final changes - add flag to enable/disable http

parent 921ebc0
author gunishmatta <[email protected]> 1660541336 +0000
committer gunishmatta <[email protected]> 1668423536 +0000

added flag to disable http

Signed-off-by: gunishmatta <[email protected]>

added flag

Signed-off-by: gunishmatta <[email protected]>

revert mistakenly pushed binaries

Signed-off-by: gunishmatta <[email protected]>

PR changes

Signed-off-by: gunishmatta <[email protected]>

Update Kubernetes packages to v1.25.0

Signed-off-by: Stefan Prodan <[email protected]>

Fix context cancel defer

Signed-off-by: Philip Laine <[email protected]>

Release v0.25.2

Signed-off-by: Stefan Prodan <[email protected]>

update to new doc links structure

Signed-off-by: Daniel Holbach <[email protected]>

Add .spec.timeout to Provider

Signed-off-by: Somtochi Onyekwere <[email protected]>

Update pkg and controller-runtime

Signed-off-by: Somtochi Onyekwere <[email protected]>

fuzz: Ensure latest base images are used
Latest base image should contain Go 1.18, removing
the need of updating that ourselves, apart from
benefiting from latest changes upstream.

Signed-off-by: Paulo Gomes <[email protected]>

fuzz: Reuse go cache from host

Signed-off-by: Paulo Gomes <[email protected]>

fuzz: Use Go 1.18 on CI and fix cache path

Signed-off-by: Paulo Gomes <[email protected]>

fuzz: Refactor Fuzzers based on Go native fuzzing
The existing fuzzers were converted into the Go native format.
Based on how the code was structured on this project, the fuzzers
can be quite effective, allowing for entire E2E fuzzing in some
cases, but with very low execution cost.

Signed-off-by: Paulo Gomes <[email protected]>

Add finalizers to all the CRDs

Signed-off-by: Somtochi Onyekwere <[email protected]>

Release v0.26.0

Signed-off-by: Stefan Prodan <[email protected]>

api: add custom validation for v1.Duration types

Signed-off-by: Stefan Prodan <[email protected]>

Fix table with git commit status providers

Signed-off-by: Andrey Ivashchenko <[email protected]>

Update dependencies
- k8s.io/* v0.25.2
- controller-runtime v0.13.0
- fluxcd/pkg/runtime v0.19.0

Signed-off-by: Stefan Prodan <[email protected]>

Update Go to 1.19

Signed-off-by: Stefan Prodan <[email protected]>

Dockerfile: Build with Go 1.19

Signed-off-by: Stefan Prodan <[email protected]>

Release v0.27.0

Signed-off-by: Stefan Prodan <[email protected]>

Add "generic-hmac" Provider

This commit adds the "generic-hmac" Provider type for authenticating
webhook requests coming from notification-controller. I extended the
`Forwarder` notifier to accept an optional key used for generating the
HMAC. If the key is nil or empty no HMAC header is generated and the
forwarder behaves as before. If it is provided an `X-Signature` HTTP
header is added to the request carrying the HMAC.

I transformed the `TestForwarder_Post` test into a table-driven test
so that we can use the same setup and testing code for testing HMAC
and non-HMAC forwarder instances.

Any existing `X-Signature` header value set through
a `Provider.spec.secretRef` Secret's `header` field will be
overwritten.

closes #99

Signed-off-by: Max Jonas Werner <[email protected]>

Update dependencies
Includes a fix for CVE-2022-32149 of `golang.org/x/text`

Signed-off-by: Stefan Prodan <[email protected]>

Release v0.28.0

Signed-off-by: Stefan Prodan <[email protected]>

http scheme updates

Signed-off-by: Gunish Matta <[email protected]>

improved tests

Signed-off-by: Gunish Matta <[email protected]>

http scheme updates

Signed-off-by: Gunish Matta <[email protected]>

Update controllers/event_handling_test.go

Co-authored-by: Max Jonas Werner <[email protected]>
Signed-off-by: Gunish Matta <[email protected]>

Update controllers/event_handling_test.go

Co-authored-by: Paulo Gomes <[email protected]>
Signed-off-by: Gunish Matta <[email protected]>

revert mistakenly pushed binaries

Signed-off-by: gunishmatta <[email protected]>

Update controllers/event_handling_test.go

Co-authored-by: Paulo Gomes <[email protected]>
Signed-off-by: Gunish Matta <[email protected]>
Signed-off-by: gunishmatta <[email protected]>

minor formatter changes

Signed-off-by: gunishmatta <[email protected]>

controllers/event_handling_test.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -52,7 +53,69 @@ func TestEventHandler(t *testing.T) {
 		t.Fatalf("failed to create memory storage")
 	}
 
-	eventServer := server.NewEventServer("127.0.0.1:56789", logf.Log, k8sClient, true)
+	httpScheme := "http"
+
+	eventServerTests := []struct {
+		name          string
+		isHttpEnabled bool
+		url           string
+	}{
+		{
+			name:          "http scheme is enabled",
+			isHttpEnabled: true,
+		}, {
+			name:          "http scheme is disabled",
+			isHttpEnabled: false,
+		},
+	}
+	for _, eventServerTest := range eventServerTests {
+		t.Run(eventServerTest.name, func(t *testing.T) {
+
+			eventServer := server.NewEventServer("127.0.0.1:56789", logf.Log, k8sClient, true, eventServerTest.isHttpEnabled)
+
+			stopCh := make(chan struct{})
+			go eventServer.ListenAndServe(stopCh, eventMdlw, store)
+			requestsReceived := 0
+			rcvServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				requestsReceived = requestsReceived + 1
+				req = r
+				w.WriteHeader(200)
+			}))
+			defer rcvServer.Close()
+			defer close(stopCh)
+
+			providerKey := types.NamespacedName{
+				Name:      fmt.Sprintf("provider-%s", randStringRunes(5)),
+				Namespace: namespace,
+			}
+			provider = &notifyv1.Provider{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      providerKey.Name,
+					Namespace: providerKey.Namespace,
+				},
+				Spec: notifyv1.ProviderSpec{
+					Type:    "generic",
+					Address: rcvServer.URL,
+				},
+			}
+
+			webhook_url, err := url.Parse(provider.Spec.Address)
+
+			g.Expect(err).ToNot(HaveOccurred())
+
+			if eventServerTest.isHttpEnabled {
+				g.Expect(webhook_url.Scheme).To(Equal(httpScheme))
+				g.Expect(requestsReceived).To(Equal(1))
+			} else {
+				g.Expect(webhook_url.Scheme).ToNot(Equal(httpScheme))
+				g.Expect(requestsReceived).To(Equal(0))
+			}
+
+		})
+	}
+
+	eventServer := server.NewEventServer("127.0.0.1:56789", logf.Log, k8sClient, true, true)
+
 	stopCh := make(chan struct{})
 	go eventServer.ListenAndServe(stopCh, eventMdlw, store)
 
@@ -77,6 +140,9 @@ func TestEventHandler(t *testing.T) {
 			Address: rcvServer.URL,
 		},
 	}
+
+	g.Expect(err).ToNot(HaveOccurred())
+
 	g.Expect(k8sClient.Create(context.Background(), provider)).To(Succeed())
 	g.Eventually(func() bool {
 		var obj notifyv1.Provider
@@ -173,6 +239,7 @@ func TestEventHandler(t *testing.T) {
 		res, err := http.Post("http://localhost:56789/", "application/json", buf)
 		g.Expect(err).ToNot(HaveOccurred())
 		g.Expect(res.StatusCode).To(Equal(202)) // event_server responds with 202 Accepted
+
 	}
 
 	testForwarded := func() {
@@ -294,4 +361,5 @@ func TestEventHandler(t *testing.T) {
 			req = nil
 		})
 	}
+
 }

internal/server/event_handlers.go

@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"regexp"
 	"strings"
 	"time"
@@ -243,6 +244,22 @@ func (s *EventServer) handleEvent() func(w http.ResponseWriter, r *http.Request)
 				continue
 			}
 
+			webhookUrl, err := url.Parse(webhook)
+			if err != nil {
+				s.logger.Error(nil, "Error parsing webhook url",
+					"reconciler kind", v1beta1.ProviderKind,
+					"name", providerName.Name,
+					"namespace", providerName.Namespace)
+				continue
+			}
+
+			if !s.supportHttpScheme && webhookUrl.Scheme == "http" {
+				s.logger.Error(nil, "http scheme is blocked",
+					"reconciler kind", v1beta1.ProviderKind,
+					"name", providerName.Name,
+					"namespace", providerName.Namespace)
+				continue
+			}
 			factory := notifier.NewFactory(webhook, proxy, username, provider.Spec.Channel, token, headers, certPool, password)
 			sender, err := factory.Notifier(provider.Spec.Type)
 			if err != nil {

internal/server/event_server.go

@@ -44,15 +44,17 @@ type EventServer struct {
 	logger               logr.Logger
 	kubeClient           client.Client
 	noCrossNamespaceRefs bool
+	supportHttpScheme    bool
 }
 
 // NewEventServer returns an HTTP server that handles events
-func NewEventServer(port string, logger logr.Logger, kubeClient client.Client, noCrossNamespaceRefs bool) *EventServer {
+func NewEventServer(port string, logger logr.Logger, kubeClient client.Client, noCrossNamespaceRefs bool, supportHttpScheme bool) *EventServer {
 	return &EventServer{
 		port:                 port,
 		logger:               logger.WithName("event-server"),
 		kubeClient:           kubeClient,
 		noCrossNamespaceRefs: noCrossNamespaceRefs,
+		supportHttpScheme:    supportHttpScheme,
 	}
 }
 

main.go

@@ -72,6 +72,7 @@ func main() {
 		leaderElectionOptions leaderelection.Options
 		aclOptions            acl.Options
 		rateLimiterOptions    helper.RateLimiterOptions
+		insecureAllowHTTP     bool
 	)
 
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
@@ -82,6 +83,7 @@ func main() {
 	flag.BoolVar(&watchAllNamespaces, "watch-all-namespaces", true,
 		"Watch for custom resources in all namespaces, if set to false it will only watch the runtime namespace.")
 	flag.DurationVar(&rateLimitInterval, "rate-limit-interval", 5*time.Minute, "Interval in which rate limit has effect.")
+	flag.BoolVar(&insecureAllowHTTP, "insecure-allow-http", true, "Enable the use of HTTP Scheme (no HTTPS) across all controller level objects. This is not recommended for production environments")
 	clientOptions.BindFlags(flag.CommandLine)
 	logOptions.BindFlags(flag.CommandLine)
 	leaderElectionOptions.BindFlags(flag.CommandLine)
@@ -169,7 +171,7 @@ func main() {
 			Registry: crtlmetrics.Registry,
 		}),
 	})
-	eventServer := server.NewEventServer(eventsAddr, log, mgr.GetClient(), aclOptions.NoCrossNamespaceRefs)
+	eventServer := server.NewEventServer(eventsAddr, log, mgr.GetClient(), aclOptions.NoCrossNamespaceRefs, insecureAllowHTTP)
 	go eventServer.ListenAndServe(ctx.Done(), eventMdlw, store)
 
 	setupLog.Info("starting webhook receiver server", "addr", receiverAddr)