feat: support self signed certificates

Author: ansgarschulte

README.md

@@ -18,12 +18,12 @@ Supported Splunk Cloud Platform and Splunk Enterprise versions:
 
 ## Configuration
 
-| Environment Variable                                      | Helm value           | Meaning                                                                                                                              | Required | Default |
-|-----------------------------------------------------------|----------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------|---------|
-| `STEADYBIT_EXTENSION_ACCESS_TOKEN`                        | `splunk.accessToken` | The token required to access the Splunk Cloud Platform or Splunk Enterprise.                                                         | Yes      |         |
-| `STEADYBIT_EXTENSION_API_BASE_URL`                        | `splunk.apiBaseUrl`  | The API URL of the Splunk Cloud Platform or Splunk Enterprise instance, for example `https://<deployment-name>.splunkcloud.com:8089` | Yes      |         |
-| `STEADYBIT_EXTENSION_DISABLE_CERTIFICATE_VALIDATION`      |                      | Disable TLS certificate validation.                                                                                                  | No       | False   |
-| `STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES_ALERT` |                      | List of Alert Attributes which will be excluded during discovery. Checked by key equality and supporting trailing "*"                | No       |         |
+| Environment Variable                                      | Helm value                  | Meaning                                                                                                                              | Required | Default |
+|-----------------------------------------------------------|-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------|---------|
+| `STEADYBIT_EXTENSION_ACCESS_TOKEN`                        | `splunk.accessToken`        | The token required to access the Splunk Cloud Platform or Splunk Enterprise.                                                         | Yes      |         |
+| `STEADYBIT_EXTENSION_API_BASE_URL`                        | `splunk.apiBaseUrl`         | The API URL of the Splunk Cloud Platform or Splunk Enterprise instance, for example `https://<deployment-name>.splunkcloud.com:8089` | Yes      |         |
+| `STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY`                | `splunk.insecureSkipVerify` | Disable TLS certificate validation.                                                                                                  | No       | False   |
+| `STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES_ALERT` |                             | List of Alert Attributes which will be excluded during discovery. Checked by key equality and supporting trailing "*"                | No       |         |
 
 The extension supports all environment variables provided by [steadybit/extension-kit](https://github.com/steadybit/extension-kit#environment-variables).
 
@@ -80,6 +80,45 @@ Make sure that the extension is registered with the agent. In most cases this is
 the [documentation](https://docs.steadybit.com/install-and-configure/install-agent/extension-registration) for more
 information about extension registration and how to verify.
 
+
+## Importing your own certificates
+
+You may want to import your own certificates for connecting to Jenkins instances with self-signed certificates. This can be done in two ways:
+
+### Option 1: Using InsecureSkipVerify
+
+The extension provides the `insecureSkipVerify` option which disables TLS certificate verification. This is suitable for testing but not recommended for production environments.
+
+```yaml
+splunk:
+  insecureSkipVerify: true
+```
+
+### Option 2: Mounting custom certificates
+
+Mount a volume with your custom certificates and reference it in `extraVolumeMounts` and `extraVolumes` in the helm chart.
+
+This example uses a config map to store the `*.crt`-files:
+
+```shell
+kubectl create configmap -n steadybit-agent splunk-self-signed-ca --from-file=./self-signed-ca.crt
+```
+
+```yaml
+extraVolumeMounts:
+  - name: extra-certs
+    mountPath: /etc/ssl/extra-certs
+    readOnly: true
+extraVolumes:
+  - name: extra-certs
+    configMap:
+      name: splunk-self-signed-ca
+extraEnv:
+  - name: SSL_CERT_DIR
+    value: /etc/ssl/extra-certs:/etc/ssl/certs
+```
+
+
 ## Version and Revision
 
 The version and revision of the extension:

charts/steadybit-extension-splunk-platform/templates/deployment.yaml

@@ -69,6 +69,8 @@ spec:
                 secretKeyRef:
                   name: {{ include "splunk.secret.name" . }}
                   key: api-base-url
+            - name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+              value: "{{ .Values.splunk.insecureSkipVerify }}"
             {{- include "extensionlib.deployment.env" (list .) | nindent 12 }}
             {{- with .Values.extraEnv }}
               {{- toYaml . | nindent 12 }}
@@ -79,6 +81,9 @@ spec:
           {{- end }}
           volumeMounts:
             {{- include "extensionlib.deployment.volumeMounts" (list .) | nindent 12 }}
+            {{- with .Values.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           livenessProbe:
             initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
@@ -103,6 +108,9 @@ spec:
           {{- end }}
       volumes:
         {{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
+        {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       serviceAccountName: {{ .Values.serviceAccount.name }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

charts/steadybit-extension-splunk-platform/values.yaml

@@ -5,6 +5,8 @@ splunk:
   apiBaseUrl: ""
   # splunk.existingSecret -- If defined, will skip secret creation and instead assume that the referenced secret contains the keys api-base-url and access-token.
   existingSecret: null
+  # splunk.disableCertificateValidation -- If true, the extension will skip TLS verification when connecting to Splunk (for self-signed certificates)
+  insecureSkipVerify: false
 
 image:
   # image.name -- The container image to use.
@@ -133,6 +135,22 @@ extraEnv: []
 #    name: env-secrets
 extraEnvFrom: []
 
+# extraVolumeMounts -- Additional volumeMounts to add to the container
+# e.g:
+# extraVolumeMounts:
+#   - name: extra-certs
+#     mountPath: /etc/ssl/extra-certs
+#     readOnly: true
+extraVolumeMounts: []
+
+# extraVolumes -- Additional volumes to add to the pod
+# e.g:
+# extraVolumes:
+#   - name: extra-certs
+#     configMap:
+#       name: splunk-self-signed-ca
+extraVolumes: []
+
 discovery:
   attributes:
     excludes:

config/config.go

@@ -12,7 +12,7 @@ type Specification struct {
 	AccessToken                      string   `json:"accessToken" split_words:"true" required:"true"`
 	ApiBaseUrl                       string   `json:"apiBaseUrl" split_words:"true" required:"true"`
 	DiscoveryAttributesExcludesAlert []string `json:"discoveryAttributesExcludesAlert" split_words:"true" required:"false"`
-	DisableCertificateValidation     bool     `json:"disableCertificateValidation" split_words:"true" default:"false"`
+	InsecureSkipVerify               bool     `json:"insecureSkipVerify" split_words:"true" default:"false"`
 }
 
 var (

e2e/cert_generator_test.go

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2025 steadybit GmbH. All rights reserved.
+ */
+
+package e2e
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"time"
+)
+
+// generateSelfSignedCert creates a self-signed certificate and private key
+func generateSelfSignedCert() (tls.Certificate, error) {
+	// Generate a private key
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to generate private key: %w", err)
+	}
+
+	// Create a certificate template
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(365 * 24 * time.Hour) // Valid for 1 year
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Steadybit Test"},
+			CommonName:   "localhost",
+		},
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"localhost", "host.minikube.internal"},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+	}
+
+	// Create the certificate
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	// Encode certificate and private key to PEM format
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	privateKeyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)})
+
+	// Parse the certificate and private key
+	cert, err := tls.X509KeyPair(certPEM, privateKeyPEM)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	return cert, nil
+}

e2e/integration_test.go

@@ -32,8 +32,9 @@ func TestWithMinikube(t *testing.T) {
 		Port: 8083,
 		ExtraArgs: func(m *e2e.Minikube) []string {
 			return []string{
-				"--set", fmt.Sprintf("splunk.apiBaseUrl=http://host.minikube.internal:%s", port),
+				"--set", fmt.Sprintf("splunk.apiBaseUrl=https://host.minikube.internal:%s", port),
 				"--set", "logging.level=trace",
+				"--set", "splunk.insecureSkipVerify=true", // Enable skipping TLS verification
 			}
 		},
 	}

e2e/mock_splunk_api_test.go

@@ -4,6 +4,7 @@
 package e2e
 
 import (
+	"crypto/tls"
 	"fmt"
 	"github.com/rs/zerolog/log"
 	"github.com/steadybit/extension-kit/exthttp"
@@ -18,15 +19,31 @@ type mockServer struct {
 }
 
 func createMockSplunkApiServer() *mockServer {
+	// Generate self-signed certificate for TLS
+	cert, err := generateSelfSignedCert()
+	if err != nil {
+		panic(fmt.Sprintf("httptest: failed to generate self-signed certificate: %v", err))
+	}
+
 	listener, err := net.Listen("tcp", "0.0.0.0:0")
 	if err != nil {
 		panic(fmt.Sprintf("httptest: failed to listen: %v", err))
 	}
 	mux := http.NewServeMux()
 
-	server := httptest.Server{Listener: listener, Config: &http.Server{Handler: mux}}
-	server.Start()
-	log.Info().Str("url", server.URL).Msg("Started Mock-Server")
+	server := httptest.Server{
+		Listener: listener,
+		Config: &http.Server{
+			Handler: mux,
+			TLSConfig: &tls.Config{},
+		},
+		TLS: &tls.Config{
+			Certificates: []tls.Certificate{cert},
+		},
+	}
+
+	server.StartTLS()
+	log.Info().Str("url", server.URL).Msg("Started Secure Mock-Server with self-signed certificate")
 
 	mock := &mockServer{http: &server}
 	mux.Handle("GET /services/saved/searches", handler(mock.getSavedSearches))

extalert/common.go

@@ -37,7 +37,7 @@ type SplunkClient struct {
 
 func NewSplunkClient() *SplunkClient {
 	client := resty.New()
-	if config.Config.DisableCertificateValidation {
+	if config.Config.InsecureSkipVerify {
 		client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) //NOSONAR explicit choice
 	}
 	client.SetBaseURL(strings.TrimRight(config.Config.ApiBaseUrl, "/"))