From f365d9b32b917714bffc3b8c924c95ab5e1a977f Mon Sep 17 00:00:00 2001
From: "Biava, Lorenzo"
Date: Fri, 10 Mar 2023 12:11:44 +0100
Subject: [PATCH 1/4] Allow skipping TLS verification for requests to Grafana

Fixes #261
---
 README.md | 2 ++
 src/helpers.py | 11 +++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e3515db6..dfe880ee 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,8 @@ If the filename ends with `.url` suffix, the content will be processed as a URL
 | `SCRIPT` | Absolute path to shell script to execute after a configmap got reloaded. It runs before calls to `REQ_URI` | false | - | string |
 | `ERROR_THROTTLE_SLEEP` | How many seconds to wait before watching resources again when an error occurs | false | `5` | integer |
 | `SKIP_TLS_VERIFY` | Set to `true` to skip tls verification for kube api calls | false | - | boolean |
+| `SKIP_GRAFANA_TLS_VERIFY` | Set to `true` to skip tls verification for Grafana api calls (for reloading certain resources).
+Note that the latest 'requests' library no longer offer a way to disable this via env vars; however a custom truststore can be set via EQUESTS_CA_BUNDLE. | false | - | boolean |
 | `UNIQUE_FILENAMES` | Set to true to produce unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | false | `false` | boolean |
 | `DEFAULT_FILE_MODE` | The default file system permission for every file. Use three digits (e.g. '500', '440', ...) | false | - | string |
 | `KUBECONFIG` | if this is given and points to a file or `~/.kube/config` is mounted k8s config will be loaded from this file, otherwise "incluster" k8s configuration is tried. | false | - | string |
diff --git a/src/helpers.py b/src/helpers.py
index 2fa34d02..7d5ce64e 100755
--- a/src/helpers.py
+++ b/src/helpers.py
@@ -23,6 +23,13 @@
 os.getenv("REQ_RETRY_BACKOFF_FACTOR"))
 REQ_TIMEOUT = 10 if os.getenv("REQ_TIMEOUT") is None else float(os.getenv("REQ_TIMEOUT"))
+# Allows to suppress TLS verification for HTTPs requests to Grafana
+# This is particularly useful since the connection happens as "localhost"
+# and most likely the TLS cert offered by Grafana will have an external URL.
+# Note that the latest 'requests' library no longer offer a way to disable this via
+# env vars; however a custom truststore can be set via REQUESTS_CA_BUNDLE
+REQ_TLS_VERIFY = False if os.getenv("SKIP_GRAFANA_TLS_VERIFY") == "true" else None
+
 # Tune default timeouts as outlined in
 # https://github.com/kubernetes-client/python/issues/1148#issuecomment-626184613
 # https://github.com/kubernetes-client/python/blob/master/examples/watch/timeout-settings.md
@@ -127,9 +134,9 @@ def request(url, method, enable_5xx=False, payload=None):
 # If method is not provided use GET as default
 if method == "GET" or not method:
- res = r.get("%s" % url, auth=auth, timeout=REQ_TIMEOUT)
+ res = r.get("%s" % url, auth=auth, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
 elif method == "POST":
- res = r.post("%s" % url, auth=auth, json=payload, timeout=REQ_TIMEOUT)
+ res = r.post("%s" % url, auth=auth, json=payload, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
 else:
 logger.warning(f"Invalid REQ_METHOD: '{method}', please use 'GET' or 'POST'. Doing nothing.")
 return

From c5e0682899c8993a87ca1291dd3826341517bdc1 Mon Sep 17 00:00:00 2001
From: "Biava, Lorenzo"
Date: Wed, 15 Mar 2023 11:30:29 +0100
Subject: [PATCH 2/4] fixup

---
 README.md | 2 +-
 src/helpers.py | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index dfe880ee..c8c78521 100644
--- a/README.md
+++ b/README.md
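Review bot: Turning verification off at `REQ_TLS_VERIFY = False if os.getenv("SKIP_GRAFANA_TLS_VERIFY") == "true" else None` leaves no runtime record that an operator has disabled it, which makes a misconfigured deployment hard to spot from logs later. Consider one startup warning right after the assignment, `if REQ_TLS_VERIFY is False:` / `    logger.warning("SKIP_GRAFANA_TLS_VERIFY is set: TLS certificate verification is disabled for REQ_URI requests")`, provided `logger` is already initialised at that point in the module (the second hunk shows it exists, but not where it is defined). The `None` default presumably falls through to the session's own verify setting and therefore to REQUESTS_CA_BUNDLE, so only the opt-out path changes behaviour; a short comment saying that `None` means "library default, verification on" would make the tri-state intent explicit. With `verify=False` urllib3 also emits an InsecureRequestWarning on every call unless warnings are filtered, which the comment block could mention so the log noise is expected.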
@@ -80,7 +80,7 @@ If the filename ends with `.url` suffix, the content will be processed as a URL
 | `SCRIPT` | Absolute path to shell script to execute after a configmap got reloaded. It runs before calls to `REQ_URI` | false | - | string |
 | `ERROR_THROTTLE_SLEEP` | How many seconds to wait before watching resources again when an error occurs | false | `5` | integer |
 | `SKIP_TLS_VERIFY` | Set to `true` to skip tls verification for kube api calls | false | - | boolean |
-| `SKIP_GRAFANA_TLS_VERIFY` | Set to `true` to skip tls verification for Grafana api calls (for reloading certain resources).
+| `REQ_SKIP_TLS_VERIFY ` | Set to `true` to skip tls verification for all HTTP requests (except the Kube API server, which are controlled by `SKIP_TLS_VERIFY`).
 Note that the latest 'requests' library no longer offer a way to disable this via env vars; however a custom truststore can be set via EQUESTS_CA_BUNDLE. | false | - | boolean |
 | `UNIQUE_FILENAMES` | Set to true to produce unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | false | `false` | boolean |
 | `DEFAULT_FILE_MODE` | The default file system permission for every file. Use three digits (e.g. '500', '440', ...) | false | - | string |
diff --git a/src/helpers.py b/src/helpers.py
index 7d5ce64e..53e82314 100755
--- a/src/helpers.py
+++ b/src/helpers.py
@@ -23,12 +23,12 @@
 os.getenv("REQ_RETRY_BACKOFF_FACTOR"))
 REQ_TIMEOUT = 10 if os.getenv("REQ_TIMEOUT") is None else float(os.getenv("REQ_TIMEOUT"))
-# Allows to suppress TLS verification for HTTPs requests to Grafana
-# This is particularly useful since the connection happens as "localhost"
-# and most likely the TLS cert offered by Grafana will have an external URL.
+# Allows to suppress TLS verification for all HTTPs requests (except to the API server, which are controller by SKIP_TLS_VERIFY)
+# This is particularly useful when the connection to the main container happens as "localhost"
+# and most likely the TLS cert offered by that will have an external URL in it.
 # Note that the latest 'requests' library no longer offer a way to disable this via
 # env vars; however a custom truststore can be set via REQUESTS_CA_BUNDLE
-REQ_TLS_VERIFY = False if os.getenv("SKIP_GRAFANA_TLS_VERIFY") == "true" else None
+REQ_TLS_VERIFY = False if os.getenv("REQ_SKIP_TLS_VERIFY ") == "true" else None
 # Tune default timeouts as outlined in
 # https://github.com/kubernetes-client/python/issues/1148#issuecomment-626184613

From 8edbe959d8b142ee7858b97c886855f88d582a55 Mon Sep 17 00:00:00 2001
From: "Biava, Lorenzo"
Date: Wed, 15 Mar 2023 16:09:35 +0100
Subject: [PATCH 3/4] fixup

---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c8c78521..6bd4db60 100644
--- a/README.md
+++ b/README.md
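Review bot: The environment variable name in the new line `REQ_TLS_VERIFY = False if os.getenv("REQ_SKIP_TLS_VERIFY ") == "true" else None` has a trailing space inside the string literal, so a normally exported `REQ_SKIP_TLS_VERIFY` never matches and the opt-out silently does nothing; it should read `REQ_TLS_VERIFY = False if os.getenv("REQ_SKIP_TLS_VERIFY") == "true" else None`. The README rows added in this patch and rewritten in patches 3/4 carry the same trailing space inside the backticks (`` `REQ_SKIP_TLS_VERIFY ` ``), so the documentation propagates the typo rather than exposing it. In the rewritten comment, `controller by SKIP_TLS_VERIFY` should be `controlled by SKIP_TLS_VERIFY`, and `HTTPs` is conventionally written `HTTPS`.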
@@ -80,8 +80,7 @@ If the filename ends with `.url` suffix, the content will be processed as a URL
 | `SCRIPT` | Absolute path to shell script to execute after a configmap got reloaded. It runs before calls to `REQ_URI` | false | - | string |
 | `ERROR_THROTTLE_SLEEP` | How many seconds to wait before watching resources again when an error occurs | false | `5` | integer |
 | `SKIP_TLS_VERIFY` | Set to `true` to skip tls verification for kube api calls | false | - | boolean |
-| `REQ_SKIP_TLS_VERIFY ` | Set to `true` to skip tls verification for all HTTP requests (except the Kube API server, which are controlled by `SKIP_TLS_VERIFY`).
-Note that the latest 'requests' library no longer offer a way to disable this via env vars; however a custom truststore can be set via EQUESTS_CA_BUNDLE. | false | - | boolean |
+| `REQ_SKIP_TLS_VERIFY ` | Set to `true` to skip tls verification for all HTTP requests (except the Kube API server, which are controlled by `SKIP_TLS_VERIFY`). Note that the latest 'requests' library no longer offer a way to disable this via env vars; however a custom truststore can be set via REQUESTS_CA_BUNDLE. | false | - | boolean |
 | `UNIQUE_FILENAMES` | Set to true to produce unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | false | `false` | boolean |
 | `DEFAULT_FILE_MODE` | The default file system permission for every file. Use three digits (e.g. '500', '440', ...) | false | - | string |
 | `KUBECONFIG` | if this is given and points to a file or `~/.kube/config` is mounted k8s config will be loaded from this file, otherwise "incluster" k8s configuration is tried. | false | - | string |

From 94e02b5886eb76d9f22e411f9add793a7fb555ac Mon Sep 17 00:00:00 2001
From: "Biava, Lorenzo"
Date: Wed, 15 Mar 2023 16:11:13 +0100
Subject: [PATCH 4/4] fixup

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6bd4db60..2f7105b3 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,7 @@ If the filename ends with `.url` suffix, the content will be processed as a URL
 | `SCRIPT` | Absolute path to shell script to execute after a configmap got reloaded. It runs before calls to `REQ_URI` | false | - | string |
 | `ERROR_THROTTLE_SLEEP` | How many seconds to wait before watching resources again when an error occurs | false | `5` | integer |
 | `SKIP_TLS_VERIFY` | Set to `true` to skip tls verification for kube api calls | false | - | boolean |
-| `REQ_SKIP_TLS_VERIFY ` | Set to `true` to skip tls verification for all HTTP requests (except the Kube API server, which are controlled by `SKIP_TLS_VERIFY`). Note that the latest 'requests' library no longer offer a way to disable this via env vars; however a custom truststore can be set via REQUESTS_CA_BUNDLE. | false | - | boolean |
+| `REQ_SKIP_TLS_VERIFY ` | Set to `true` to skip tls verification for all HTTP requests (except the Kube API server, which are controlled by `SKIP_TLS_VERIFY`). Note that the latest 'requests' library no longer offer a way to disable this via env vars; however a custom truststore can be set via REQUESTS_CA_BUNDLE. | false | - | boolean |
 | `UNIQUE_FILENAMES` | Set to true to produce unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | false | `false` | boolean |
 | `DEFAULT_FILE_MODE` | The default file system permission for every file. Use three digits (e.g. '500', '440', ...) | false | - | string |
 | `KUBECONFIG` | if this is given and points to a file or `~/.kube/config` is mounted k8s config will be loaded from this file, otherwise "incluster" k8s configuration is tried. | false | - | string |