Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Ignore certificate check on fetch devworkspace template #1247

Closed
wants to merge 3 commits into from
Closed

fix: Ignore certificate check on fetch devworkspace template #1247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
08f2ed3
fix: Ignore certificate check on fetch devworkspace template
vinokurig Apr 8, 2024
4dbd3ce
Merge branch 'main' of github.com:devfile/devworkspace-operator into …
vinokurig Apr 23, 2024
b758f9c
fixup! fix: Ignore certificate check on fetch devworkspace template
vinokurig Apr 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ type RoutingConfig struct {
// DevWorkspaces. However, changing the proxy configuration for the DevWorkspace Operator itself
// requires restarting the controller deployment.
ProxyConfig *Proxy `json:"proxyConfig,omitempty"`
// DisableTLSVerification turns off TLS verification for http requests.
DisableTLSVerification *bool `json:"disableTLSVerification,omitempty"`
}

type WorkspaceConfig struct {
Expand Down
13 changes: 8 additions & 5 deletions controllers/workspace/http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,16 @@ var (
)

func setupHttpClients() {
transport := http.DefaultTransport.(*http.Transport).Clone()
healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone()
healthCheckTransport.TLSClientConfig = &tls.Config{
globalConfig := config.GetGlobalConfig()
insecureTlsConfig := &tls.Config{
InsecureSkipVerify: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vinokurig but this means that we are skipping verification of TLS for every single request, no?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ibuziuk this is my understanding as well. Previously, we were only skipping TLS verification for the health check

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might make more sense to add a DevWorkspace Operator Config field to allow disabling the TLS verification which users on an air-gapped cluster would toggle on.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the property, @AObuchow please take a look.

Copy link
Collaborator

@AObuchow AObuchow Apr 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good to me if we're going with the approach of enabling/disabling TLS verification (one small note in my next comment below about modifying the DevWorkspace Operator Config though). I do think @tolusha's suggestion of using certificates retrieved from a secret is more optimal than my suggestion, though.

Additionally, we have to commit to any changes made to the DevWorkspace Operator Config since these are considered API changes, and we unfortunately can't easily remove any fields we add. So taking my simpler approach first, and then implementing @tolusha's suggestion later on would mean we'd have to keep DisableTLSVerification in the DevWorkspace Operator Config.

Thankfully, though both my suggestion and @tolusha's suggestion would resolve #1248, they both provide different functionality and would not necessarily be redundantly overlapping each other if we were to support both fields in the DevWorkspace Operator Config. So implementing both approaches would not be redundant. @ibuziuk @tolusha @dkwon17 if any of you have any input on whether we should take a simpler approach first or not, please feel free to share.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding adding a new DevWorkspace Operator Config field, two areas need to be addressed:

  1. Modifications need to be made to mergeConfig() and GetCurrentConfigString() in sync.go.

In mergeConfig() we need to copy over the values of the new DisableTLSVerification field, something like:

	if from.Routing != nil {
		if to.Routing == nil {
			to.Routing = &controller.RoutingConfig{}
		}
		if from.Routing.DefaultRoutingClass != "" {
			to.Routing.DefaultRoutingClass = from.Routing.DefaultRoutingClass
		}
		if from.Routing.ClusterHostSuffix != "" {
			to.Routing.ClusterHostSuffix = from.Routing.ClusterHostSuffix
		}
		if from.Routing.ProxyConfig != nil {
			if to.Routing.ProxyConfig == nil {
				to.Routing.ProxyConfig = &controller.Proxy{}
			}
			to.Routing.ProxyConfig = proxy.MergeProxyConfigs(from.Routing.ProxyConfig, defaultConfig.Routing.ProxyConfig)
		}
+		if from.Routing.DisableTLSVerification != nil {
+			to.Routing.DisableTLSVerification = from.Routing.DisableTLSVerification
+		}
	}

And in GetCurrentConfigString() we need to declare if DisableTLSVerification is enabled. Something like:

	if routing != nil {
		if routing.ClusterHostSuffix != "" && routing.ClusterHostSuffix != defaultConfig.Routing.ClusterHostSuffix {
			config = append(config, fmt.Sprintf("routing.clusterHostSuffix=%s", routing.ClusterHostSuffix))
		}
		if routing.DefaultRoutingClass != defaultConfig.Routing.DefaultRoutingClass {
			config = append(config, fmt.Sprintf("routing.defaultRoutingClass=%s", routing.DefaultRoutingClass))
		}
+		if routing.DisableTLSVerification != nil && *routing.DisableTLSVerification {
+			config = append(config, "routing.DisableTLSVerification=true")
+		}
	}

You can run make test to make sure everything's working as expected. In particular, this test should be passing.

  1. The CRDs need to be re-generated since a new field was added to the DevWorkspace Operator Config. Run the following, and add the resulting changes into a separate commit: make generate manifests fmt generate_default_deployment generate_olm_bundle_yaml

}

globalConfig := config.GetGlobalConfig()
transport := http.DefaultTransport.(*http.Transport).Clone()
if globalConfig.Routing != nil && globalConfig.Routing.DisableTLSVerification != nil && *globalConfig.Routing.DisableTLSVerification {
transport.TLSClientConfig = insecureTlsConfig
}
healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone()
healthCheckTransport.TLSClientConfig = insecureTlsConfig

if globalConfig.Routing != nil && globalConfig.Routing.ProxyConfig != nil {
proxyConf := httpproxy.Config{}
Expand Down
3 changes: 3 additions & 0 deletions deploy/bundle/manifests/controller.devfile.io_devworkspaceoperatorconfigs.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading