THREESCALE-7836 Refactor TLS InsecureSkipVerify logic to use annotations by carlkyrillos · Pull Request #858 · 3scale/3scale-operator · GitHub

THREESCALE-7836 Refactor TLS InsecureSkipVerify logic to use annotations #858

Merged
merged 2 commits into from
Aug 31, 2023
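--- a/controllers/capabilities/activedoc_controller.go
+++ b/controllers/capabilities/activedoc_controller.go
@@ -144,7 +144,8 @@ func (r *ActiveDocReconciler) reconcileSpec(activeDocCR *capabilitiesv1beta1.Act
 return statusReconciler, err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(activeDocCR.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 statusReconciler := NewActiveDocStatusReconciler(r.BaseReconciler, activeDocCR, providerAccount.AdminURLStr, nil, err)
 return statusReconciler, err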
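Review bot: The decision to disable TLS certificate verification is now read from `activeDocCR.GetAnnotations()`, so it is made by whoever can create or patch the custom resource rather than by whoever sets the operator's environment, and nothing in this hunk records that verification was turned off. The same two-line pattern is repeated in the Application, Backend, CustomPolicyDefinition, DeveloperAccount, DeveloperUser, Product, ProxyConfigPromote and Tenant controllers; in the Tenant controller the affected connection carries `masterAccessToken`. I would log or emit an event whenever `insecureSkipVerify` is true, and add a comment such as `// insecure_skip_verify comes from the CR: anyone who may edit this object can disable TLS verification for the call that carries the provider token`. Whether CR editors are trusted to make that choice depends on the deployment's RBAC, which is not visible here; reconcileSpec starts and ends outside the hunk.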
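--- a/controllers/capabilities/application_controller.go
+++ b/controllers/capabilities/application_controller.go
@@ -103,7 +103,8 @@ func (r *ApplicationReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 return ctrl.Result{}, err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(application.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 return ctrl.Result{}, err
 }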
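--- a/controllers/capabilities/backend_controller.go
+++ b/controllers/capabilities/backend_controller.go
@@ -207,7 +207,8 @@ func (r *BackendReconciler) reconcile(backendResource *capabilitiesv1beta1.Backe
 return statusReconciler, err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(backendResource.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 statusReconciler := NewBackendStatusReconciler(r.BaseReconciler, backendResource, nil, providerAccount.AdminURLStr, err)
 return statusReconciler, err
@@ -298,7 +299,8 @@ func (r *BackendReconciler) removeBackendFrom3scale(backend *capabilitiesv1beta1
 return err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(backend.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 return err
 }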
Expand Up @@ -115,7 +115,8 @@ func (r *CustomPolicyDefinitionReconciler) reconcileSpec(customPolicyDefinitionC
return statusReconciler, err
}

threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(customPolicyDefinitionCR.GetAnnotations())
threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
if err != nil {
statusReconciler := NewCustomPolicyDefinitionStatusReconciler(r.BaseReconciler, customPolicyDefinitionCR, providerAccount.AdminURLStr, nil, err)
return statusReconciler, err
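--- a/controllers/capabilities/developeraccount_controller.go
+++ b/controllers/capabilities/developeraccount_controller.go
@@ -189,7 +189,8 @@ func (r *DeveloperAccountReconciler) reconcileSpec(accountCR *capabilitiesv1beta
 return statusReconciler, err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(accountCR.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 statusReconciler := NewDeveloperAccountStatusReconciler(r.BaseReconciler, accountCR, providerAccount.AdminURLStr, nil, err)
 return statusReconciler, err
@@ -240,7 +241,8 @@ func (r *DeveloperAccountReconciler) removeDeveloperAccountFrom3scale(developerA
 return err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(developerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(developerAccountCR.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(developerAccount, insecureSkipVerify)
 if err != nil {
 return err
 }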
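--- a/controllers/capabilities/developeruser_controller.go
+++ b/controllers/capabilities/developeruser_controller.go
@@ -202,7 +202,8 @@ func (r *DeveloperUserReconciler) reconcileSpec(userCR *capabilitiesv1beta1.Deve
 return statusReconciler, err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(userCR.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 statusReconciler := NewDeveloperUserStatusReconciler(r.BaseReconciler, userCR, parentAccountCR, providerAccount.AdminURLStr, nil, err)
 return statusReconciler, err
@@ -298,7 +299,8 @@ func (r *DeveloperUserReconciler) removeDeveloperUserFrom3scale(developerUser *c
 return err
 }
 
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(developerUser.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 return err
 }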
6 changes: 4 additions & 2 deletions controllers/capabilities/product_controller.go
Expand Up @@ -207,7 +207,8 @@ func (r *ProductReconciler) reconcile(productResource *capabilitiesv1beta1.Produ
return statusReconciler, err
}

threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(productResource.GetAnnotations())
threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
if err != nil {
statusReconciler := NewProductStatusReconciler(r.BaseReconciler, productResource, nil, providerAccount.AdminURLStr, err)
return statusReconciler, err
Expand Down Expand Up @@ -400,7 +401,8 @@ func (r *ProductReconciler) removeProductFrom3scale(product *capabilitiesv1beta1
return err< 9E88 /span>
}

threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(product.GetAnnotations())
threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
if err != nil {
return err
}
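--- a/controllers/capabilities/proxyconfigpromote_controller.go
+++ b/controllers/capabilities/proxyconfigpromote_controller.go
@@ -90,7 +90,8 @@ func (r *ProxyConfigPromoteReconciler) Reconcile(ctx context.Context, req ctrl.R
 }
 
 // connect to the 3scale porta client
-threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(proxyConfigPromote.GetAnnotations())
+threescaleAPIClient, err := controllerhelper.PortaClient(providerAccount, insecureSkipVerify)
 if err != nil {
 return ctrl.Result{}, err
 }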
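--- a/controllers/capabilities/tenant_controller.go
+++ b/controllers/capabilities/tenant_controller.go
@@ -98,7 +98,8 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 return ctrl.Result{}, err
 }
 
-portaClient, err := controllerhelper.PortaClientFromURLString(tenantR.Spec.SystemMasterUrl, masterAccessToken)
+insecureSkipVerify := controllerhelper.GetInsecureSkipVerifyAnnotation(tenantR.GetAnnotations())
+portaClient, err := controllerhelper.PortaClientFromURLString(tenantR.Spec.SystemMasterUrl, masterAccessToken, insecureSkipVerify)
 if err != nil {
 reqLogger.Error(err, "Error creating porta client object")
 // Error reading the object - requeue the request.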
8 changes: 8 additions & 0 deletions doc/development.md
Expand Up @@ -7,6 +7,7 @@
* [Run 3scale Operator](#run-3scale-operator)
* [Run 3scale Operator Locally](#run-3scale-operator-locally)
* [Deploy custom 3scale Operator using OLM](#deploy-custom-3scale-operator-using-olm)
* [Environment Variables](#3scale-operator-environment-variables)
* [Run tests](#run-tests)
* [Run all tests](#run-all-tests)
* [Run unit tests](#run-unit-tests)
Expand Down Expand Up @@ -116,6 +117,13 @@ It will take a few minutes for the operator to become visible under
the _OperatorHub_ section of the OpenShift console _Catalog_. It can be
easily found by filtering the provider type to _Custom_.

### 3scale Operator Environment Variables
There are environment variables that may be used to aid in development. Refer to the table below for details:

| Variable | Options | Type | Default | Details |
|-----------------------------|------------|:--------:|---------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| THREESCALE_DEBUG | `1` or `0` | Optional | `0` | If `1`, sets the porta client logging to be more verbose. |

Small but to be precise, verbose logging is enabled for local by default, disabled for olm


### Run tests

#### Run all tests
12 changes: 12 additions & 0 deletions doc/operator-user-guide.md
Expand Up @@ -22,6 +22,7 @@
* [Setting custom TopologySpreadConstraints](#setting-custom-topologyspreadconstraints)
* [Setting custom labels](#setting-custom-labels)
* [Setting custom Annotations](#setting-custom-annotations)
* [Setting porta client to skip certificate verification](#setting-porta-client-to-skip-certificate-verification)
* [Reconciliation](#reconciliation)
* [Resources](#resources)
* [Backend replicas](#backend-replicas)
Expand Down Expand Up @@ -815,6 +816,17 @@ spec:
anno-sample2: anno2
```

#### Setting porta client to skip certificate verification
Whenever a controller reconciles an object it creates a new porta client to make API calls. That client is configured to verify the server's certificate chain by default. For development/testing purposes, you may want the client to skip certificate verification when reconciling an object. This can be done using the annotation `insecure_skip_verify: true`, which can be added to the following objects:
* ActiveDoc
* Application
* Backend
* CustomPolicyDefinition
* DeveloperAccount
* DeveloperUser
* Product
* ProxyConfigPromote
* Tenant

### Reconciliation
After 3scale API Management solution has been installed, 3scale Operator enables updating a given set
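--- a/pkg/controller/helper/threescale_api.go
+++ b/pkg/controller/helper/threescale_api.go
@@ -11,40 +11,35 @@ import (
 )
 
 const (
-HTTP_VERBOSE_ENVVAR = "THREESCALE_DEBUG"
-INSECURE_SKIP_VERIFY_ENVVAR = "INSECURE_SKIP_VERIFY_CLIENT"
+HTTP_VERBOSE_ENVVAR = "THREESCALE_DEBUG"
 )
 
 type ProviderAccount struct {
 AdminURLStr string
 Token string
 }
 
-// PortaClient instantiate porta_client.ThreeScaleClient from ProviderAccount object
-func PortaClient(providerAccount *ProviderAccount) (*threescaleapi.ThreeScaleClient, error) {
-return PortaClientFromURLString(providerAccount.AdminURLStr, providerAccount.Token)
+// PortaClient instantiates porta_client.ThreeScaleClient from ProviderAccount object
+func PortaClient(providerAccount *ProviderAccount, insecureSkipVerify bool) (*threescaleapi.ThreeScaleClient, error) {
+return PortaClientFromURLString(providerAccount.AdminURLStr, providerAccount.Token, insecureSkipVerify)
 }
 
-func PortaClientFromURLString(adminURLStr, token string) (*threescaleapi.ThreeScaleClient, error) {
+// PortaClientFromURLString instantiates porta_client.ThreeScaleClient from url string
+func PortaClientFromURLString(adminURLStr, token string, insecureSkipVerify bool) (*threescaleapi.ThreeScaleClient, error) {
 adminURL, err := url.Parse(adminURLStr)
 if err != nil {
 return nil, err
 }
-return PortaClientFromURL(adminURL, token)
+return PortaClientFromURL(adminURL, token, insecureSkipVerify)
 }
 
 // PortaClientFromURL instantiates porta_client.ThreeScaleClient from admin url object
-func PortaClientFromURL(url *url.URL, token string) (*threescaleapi.ThreeScaleClient, error) {
+func PortaClientFromURL(url *url.URL, token string, insecureSkipVerify bool) (*threescaleapi.ThreeScaleClient, error) {
 adminPortal, err := threescaleapi.NewAdminPortal(url.Scheme, url.Hostname(), helper.PortFromURL(url))
 if err != nil {
 return nil, err
 }
 
-insecureSkipVerify := false
-if helper.GetEnvVar(INSECURE_SKIP_VERIFY_ENVVAR, "0") == "1" {
-insecureSkipVerify = true
-}
-
 // Activated by some env var or Spec param
 var transport http.RoundTripper = &http.Transport{
 Proxy: http.ProxyFromEnvironment,
@@ -57,3 +52,12 @@ func PortaClientFromURL(url *url.URL, token string) (*threescaleapi.ThreeScaleCl
 
 return threescaleapi.NewThreeScale(adminPortal, token, &http.Client{Transport: transport}), nil
 }
+
+// GetInsecureSkipVerifyAnnotation extracts the insecure_skip_verify annotation from an object
+func GetInsecureSkipVerifyAnnotation(annotations map[string]string) bool {
+insecureSkipVerify, ok := annotations["insecure_skip_verify"]
+if ok && insecureSkipVerify == "true" {
+return true
+}
+return false
+}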
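Review bot: `GetInsecureSkipVerifyAnnotation` keeps the annotation key as a string literal inside the function, although the user guide and nine controllers depend on that exact key, and its doc comment does not say which values turn verification off. I would move the key to an exported constant next to `HTTP_VERBOSE_ENVVAR`, reduce the body to `return annotations[InsecureSkipVerifyAnnotation] == "true"`, and state in the comment that only the exact string `true` disables certificate verification while every other value, including a missing key, leaves it on. The context comment `// Activated by some env var or Spec param` above the transport is stale now that the env var is gone and could read `// insecureSkipVerify is supplied by the caller (read from the object's annotation)`. The transport construction itself is collapsed on this page, so how the flag reaches the TLS config is not visible here.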
10 changes: 5 additions & 5 deletions pkg/controller/helper/threescale_api_test.go
Expand Up @@ -7,28 +7,28 @@ import (

func TestPortaClientInvalidURL(t *testing.T) {
providerAccount := &ProviderAccount{AdminURLStr: ":foo", Token: "some token"}
_, err := PortaClient(providerAccount)
_, err := PortaClient(providerAccount, false)
assert(t, er 3D11 r != nil, "error should not be nil")
}

func TestPortaClient(t *testing.T) {
providerAccount := &ProviderAccount{AdminURLStr: "http://somedomain.example.com", Token: "some token"}
_, err := PortaClient(providerAccount)
_, err := PortaClient(providerAccount, false)
ok(t, err)
}

func TestPortaClientFromURLStringInvalidURL(t *testing.T) {
_, err := PortaClientFromURLString(":foo", "some token")
_, err := PortaClientFromURLString(":foo", "some token", false)
assert(t, err != nil, "error should not be nil")
}

func TestPortaClientFromURLString(t *testing.T) {
_, err := PortaClientFromURLString("http://somedomain.example.com", "some token")
_, err := PortaClientFromURLString("http://somedomain.example.com", "some token", false)
ok(t, err)
}

func TestPortaClientFromURL(t *testing.T) {
url := &url.URL{}
_, err := PortaClientFromURL(url, "some token")
_, err := PortaClientFromURL(url, "some token", false)
assert(t, err != nil, "error should not be nil")
}
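Review bot: Every updated call passes `false`, and no test covers `GetInsecureSkipVerifyAnnotation`, which is the function that now decides whether certificate verification is disabled. A small set of inputs that pins the fail-closed behaviour (nil map, missing key, a value other than the exact string `true`) would catch a later change that loosens the parsing. The sketch below uses the `assert` helper already called in this file.

```go
func TestGetInsecureSkipVerifyAnnotation(t *testing.T) {
	// Only the exact value "true" may turn verification off.
	assert(t, GetInsecureSkipVerifyAnnotation(map[string]string{"insecure_skip_verify": "true"}), "exact true should skip verification")
	assert(t, !GetInsecureSkipVerifyAnnotation(nil), "nil annotations should keep verification on")
	assert(t, !GetInsecureSkipVerifyAnnotation(map[string]string{}), "missing key should keep verification on")
	assert(t, !GetInsecureSkipVerifyAnnotation(map[string]string{"insecure_skip_verify": "True"}), "other values should keep verification on")
}
```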