fixup! Inject certificate to http client from a configmap referenced …
…in the config

Signed-off-by: ivinokur <[email protected]>
vinokurig committed May 23, 2024
1 parent 66ee28b commit dea48cc
Showing 2 changed files with 34 additions and 28 deletions.
12 changes: 3 additions & 9 deletions controllers/workspace/devworkspace_controller.go
Expand Up @@ -18,7 +18,6 @@ package controllers
import (
"context"
"fmt"
"net/http"
"strconv"
"strings"
"time"
Expand All @@ -28,7 +27,6 @@ import (
"github.com/devfile/devworkspace-operator/controllers/workspace/metrics"
"github.com/devfile/devworkspace-operator/pkg/common"
"github.com/devfile/devworkspace-operator/pkg/conditions"
"github.com/devfile/devworkspace-operator/pkg/config"
wkspConfig "github.com/devfile/devworkspace-operator/pkg/config"
"github.com/devfile/devworkspace-operator/pkg/constants"
"github.com/devfile/devworkspace-operator/pkg/dwerrors"
Expand Down Expand Up @@ -144,12 +142,8 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
reqLogger = reqLogger.WithValues(constants.DevWorkspaceIDLoggerKey, workspace.Status.DevWorkspaceId)
reqLogger.Info("Reconciling Workspace", "resolvedConfig", configString)

// Inject ca certificates to the http clint if the certificates configmap is created and defined in the config.
if certs, ok := readCertificates(r.Client, config, r.Log); ok {
for _, certsPem := range certs {
injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport))
}
}
// Inject ca certificates to the http client, if the certificates configmap is created and defined in the config.
InjectCertificates(r.Client, r.Log)

// Check if the DevWorkspaceRouting instance is marked to be deleted, which is
// indicated by the deletion timestamp being set.
Expand Down Expand Up @@ -677,7 +671,7 @@ func (r *DevWorkspaceReconciler) getWorkspaceId(ctx context.Context, workspace *
}

func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
setupHttpClients(mgr.GetClient(), config.GetGlobalConfig(), mgr.GetLogger())
setupHttpClients(mgr.GetClient(), mgr.GetLogger())

maxConcurrentReconciles, err := wkspConfig.GetMaxConcurrentReconciles()
if err != nil {
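Review bot: The new `InjectCertificates(r.Client, r.Log)` call in Reconcile runs a configmap read and mutates the shared `httpClient` transport on every reconcile of every workspace, and `SetupWithManager` below configures `maxConcurrentReconciles`, so concurrent reconciles can write `transport.TLSClientConfig` (in http.go's injectCertificates) while another reconcile or an in-flight dial reads it — an unsynchronized write to a live `*http.Transport`. Since setupHttpClients already calls `InjectCertificates` once at startup, the per-reconcile call appears to exist only to pick up a configmap created later; if so, serialize it (e.g. a package-level `sync.Mutex` taken at the top of `InjectCertificates`) and skip the work when the configmap content is unchanged, or watch the configmap instead of polling it from Reconcile. The body of Reconcile begins and ends outside this hunk, so I cannot see whether an earlier return already short-circuits some of these calls.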
50 changes: 31 additions & 19 deletions controllers/workspace/http.go
Expand Up @@ -21,9 +21,9 @@ import (
"net/url"
"time"

"k8s.io/apimachinery/pkg/types"
"github.com/devfile/devworkspace-operator/pkg/config"

controller "github.com/devfile/devworkspace-operator/apis/controller/v1alpha1"
"k8s.io/apimachinery/pkg/types"

"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
Expand All @@ -37,28 +37,25 @@ var (
healthCheckHttpClient *http.Client
)

func setupHttpClients(k8s client.Client, config *controller.OperatorConfiguration, logger logr.Logger) {
func setupHttpClients(k8s client.Client, logger logr.Logger) {
transport := http.DefaultTransport.(*http.Transport).Clone()
if certs, ok := readCertificates(k8s, config, logger); ok {
for _, certsPem := range certs {
injectCertificates([]byte(certsPem), transport)
}
}
healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone()
healthCheckTransport.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
}

if config.Routing != nil && config.Routing.ProxyConfig != nil {
globalConfig := config.GetGlobalConfig()

if globalConfig.Routing != nil && globalConfig.Routing.ProxyConfig != nil {
proxyConf := httpproxy.Config{}
if config.Routing.ProxyConfig.HttpProxy != nil {
proxyConf.HTTPProxy = *config.Routing.ProxyConfig.HttpProxy
if globalConfig.Routing.ProxyConfig.HttpProxy != nil {
proxyConf.HTTPProxy = *globalConfig.Routing.ProxyConfig.HttpProxy
}
if config.Routing.ProxyConfig.HttpsProxy != nil {
proxyConf.HTTPSProxy = *config.Routing.ProxyConfig.HttpsProxy
if globalConfig.Routing.ProxyConfig.HttpsProxy != nil {
proxyConf.HTTPSProxy = *globalConfig.Routing.ProxyConfig.HttpsProxy
}
if config.Routing.ProxyConfig.NoProxy != nil {
proxyConf.NoProxy = *config.Routing.ProxyConfig.NoProxy
if globalConfig.Routing.ProxyConfig.NoProxy != nil {
proxyConf.NoProxy = *globalConfig.Routing.ProxyConfig.NoProxy
}

proxyFunc := func(req *http.Request) (*url.URL, error) {
Expand All @@ -75,10 +72,19 @@ func setupHttpClients(k8s client.Client, config *controller.OperatorConfiguratio
Transport: healthCheckTransport,
Timeout: 500 * time.Millisecond,
}
InjectCertificates(k8s, logger)
}

func readCertificates(k8s client.Client, config *controller.OperatorConfiguration, logger logr.Logger) (map[string]string, bool) {
configmapRef := config.Routing.TLSCertificateConfigmapRef
func InjectCertificates(k8s client.Client, logger logr.Logger) {
if certs, ok := readCertificates(k8s, logger); ok {
for _, certsPem := range certs {
injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport), logger)
}
}
}

func readCertificates(k8s client.Client, logger logr.Logger) (map[string]string, bool) {
configmapRef := config.GetGlobalConfig().Routing.TLSCertificateConfigmapRef
if configmapRef == nil {
return nil, false
}
Expand All @@ -95,10 +101,16 @@ func readCertificates(k8s client.Client, config *controller.OperatorConfiguratio
return configMap.Data, true
}

func injectCertificates(certsPem []byte, transport *http.Transport) {
func injectCertificates(certsPem []byte, transport *http.Transport, logger logr.Logger) {
caCertPool := transport.TLSClientConfig.RootCAs
if caCertPool == nil {
caCertPool = x509.NewCertPool()
systemCertPool, err := x509.SystemCertPool()
if err != nil {
logger.Error(err, "Failed to load system cert pool")
caCertPool = x509.NewCertPool()
} else {
caCertPool = systemCertPool
}
}
if ok := caCertPool.AppendCertsFromPEM(certsPem); ok {
transport.TLSClientConfig = &tls.Config{RootCAs: caCertPool}
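Review bot: `readCertificates` now dereferences `config.GetGlobalConfig().Routing.TLSCertificateConfigmapRef` without checking `Routing` for nil, while `setupHttpClients` in the same file guards `globalConfig.Routing != nil` before touching it, so a config with no routing section would panic here; `if routing := config.GetGlobalConfig().Routing; routing == nil || routing.TLSCertificateConfigmapRef == nil { return nil, false }` keeps the two consistent. In `injectCertificates`, the first line reads `transport.TLSClientConfig.RootCAs`; `http.DefaultTransport.(*http.Transport).Clone()` leaves `TLSClientConfig` nil unless it is set somewhere outside this hunk, so this looks like a nil-pointer dereference on the first injection — worth confirming against the code that builds `httpClient`. The assignment `transport.TLSClientConfig = &tls.Config{RootCAs: caCertPool}` also replaces the whole config rather than setting `RootCAs` on the existing one, and connections already pooled by the transport keep the trust settings they were dialed with, so a `transport.CloseIdleConnections()` after the swap is needed for the new roots to take effect consistently.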
