Add a new environment variable 'TFC_TLS_SKIP_VERIFY' (#222)

hashicorp · Jul 20, 2023 · b510596 · b510596
1 parent b6326fe
commit b510596
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ BUG FIXES:
 * `AgentPool`: fix an issue when `plan_queued` and `apply_queued` statuses do not trigger agent scaling. [[GH-215](https://github.com/hashicorp/terraform-cloud-operator/pull/215)]
 * `Helm Chart`: fix an issue with the Deployment template in the Helm chart where `name` in path `spec.template.spec.containers[0]` was duplicated. [[GH-216](https://github.com/hashicorp/terraform-cloud-operator/pull/216)]
 
+ENHANCEMENT:
+* `Operator`: Add the ability to skip TLS certificate validation for communication between the Operator and the TFC/E endpoint. A new environment variable `TFC_TLS_SKIP_VERIFY` should be set to `true` to skip the validation. Default: `false`. [[GH-222](https://github.com/hashicorp/terraform-cloud-operator/pull/222)]
+* `Helm Chart`: Add a new parameter `operator.skipTLSVerify` to configure the ability to skip TLS certificate validation for communication between the Operator and the TFC/E endpoint. Default: `false`. [[GH-222](https://github.com/hashicorp/terraform-cloud-operator/pull/222)]
+
 DEPENDENCIES:
 
 * Bump `github.com/hashicorp/go-tfe` from 1.29.0 to 1.30.0. [[GH-218](https://github.com/hashicorp/terraform-cloud-operator/pull/218)]

diff --git a/charts/terraform-cloud-operator/templates/deployment.yaml b/charts/terraform-cloud-operator/templates/deployment.yaml
@@ -37,11 +37,14 @@ spec:
           {{- if .Values.operator.tfeAddress }}
             {{- $_ := set $envVars "TFE_ADDRESS" .Values.operator.tfeAddress }}
           {{- end }}
+          {{- if .Values.operator.skipTLSVerify }}
+            {{- $_ := set $envVars "TFC_TLS_SKIP_VERIFY" .Values.operator.skipTLSVerify }}
+          {{- end }}
           {{- if gt (len (keys $envVars)) 0 }}
           env:
             {{- range $ek, $ev := $envVars }}
             - name: {{ $ek }}
-              value: {{ $ev -}}
+              value: "{{ $ev -}}"
             {{ end }}
           {{- end }}
           command:

diff --git a/charts/terraform-cloud-operator/values.yaml b/charts/terraform-cloud-operator/values.yaml
@@ -28,6 +28,9 @@ operator:
   # The API URL of a TFE instance
   tfeAddress: ""
 
+  # Whether or not to ignore TLS certification warnings.
+  skipTLSVerify: false
+
 # Controllers-specific options.
 controllers:
   agentPool:

diff --git a/controllers/agentpool_controller.go b/controllers/agentpool_controller.go
@@ -5,7 +5,11 @@ package controllers
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
+	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -153,8 +157,25 @@ func (r *AgentPoolReconciler) getTerraformClient(ctx context.Context, ap *agentP
 		return err
 	}
 
+	httpClient := tfc.DefaultConfig().HTTPClient
+	insecure := false
+
+	if v, ok := os.LookupEnv("TFC_TLS_SKIP_VERIFY"); ok {
+		insecure, err = strconv.ParseBool(v)
+		if err != nil {
+			return err
+		}
+	}
+
+	if insecure {
+		ap.log.Info("Reconcile Workspace", "msg", "client configured to skip TLS certificate verifications")
+	}
+
+	httpClient.Transport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: insecure}
+
 	config := &tfc.Config{
-		Token: token,
+		Token:      token,
+		HTTPClient: httpClient,
 	}
 	ap.tfClient.Client, err = tfc.NewClient(config)
 

diff --git a/controllers/module_controller.go b/controllers/module_controller.go
@@ -6,8 +6,11 @@ package controllers
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
 	"os"
+	"strconv"
 	"strings"
 	"text/template"
 
@@ -202,8 +205,25 @@ func (r *ModuleReconciler) getTerraformClient(ctx context.Context, m *moduleInst
 		return err
 	}
 
+	httpClient := tfc.DefaultConfig().HTTPClient
+	insecure := false
+
+	if v, ok := os.LookupEnv("TFC_TLS_SKIP_VERIFY"); ok {
+		insecure, err = strconv.ParseBool(v)
+		if err != nil {
+			return err
+		}
+	}
+
+	if insecure {
+		m.log.Info("Reconcile Workspace", "msg", "client configured to skip TLS certificate verifications")
+	}
+
+	httpClient.Transport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: insecure}
+
 	config := &tfc.Config{
-		Token: token,
+		Token:      token,
+		HTTPClient: httpClient,
 	}
 	m.tfClient.Client, err = tfc.NewClient(config)
 

diff --git a/controllers/workspace_controller.go b/controllers/workspace_controller.go
@@ -5,7 +5,11 @@ package controllers
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
+	"os"
+	"strconv"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
@@ -160,8 +164,25 @@ func (r *WorkspaceReconciler) getTerraformClient(ctx context.Context, w *workspa
 		return err
 	}
 
+	httpClient := tfc.DefaultConfig().HTTPClient
+	insecure := false
+
+	if v, ok := os.LookupEnv("TFC_TLS_SKIP_VERIFY"); ok {
+		insecure, err = strconv.ParseBool(v)
+		if err != nil {
+			return err
+		}
+	}
+
+	if insecure {
+		w.log.Info("Reconcile Workspace", "msg", "client configured to skip TLS certificate verifications")
+	}
+
+	httpClient.Transport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: insecure}
+
 	config := &tfc.Config{
-		Token: token,
+		Token:      token,
+		HTTPClient: httpClient,
 	}
 	w.tfClient.Client, err = tfc.NewClient(config)