Added way to reference custom CAs

telekom · Jan 5, 2024 · 71f8a90 · 71f8a90
1 parent ca4b466
commit 71f8a90
Show file tree

Hide file tree

Showing 13 changed files with 65 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -60,16 +60,17 @@ Next, Infoblox Instance should be defined using `InfobloxInstance` CRD. Ypu can
 apiVersion: ipam.cluster.x-k8s.io/v1alpha1
 kind: InfobloxInstance
 metadata:
-  name: infobloxinstance-sample    # name of the instance object
-  namespace: caip-infoblox-system  # namespace of the instance object
+  name: infobloxinstance-sample     # name of the instance object.
+  namespace: caip-infoblox-system   # namespace of the instance object.
 spec:
-  credentialsSecretRef:            # reference to the credentials 
-    name: some-credentials         # name of the credentials
-  defaultNetworkView: "some-view"  # default Ifoblox network view
-  host: "some.host.com"            # address of the Infoblox server
-  insecureSkipTLSVerify: true      # disable/enable SSL verification
-  port: "443"                      # network port to be used
-  wapiVersion: "2.12"              # Infoblox Web API version
+  credentialsSecretRef:             # reference to the credentials .
+    name: some-credentials          # name of the credentials.
+  defaultNetworkView: "some-view"   # default Ifoblox network view.
+  host: "some.host.com"             # address of the Infoblox server.
+  disableTLSVerification: false     # disable/enable SSL verification.
+  customCAPath: "/some/path/ca.crt" # path to a file that contians list of custom Certificate Authorities tha can be used to verify SSL certifcates if 'disableTLSVerification' is set to 'false'. Host's default authorities will be used if not specified.
+  port: "443"                       # network port to be used.
+  wapiVersion: "2.12"               # Infoblox Web API version.
 ```
 
 ## Usage

diff --git a/api/v1alpha1/infobloxinstance_types.go b/api/v1alpha1/infobloxinstance_types.go
@@ -40,9 +40,11 @@ type InfobloxInstanceSpec struct {
 	// InfobloxIPPools will inherit this value when not explicitly specifying a network view.
 	// +optional
 	DefaultNetworkView string `json:"defaultNetworkView,omitempty"`
-	//
-	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
-	// maybe add a way to reference a custom CA?
+	// DisableTLSVerification if set 'true', certificates for SSL commuunication with Infoblox instance will be not verified
+	DisableTLSVerification bool `json:"disableTLSVerification,omitempty"`
+	// CustomCAPath can be used to point Infoblox client to a file with a list of accepted certificate authorities. Only used if DisableTLSVerification is set to 'false'.
+	// + optional
+	CustomCAPath string `json:"customCAPath,omitempty"`
 }
 
 // InfobloxInstanceStatus defines the observed state of InfobloxInstance.

diff --git a/config/crd/bases/ipam.cluster.x-k8s.io_infobloxinstances.yaml b/config/crd/bases/ipam.cluster.x-k8s.io_infobloxinstances.yaml
@@ -60,16 +60,23 @@ spec:
                       TODO: Add other useful fields. apiVersion, kind, uid?'
                     type: string
                 type: object
+              customCAPath:
+                description: CustomCAPath can be used to point Infoblox client to
+                  a file with a list of accepted certificate authorities. Only used
+                  if DisableTLSVerification is set to 'false'.
+                type: string
               defaultNetworkView:
                 description: DefaultNetworkView is the default network view used when
                   interacting with Infoblox. InfobloxIPPools will inherit this value
                   when not explicitly specifying a network view.
                 type: string
+              disableTLSVerification:
+                description: DisableTLSVerification if set 'true', certificates for
+                  SSL commuunication with Infoblox instance will be not verified
+                type: boolean
               host:
                 description: Endpoint is the API endpoint of the Infoblox instance.
                 type: string
-              insecureSkipTLSVerify:
-                type: boolean
               port:
                 default: "443"
                 description: Port

diff --git a/config/samples/ipam_v1alpha1_infobloxinstance.yaml b/config/samples/ipam_v1alpha1_infobloxinstance.yaml
@@ -15,6 +15,7 @@ spec:
     name: some-credentials
   defaultNetworkView: "some-view"
   host: "some.host.com"
-  insecureSkipTLSVerify: true
+  disableTLSVerification: false
+  customCAPath: "/some/path/ca.crt"
   port: "443"
   wapiVersion: "2.12"
diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.13.0
 	github.com/onsi/gomega v1.29.0
 	github.com/pkg/errors v0.9.1
+	go.uber.org/mock v0.4.0
 	k8s.io/api v0.28.3
 	k8s.io/apimachinery v0.28.3
 	k8s.io/client-go v0.28.3

diff --git a/go.sum b/go.sum
@@ -174,6 +174,8 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
+go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
+go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=

diff --git a/internal/controllers/infobloxinstance.go b/internal/controllers/infobloxinstance.go
@@ -108,9 +108,10 @@ func (r *InfobloxInstanceReconciler) reconcile(ctx context.Context, instance *v1
 	}
 
 	hc := infoblox.HostConfig{
-		Host:                  instance.Spec.Host,
-		Version:               instance.Spec.WAPIVersion,
-		InsecureSkipTLSVerify: instance.Spec.InsecureSkipTLSVerify,
+		Host:                   instance.Spec.Host,
+		Version:                instance.Spec.WAPIVersion,
+		DisableTLSVerification: instance.Spec.DisableTLSVerification,
+		CustomCAPath:           instance.Spec.CustomCAPath,
 	}
 
 	ibcl, err := r.NewInfobloxClientFunc(infoblox.Config{HostConfig: hc, AuthConfig: authConfig})

diff --git a/internal/controllers/suite_test.go b/internal/controllers/suite_test.go
@@ -22,9 +22,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"go.uber.org/mock/gomock"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/scheme"

diff --git a/internal/controllers/util.go b/internal/controllers/util.go
@@ -33,9 +33,9 @@ func getInfobloxClientForInstance(ctx context.Context, client client.Reader, nam
 	}
 	config := infoblox.Config{
 		HostConfig: infoblox.HostConfig{
-			Host:                  instance.Spec.Host + ":" + instance.Spec.Port,
-			Version:               instance.Spec.WAPIVersion,
-			InsecureSkipTLSVerify: instance.Spec.InsecureSkipTLSVerify,
+			Host:                   instance.Spec.Host + ":" + instance.Spec.Port,
+			Version:                instance.Spec.WAPIVersion,
+			DisableTLSVerification: instance.Spec.DisableTLSVerification,
 		},
 		AuthConfig: ac,
 	}

diff --git a/internal/controllers/utilmock/util.go b/internal/controllers/utilmock/util.go
diff --git a/pkg/infoblox/client.go b/pkg/infoblox/client.go
@@ -50,9 +50,10 @@ type AuthConfig struct {
 
 // HostConfig contains host configuration patameters.
 type HostConfig struct {
-	Host                  string
-	Version               string
-	InsecureSkipTLSVerify bool
+	Host                   string
+	Version                string
+	DisableTLSVerification bool
+	CustomCAPath           string
 }
 
 // Config is a wrapper config structures.
@@ -80,9 +81,12 @@ func NewClient(config Config) (Client, error) {
 		ClientKey:  config.ClientKey,
 	}
 	tlsVerify := "true"
-	if config.InsecureSkipTLSVerify {
+	if config.DisableTLSVerification {
 		tlsVerify = "false"
+	} else if config.CustomCAPath != "" {
+		tlsVerify = config.CustomCAPath
 	}
+
 	rb := &ibclient.WapiRequestBuilder{}
 	rq := &ibclient.WapiHttpRequestor{}
 	tc := ibclient.NewTransportConfig(tlsVerify, int(time.Second), 5)

diff --git a/pkg/infoblox/ibmock/client.go b/pkg/infoblox/ibmock/client.go
diff --git a/pkg/infoblox/util_test.go b/pkg/infoblox/util_test.go
@@ -11,9 +11,9 @@ const infobloxTestEnvPrefix = "CAIP_INFOBLOX_TEST_"
 func InfobloxConfigFromEnv() (Config, error) {
 	config := Config{
 		HostConfig: HostConfig{
-			Host:                  getInfobloxTestEnvVar("host", ""),
-			InsecureSkipTLSVerify: strToBool(getInfobloxTestEnvVar("skip_tls_verify", "false")),
-			Version:               getInfobloxTestEnvVar("wapi_version", ""),
+			Host:                   getInfobloxTestEnvVar("host", ""),
+			DisableTLSVerification: strToBool(getInfobloxTestEnvVar("skip_tls_verify", "false")),
+			Version:                getInfobloxTestEnvVar("wapi_version", ""),
 		},
 		AuthConfig: AuthConfig{
 			Username:   getInfobloxTestEnvVar("username", ""),