[RFC-0004] Allow disabling of insecure HTTP connections for alert providers

controllers/event_handling_test.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -52,7 +53,69 @@ func TestEventHandler(t *testing.T) {
 		t.Fatalf("failed to create memory storage")
 	}
 
-	eventServer := server.NewEventServer("127.0.0.1:56789", logf.Log, k8sClient, true)
+	httpScheme := "http"
+
+	eventServerTests := []struct {
+		name          string
+		isHttpEnabled bool
+		url           string
+	}{
+		{
+			name:          "http scheme is enabled",
+			isHttpEnabled: true,
+		}, {
+			name:          "http scheme is disabled",
+			isHttpEnabled: false,
+		},
+	}
+	for _, eventServerTest := range eventServerTests {
+		t.Run(eventServerTest.name, func(t *testing.T) {
+
+			eventServer := server.NewEventServer("127.0.0.1:56789", logf.Log, k8sClient, true, eventServerTest.isHttpEnabled)
+
+			stopCh := make(chan struct{})
+			go eventServer.ListenAndServe(stopCh, eventMdlw, store)
+			requestsReceived := 0
+			rcvServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				requestsReceived = requestsReceived + 1
+				req = r
+				w.WriteHeader(200)
+			}))
+			defer rcvServer.Close()
+			defer close(stopCh)
+
+			providerKey := types.NamespacedName{
+				Name:      fmt.Sprintf("provider-%s", randStringRunes(5)),
+				Namespace: namespace,
+			}
+			provider = &notifyv1.Provider{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      providerKey.Name,
+					Namespace: providerKey.Namespace,
+				},
+				Spec: notifyv1.ProviderSpec{
+					Type:    "generic",
+					Address: rcvServer.URL,
+				},
+			}
+
+			webhook_url, err := url.Parse(provider.Spec.Address)
+
+			g.Expect(err).ToNot(HaveOccurred())
+
+			if eventServerTest.isHttpEnabled {
+				g.Expect(webhook_url.Scheme).To(Equal(httpScheme))
+				g.Expect(requestsReceived).To(Equal(1))
+			} else {
+				g.Expect(webhook_url.Scheme).ToNot(Equal(httpScheme))
+				g.Expect(requestsReceived).To(Equal(0))
+			}
+
+		})
+	}
+
+	eventServer := server.NewEventServer("127.0.0.1:56789", logf.Log, k8sClient, true, true)
+
 	stopCh := make(chan struct{})
 	go eventServer.ListenAndServe(stopCh, eventMdlw, store)
 
@@ -77,6 +140,9 @@ func TestEventHandler(t *testing.T) {
 			Address: rcvServer.URL,
 		},
 	}
+
+	g.Expect(err).ToNot(HaveOccurred())
+
 	g.Expect(k8sClient.Create(context.Background(), provider)).To(Succeed())
 	g.Eventually(func() bool {
 		var obj notifyv1.Provider
@@ -173,6 +239,7 @@ func TestEventHandler(t *testing.T) {
 		res, err := http.Post("http://localhost:56789/", "application/json", buf)
 		g.Expect(err).ToNot(HaveOccurred())
 		g.Expect(res.StatusCode).To(Equal(202)) // event_server responds with 202 Accepted
+
 	}
 
 	testForwarded := func() {
@@ -294,4 +361,5 @@ func TestEventHandler(t *testing.T) {
 			req = nil
 		})
 	}
+
 }

internal/server/event_handlers.go

@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"regexp"
 	"strings"
 	"time"
@@ -243,6 +244,22 @@ func (s *EventServer) handleEvent() func(w http.ResponseWriter, r *http.Request)
 				continue
 			}
 
+			webhookUrl, err := url.Parse(webhook)
+			if err != nil {
+				s.logger.Error(nil, "Error parsing webhook url",
+					"reconciler kind", v1beta1.ProviderKind,
+					"name", providerName.Name,
+					"namespace", providerName.Namespace)
+				continue
+			}
+
+			if !s.supportHttpScheme && webhookUrl.Scheme == "http" {
+				s.logger.Error(nil, "http scheme is blocked",
+					"reconciler kind", v1beta1.ProviderKind,
+					"name", providerName.Name,
+					"namespace", providerName.Namespace)
+				continue
+			}
 			factory := notifier.NewFactory(webhook, proxy, username, provider.Spec.Channel, token, headers, certPool, password)
 			sender, err := factory.Notifier(provider.Spec.Type)
 			if err != nil {

internal/server/event_server.go

@@ -44,15 +44,17 @@ type EventServer struct {
 	logger               logr.Logger
 	kubeClient           client.Client
 	noCrossNamespaceRefs bool
+	supportHttpScheme    bool
 }
 
 // NewEventServer returns an HTTP server that handles events
-func NewEventServer(port string, logger logr.Logger, kubeClient client.Client, noCrossNamespaceRefs bool) *EventServer {
+func NewEventServer(port string, logger logr.Logger, kubeClient client.Client, noCrossNamespaceRefs bool, supportHttpScheme bool) *EventServer {
 	return &EventServer{
 		port:                 port,
 		logger:               logger.WithName("event-server"),
 		kubeClient:           kubeClient,
 		noCrossNamespaceRefs: noCrossNamespaceRefs,
+		supportHttpScheme:    supportHttpScheme,
 	}
 }
 

main.go

@@ -72,6 +72,7 @@ func main() {
 		leaderElectionOptions leaderelection.Options
 		aclOptions            acl.Options
 		rateLimiterOptions    helper.RateLimiterOptions
+		insecureAllowHTTP     bool
 	)
 
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
@@ -82,6 +83,7 @@ func main() {
 	flag.BoolVar(&watchAllNamespaces, "watch-all-namespaces", true,
 		"Watch for custom resources in all namespaces, if set to false it will only watch the runtime namespace.")
 	flag.DurationVar(&rateLimitInterval, "rate-limit-interval", 5*time.Minute, "Interval in which rate limit has effect.")
+	flag.BoolVar(&insecureAllowHTTP, "insecure-allow-http", true, "Enable the use of HTTP Scheme (no HTTPS) across all controller level objects. This is not recommended for production environments")
 	clientOptions.BindFlags(flag.CommandLine)
 	logOptions.BindFlags(flag.CommandLine)
 	leaderElectionOptions.BindFlags(flag.CommandLine)
@@ -169,7 +171,7 @@ func main() {
 			Registry: crtlmetrics.Registry,
 		}),
 	})
-	eventServer := server.NewEventServer(eventsAddr, log, mgr.GetClient(), aclOptions.NoCrossNamespaceRefs)
+	eventServer := server.NewEventServer(eventsAddr, log, mgr.GetClient(), aclOptions.NoCrossNamespaceRefs, insecureAllowHTTP)
 	go eventServer.ListenAndServe(ctx.Done(), eventMdlw, store)
 
 	setupLog.Info("starting webhook receiver server", "addr", receiverAddr)