feat: Config to allow self-signed certificates

Signed-off-by: Maximilian Blatt <[email protected]>

apis/v1beta1/providerconfig_types.go

@@ -29,6 +29,10 @@ type ProviderConfigSpec struct {
 
 	// Credentials required to authenticate to this provider.
 	Credentials ProviderCredentials `json:"credentials"`
+
+	// InsecureSkipVerify ignores self signed TLS certificates when connecting
+	// to Gitlab.
+	InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
 }
 
 // ProviderCredentials required to authenticate.

go.mod

@@ -40,7 +40,7 @@ require (
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
@@ -82,7 +82,7 @@ require (
 	k8s.io/component-base v0.26.1 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
+	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

go.sum

@@ -739,8 +739,8 @@ k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
 k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E=
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
-k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y=
-k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

package/crds/gitlab.crossplane.io_providerconfigs.yaml

@@ -104,6 +104,10 @@ spec:
                 required:
                 - source
                 type: object
+              insecureSkipVerify:
+                description: InsecureSkipVerify ignores self signed TLS certificates
+                  when connecting to Gitlab.
+                type: boolean
             required:
             - credentials
             type: object

pkg/clients/gitlab.go

@@ -18,14 +18,17 @@ package clients
 
 import (
 	"context"
+	"net/http"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/go-cleanhttp"
 	"github.com/pkg/errors"
 	gitlab "github.com/xanzy/go-gitlab"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
@@ -37,19 +40,26 @@ import (
 
 // Config provides gitlab configurations for the Gitlab client
 type Config struct {
-	Token   string
-	BaseURL string
+	Token              string
+	BaseURL            string
+	InsecureSkipVerify bool
 }
 
 // NewClient creates new Gitlab Client with provided Gitlab Configurations/Credentials.
 func NewClient(c Config) *gitlab.Client {
-	var cl *gitlab.Client
-	var err error
+	options := []gitlab.ClientOptionFunc{}
 	if c.BaseURL != "" {
-		cl, err = gitlab.NewClient(c.Token, gitlab.WithBaseURL(c.BaseURL))
-	} else {
-		cl, err = gitlab.NewClient(c.Token)
+		options = append(options, gitlab.WithBaseURL(c.BaseURL))
 	}
+	if c.InsecureSkipVerify {
+		transport := cleanhttp.DefaultPooledTransport()
+		transport.TLSClientConfig.InsecureSkipVerify = true
+		httpclient := &http.Client{
+			Transport: transport,
+		}
+		options = append(options, gitlab.WithHTTPClient(httpclient))
+	}
+	cl, err := gitlab.NewClient(c.Token, options...)
 	if err != nil {
 		panic(err)
 	}
@@ -89,7 +99,11 @@ func UseProviderConfig(ctx context.Context, c client.Client, mg resource.Managed
 		if err := c.Get(ctx, types.NamespacedName{Namespace: csr.Namespace, Name: csr.Name}, s); err != nil {
 			return nil, errors.Wrap(err, "cannot get credentials secret")
 		}
-		return &Config{BaseURL: pc.Spec.BaseURL, Token: string(s.Data[csr.Key])}, nil
+		return &Config{
+			BaseURL:            pc.Spec.BaseURL,
+			Token:              string(s.Data[csr.Key]),
+			InsecureSkipVerify: ptr.Deref(pc.Spec.InsecureSkipVerify, false),
+		}, nil
 	default:
 		return nil, errors.Errorf("credentials source %s is not currently supported", s)
 	}

pkg/controller/projects/deploykeys/controller.go

@@ -16,7 +16,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	controller "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -255,7 +255,7 @@ func generateUpdateOptions(customResourse *v1alpha1.DeployKey) *gitlab.UpdateDep
 }
 
 func isUpToDate(cr *v1alpha1.DeployKey, dk *gitlab.ProjectDeployKey) bool {
-	isCanPushUpToDate := pointer.BoolEqual(cr.Spec.ForProvider.CanPush, &dk.CanPush)
+	isCanPushUpToDate := ptr.Equal(cr.Spec.ForProvider.CanPush, &dk.CanPush)
 	isTitleUpToDate := cr.Spec.ForProvider.Title == dk.Title
 
 	return isCanPushUpToDate && isTitleUpToDate