQ) bool {
+ if cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil {
+ return true
+ } else {
+ return *cr.Spec.OIDCOAuthIntrospectionSSLVerify
+ }
+}
+
 func orchestratorImage(cr *miqv1alpha1.ManageIQ) string {
 if cr.Spec.OrchestratorImage == "" {
 return orchestratorImageNamespace(cr) + "/" + orchestratorImageName(cr) + ":" + orchestratorImageTag(cr)
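Review bot: The new `oidcOAuthIntrospectionSSLVerify` helper in the cr.go hunk keeps an `else` branch after a terminating `return`, which Go style guidance (and the usual linters) flag; the happy path should be left-aligned. The body reduces to `if cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil { return true }` followed by `return *cr.Spec.OIDCOAuthIntrospectionSSLVerify`. A one-line doc comment would also make the fail-closed default visible at the definition, e.g. `// oidcOAuthIntrospectionSSLVerify returns the CR's OIDC introspection TLS-verification setting, defaulting to true when the field is unset.`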
@@ -351,6 +359,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 varEnableApplicationLocalLogin := enableApplicationLocalLogin(cr)
 varEnableSSO := enableSSO(cr)
 varEnforceWorkerResourceConstraints := enforceWorkerResourceConstraints(cr)
+ varOIDCOAuthIntrospectionSSLVerify := oidcOAuthIntrospectionSSLVerify(cr)
 
 cr.Spec.AppName = appName(cr)
 cr.Spec.BackupLabelName = backupLabelName(cr)
@@ -370,6 +379,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 cr.Spec.MemcachedMaxConnection = memcachedMaxConnection(cr)
 cr.Spec.MemcachedMaxMemory = memcachedMaxMemory(cr)
 cr.Spec.MemcachedSlabPageSize = memcachedSlabPageSize(cr)
+ cr.Spec.OIDCOAuthIntrospectionSSLVerify = &varOIDCOAuthIntrospectionSSLVerify
 cr.Spec.OrchestratorImage = orchestratorImage(cr)
 cr.Spec.OrchestratorInitialDelay = orchestratorInitialDelay(cr)
 cr.Spec.PostgresqlImage = postgresqlImage(cr)
diff --git a/manageiq-operator/pkg/helpers/miq-components/httpd.go b/manageiq-operator/pkg/helpers/miq-components/httpd.go
index 18a2fcd13..b30a54611 100644
--- a/manageiq-operator/pkg/helpers/miq-components/httpd.go
+++ b/manageiq-operator/pkg/helpers/miq-components/httpd.go
@@ -95,7 +95,7 @@ func Ingress(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*networkingv1.In
 
 func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ConfigMap, controllerutil.MutateFn, error) {
 if cr.Spec.HttpdAuthenticationType == "openid-connect" && cr.Spec.OIDCProviderURL != "" && cr.Spec.OIDCOAuthIntrospectionURL == "" {
- introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL)
+ introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, *cr.Spec.OIDCOAuthIntrospectionSSLVerify)
 if err != nil {
 return nil, nil, err
 }
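Review bot: The new call in HttpdConfigMap dereferences `cr.Spec.OIDCOAuthIntrospectionSSLVerify` with no nil check, so any path that reaches HttpdConfigMap with a CR that has not first gone through ManageCR (which is what writes the pointer, per the cr.go hunks above) panics on an unset field. The same package already has a nil-safe accessor carrying the documented default of true, so the line should read `introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, oidcOAuthIntrospectionSSLVerify(cr))`. That keeps the fail-closed default in one place instead of depending on call ordering between ManageCR and HttpdConfigMap. HttpdConfigMap's body continues outside the hunk.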
@@ -585,9 +585,9 @@ func tlsSecretName(cr *miqv1alpha1.ManageIQ) string {
 return secretName
 }
 
-func fetchIntrospectionUrl(providerUrl string) (string, error) {
+func fetchIntrospectionUrl(providerUrl string, sslVerify bool) (string, error) {
 customTransport := http.DefaultTransport.(*http.Transport).Clone()
- customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !sslVerify}
 client := &http.Client{Transport: customTransport}
 errMsg := fmt.Sprintf("failed to get the OIDCOAuthIntrospectionURL from %s", providerUrl)
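Review bot: `fetchIntrospectionUrl` now turns certificate verification off silently whenever sslVerify is false, yet the URL it discovers over that unverified connection is what HttpdConfigMap presumably writes into the httpd OIDC configuration as the token-introspection endpoint, so an operator-side record of verification being disabled is worth having. Suggest a comment on the TLS line such as `// sslVerify=false skips certificate validation; the discovered introspection URL is then trusted from an unauthenticated channel, so log it` and a warning-level log line naming providerUrl through the package's existing logger before the request is made. Separately, `client` is built with no `Timeout`, so a stalled provider blocks reconciliation indefinitely; `client := &http.Client{Transport: customTransport, Timeout: 30 * time.Second}` (adding the time import if the file lacks it) or a context-bound request bounds that. The function's body continues outside the hunk.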