
Commit 2ba00a3

authored
Merge pull request #1709 from juparog/juparog/webhook-disabletls
feat: add `disableTLS` option for webhooks request
2 parents 7cd1476 + 8f83838 commit 2ba00a3


7 files changed

+63
-16
lines changed


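--- a/artifacts/flagger/crd.yaml
+++ b/artifacts/flagger/crd.yaml
@@ -1135,6 +1135,9 @@ spec:
 retries:
 description: Number of retries for this webhook
 type: number
+disableTLS:
+description: Disable TLS verification for this webhook
+type: boolean
 metadata:
 description: Metadata (key-value pairs) for this webhook
 type: object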

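--- a/charts/flagger/crds/crd.yaml
+++ b/charts/flagger/crds/crd.yaml
@@ -1135,6 +1135,9 @@ spec:
 retries:
 description: Number of retries for this webhook
 type: number
+disableTLS:
+description: Disable TLS verification for this webhook
+type: boolean
 metadata:
 description: Metadata (key-value pairs) for this webhook
 type: object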

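--- a/docs/gitbook/usage/webhooks.md
+++ b/docs/gitbook/usage/webhooks.md
@@ -124,7 +124,10 @@ Event payload (HTTP POST):
 The event receiver can create alerts based on the received phase
 (possible values: `Initialized`, `Waiting`, `Progressing`, `Promoting`, `Finalising`, `Succeeded` or `Failed`).
 
-The webhook request can be retried by specifying a positive integer in the `retries` field.
+Options:
+* retries: The webhook request can be retried by specifying a positive integer in the `retries` field. This helps ensure reliability if the webhook fails due to transient network issues.
+
+* disable TLS: Set `disableTLS` to `true` in the webhook spec to bypass TLS verification. This is useful in cases where the target service uses self-signed certificates, or you need to connect to an insecure service for testing purposes.
 
 ## Load Testing
 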
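--- a/kustomize/base/flagger/crd.yaml
+++ b/kustomize/base/flagger/crd.yaml
@@ -1135,6 +1135,9 @@ spec:
 retries:
 description: Number of retries for this webhook
 type: number
+disableTLS:
+description: Disable TLS verification for this webhook
+type: boolean
 metadata:
 description: Metadata (key-value pairs) for this webhook
 type: object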

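--- a/pkg/apis/flagger/v1beta1/canary.go
+++ b/pkg/apis/flagger/v1beta1/canary.go
@@ -398,6 +398,10 @@ type CanaryWebhook struct {
 // Number of retries for this webhook
 // +optional
 Retries int `json:"retries,omitempty"`
+
+// Disable TLS verification for this webhook
+// +optional
+DisableTLS bool `json:"disableTLS,omitempty"`
 }
 
 // CanaryWebhookPayload holds the deployment info and metadata sent to webhooks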
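Review bot: The comment on `DisableTLS` (and the identical `description` string in the three CRD copies) does not say what is actually switched off. Per the `newHTTPClient` change in pkg/controller/webhook.go the field sets `InsecureSkipVerify`, so neither the certificate chain nor the host name of the webhook server is checked, while the field name suggests TLS itself is turned off. I would write `// DisableTLS skips verification of the webhook server's certificate chain and host name.` followed by `// The connection is still encrypted, but the server is not authenticated.` so that anyone setting it from the CRD sees the trade-off. The `CanaryWebhook` struct begins above this hunk.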

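--- a/pkg/controller/webhook.go
+++ b/pkg/controller/webhook.go
@@ -18,10 +18,12 @@ package controller
 
 import (
 "bytes"
+"crypto/tls"
 "encoding/json"
 "errors"
 "fmt"
 "io"
+"net/http"
 "net/url"
 "strconv"
 "time"
@@ -32,28 +34,32 @@ import (
 "github.com/fluxcd/flagger/pkg/canary"
 )
 
-func callWebhook(webhook string, payload interface{}, timeout string, retries int) error {
-payloadBin, err := json.Marshal(payload)
-if err != nil {
-return err
+func newHTTPClient(retries int, timeout time.Duration, disableTls bool) *retryablehttp.Client {
+httpClient := retryablehttp.NewClient()
+httpClient.RetryMax = retries
+httpClient.Logger = nil
+httpClient.HTTPClient.Timeout = timeout
+
+if disableTls {
+httpClient.HTTPClient.Transport = &http.Transport{
+TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+}
 }
 
-hook, err := url.Parse(webhook)
+return httpClient
+}
+
+func callWebhook(webhook string, payload interface{}, timeout string, retries int, disableTls bool) error {
+payloadBin, err := json.Marshal(payload)
 if err != nil {
 return err
 }
 
-httpClient := retryablehttp.NewClient()
-httpClient.RetryMax = retries
-httpClient.Logger = nil
-
-req, err := retryablehttp.NewRequest("POST", hook.String(), bytes.NewBuffer(payloadBin))
+hook, err := url.Parse(webhook)
 if err != nil {
 return err
 }
 
-req.Header.Set("Content-Type", "application/json")
-
 if timeout == "" {
 timeout = "10s"
 }
@@ -62,7 +68,13 @@ func callWebhook(webhook string, payload interface{}, timeout string, retries in
 return err
 }
 
-httpClient.HTTPClient.Timeout = t
+httpClient := newHTTPClient(retries, t, disableTls)
+
+req, err := retryablehttp.NewRequest("POST", hook.String(), bytes.NewBuffer(payloadBin))
+if err != nil {
+return err
+}
+req.Header.Set("Content-Type", "application/json")
 
 r, err := httpClient.Do(req)
 if err != nil {
@@ -100,7 +112,7 @@ func CallWebhook(canary flaggerv1.Canary, phase flaggerv1.CanaryPhase, w flagger
 w.Timeout = "10s"
 }
 
-return callWebhook(w.URL, payload, w.Timeout, w.Retries)
+return callWebhook(w.URL, payload, w.Timeout, w.Retries, w.DisableTLS)
 }
 
 func CallEventWebhook(r *flaggerv1.Canary, w flaggerv1.CanaryWebhook, message, eventtype string) error {
@@ -126,7 +138,7 @@ func CallEventWebhook(r *flaggerv1.Canary, w flaggerv1.CanaryWebhook, message, e
 payload.Metadata[key] = value
 }
 }
-return callWebhook(w.URL, payload, "5s", w.Retries)
+return callWebhook(w.URL, payload, "5s", w.Retries, w.DisableTLS)
 }
 
 func canaryChecksum(c flaggerv1.Canary) string {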
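Review bot: In `newHTTPClient`, the `disableTls` branch swaps in a bare `&http.Transport{...}`, so it also discards whatever proxy, dial-timeout and idle-connection settings the retryablehttp default transport carries (presumably pooled defaults; they are not visible on this page). Since a client is built on every `callWebhook`, a transport with no idle timeout may keep a connection open per call. Changing only the TLS config on a cloned transport would be narrower: `tr := http.DefaultTransport.(*http.Transport).Clone()`, `tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}`, `httpClient.HTTPClient.Transport = tr`. `InsecureSkipVerify` turns off both chain and host-name checks, so the payload can be read or altered by anyone on the network path; a per-webhook CA bundle would cover the self-signed case without that exposure, and a log line when the flag is set would let operators audit its use. The parameter would read `disableTLS` under Go's initialism convention, matching the struct field.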

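--- a/pkg/controller/webhook_test.go
+++ b/pkg/controller/webhook_test.go
@@ -289,3 +289,22 @@ func TestCallWebhook_Retries(t *testing.T) {
 flaggerv1.CanaryPhaseProgressing, hook)
 require.NoError(t, err)
 }
+
+func TestCallWebhook_DisableTLS(t *testing.T) {
+ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+w.WriteHeader(http.StatusAccepted)
+}))
+defer ts.Close()
+hook := flaggerv1.CanaryWebhook{
+Name: "validation",
+URL: ts.URL,
+DisableTLS: true,
+}
+
+err := CallWebhook(
+flaggerv1.Canary{
+ObjectMeta: metav1.ObjectMeta{
+Name: "podinfo", Namespace: corev1.NamespaceDefault}},
+flaggerv1.CanaryPhaseProgressing, hook)
+require.NoError(t, err)
+}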
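Review bot: `TestCallWebhook_DisableTLS` exercises only the opt-out path; nothing asserts that a webhook with `DisableTLS` unset still rejects the test server's untrusted certificate. A regression that made skipping verification the default would pass this suite unnoticed. A companion test against the same `httptest.NewTLSServer` with the field left at its zero value, expecting an error, would pin the verifying default.

```go
func TestCallWebhook_TLSVerifiedByDefault(t *testing.T) {
	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusAccepted)
	}))
	defer ts.Close()
	// DisableTLS is left unset, so the self-signed test certificate must be rejected.
	hook := flaggerv1.CanaryWebhook{
		Name: "validation",
		URL:  ts.URL,
	}

	err := CallWebhook(
		flaggerv1.Canary{
			ObjectMeta: metav1.ObjectMeta{
				Name: "podinfo", Namespace: corev1.NamespaceDefault}},
		flaggerv1.CanaryPhaseProgressing, hook)
	require.Error(t, err)
}
```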
