add http client and tlsSecretRef

Author: Avarei

apis/disposablerequest/v1alpha2/disposablerequest_types.go

@@ -45,6 +45,9 @@ type DisposableRequestParameters struct {
 	// InsecureSkipTLSVerify, when set to true, skips TLS certificate checks for the HTTP request
 	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
 
+	// TlsSecretRef expects a reference to an opaque secret containing tls.crt and tls.key or/and ca.crt
+	TlsSecretRef xpv1.SecretReference `json:"tlsSecretRef,omitempty"`
+
 	// ExpectedResponse is a jq filter expression used to evaluate the HTTP response and determine if it matches the expected criteria.
 	// The expression should return a boolean; if true, the response is considered expected.
 	// Example: '.Body.job_status == "success"'

apis/disposablerequest/v1alpha2/zz_generated.deepcopy.go

@@ -42,6 +42,9 @@ type RequestParameters struct {
 	// InsecureSkipTLSVerify, when set to true, skips TLS certificate checks for the HTTP request
 	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
 
+	// TlsSecretRef expects a reference to an opaque secret containing tls.crt and tls.key or/and ca.crt
+	TlsSecretRef xpv1.SecretReference `json:"tlsSecretRef,omitempty"`
+
 	// SecretInjectionConfig specifies the secrets receiving patches for response data.
 	SecretInjectionConfigs []SecretInjectionConfig `json:"secretInjectionConfigs,omitempty"`
 }

apis/request/v1alpha2/request_types.go

@@ -4,7 +4,9 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -15,12 +17,12 @@ import (
 
 // Client is the interface to interact with Http
 type Client interface {
-	SendRequest(ctx context.Context, method string, url string, body Data, headers Data, skipTLSVerify bool) (resp HttpDetails, err error)
+	SendRequest(ctx context.Context, method string, url string, body Data, headers Data) (resp HttpDetails, err error)
 }
 
 type client struct {
-	log     logging.Logger
-	timeout time.Duration
+	client http.Client
+	log    logging.Logger
 }
 
 type HttpResponse struct {
@@ -46,7 +48,7 @@ type HttpDetails struct {
 	HttpRequest  HttpRequest
 }
 
-func (hc *client) SendRequest(ctx context.Context, method string, url string, body Data, headers Data, skipTLSVerify bool) (details HttpDetails, err error) {
+func (hc *client) SendRequest(ctx context.Context, method string, url string, body Data, headers Data) (details HttpDetails, err error) {
 	requestBody := []byte(body.Decrypted.(string))
 	request, err := http.NewRequestWithContext(ctx, method, url, bytes.NewBuffer(requestBody))
 	requestDetails := HttpRequest{
@@ -68,15 +70,7 @@ func (hc *client) SendRequest(ctx context.Context, method string, url string, bo
 		}
 	}
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			// #nosec G402
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
-		},
-		Timeout: hc.timeout,
-	}
-
-	response, err := client.Do(request)
+	response, err := hc.client.Do(request)
 	if err != nil {
 		return HttpDetails{
 			HttpRequest: requestDetails,
@@ -112,10 +106,20 @@ func (hc *client) SendRequest(ctx context.Context, method string, url string, bo
 }
 
 // NewClient returns a new Http Client
-func NewClient(log logging.Logger, timeout time.Duration) (Client, error) {
+func NewClient(log logging.Logger, timeout time.Duration, certPEMBlock, keyPEMBlock, caPEMBlock []byte, insecureSkipVerify bool) (Client, error) {
+	tlsConfig, err := tlsConfig(certPEMBlock, keyPEMBlock, caPEMBlock, insecureSkipVerify)
+	if err != nil {
+		return nil, err
+	}
+	httpClient := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
+		Timeout: timeout,
+	}
 	return &client{
-		log:     log,
-		timeout: timeout,
+		client: httpClient,
+		log:    log,
 	}, nil
 }
 
@@ -127,3 +131,26 @@ func toJSON(request HttpRequest) string {
 
 	return string(jsonBytes)
 }
+
+func tlsConfig(certPEMBlock, keyPEMBlock, caPEMBlock []byte, insecureSkipVerify bool) (*tls.Config, error) {
+	tlsConfig := &tls.Config{}
+	if len(certPEMBlock) > 0 && len(keyPEMBlock) > 0 {
+		certificate, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{certificate}
+	}
+
+	if len(caPEMBlock) > 0 {
+		caPool := x509.NewCertPool()
+		if !caPool.AppendCertsFromPEM(caPEMBlock) {
+			return nil, errors.New("some error appending the ca.crt")
+		}
+		tlsConfig.RootCAs = caPool
+	}
+
+	tlsConfig.InsecureSkipVerify = insecureSkipVerify
+
+	return tlsConfig, nil
+}

apis/request/v1alpha2/zz_generated.deepcopy.go

@@ -42,6 +42,7 @@ import (
 	apisv1alpha1 "github.com/crossplane-contrib/provider-http/apis/v1alpha1"
 	httpClient "github.com/crossplane-contrib/provider-http/internal/clients/http"
 	"github.com/crossplane-contrib/provider-http/internal/utils"
+	corev1 "k8s.io/api/core/v1"
 )
 
 const (
@@ -92,7 +93,7 @@ type connector struct {
 	logger          logging.Logger
 	kube            client.Client
 	usage           resource.Tracker
-	newHttpClientFn func(log logging.Logger, timeout time.Duration) (httpClient.Client, error)
+	newHttpClientFn func(log logging.Logger, timeout time.Duration, certPEMBlock, keyPEMBlock, caPEMBlock []byte, insecureSkipVerify bool) (httpClient.Client, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -113,7 +114,21 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errProviderNotRetrieved)
 	}
 
-	h, err := c.newHttpClientFn(l, utils.WaitTimeout(cr.Spec.ForProvider.WaitTimeout))
+	secret := &corev1.Secret{}
+
+	if cr.Spec.ForProvider.TlsSecretRef.Name != "" && cr.Spec.ForProvider.TlsSecretRef.Namespace != "" {
+		if err := c.kube.Get(ctx, types.NamespacedName{
+			Namespace: cr.Spec.ForProvider.TlsSecretRef.Namespace,
+			Name:      cr.Spec.ForProvider.TlsSecretRef.Name,
+		}, secret); err != nil {
+			return nil, errors.Wrap(err, errGetReferencedSecret)
+		}
+	}
+	certPEMBlock := secret.Data["tls.crt"]
+	keyPEMBlock := secret.Data["tls.key"]
+	caPEMBlock := secret.Data["ca.crt"]
+
+	h, err := c.newHttpClientFn(l, utils.WaitTimeout(cr.Spec.ForProvider.WaitTimeout), certPEMBlock, keyPEMBlock, caPEMBlock, cr.Spec.ForProvider.InsecureSkipTLSVerify)
 	if err != nil {
 		return nil, errors.Wrap(err, errNewHttpClient)
 	}
@@ -173,7 +188,7 @@ func (c *external) deployAction(ctx context.Context, cr *v1alpha2.DisposableRequ
 
 	bodyData := httpClient.Data{Encrypted: cr.Spec.ForProvider.Body, Decrypted: sensitiveBody}
 	headersData := httpClient.Data{Encrypted: cr.Spec.ForProvider.Headers, Decrypted: sensitiveHeaders}
-	details, err := c.http.SendRequest(ctx, cr.Spec.ForProvider.Method, cr.Spec.ForProvider.URL, bodyData, headersData, cr.Spec.ForProvider.InsecureSkipTLSVerify)
+	details, err := c.http.SendRequest(ctx, cr.Spec.ForProvider.Method, cr.Spec.ForProvider.URL, bodyData, headersData)
 
 	sensitiveResponse := details.HttpResponse
 	resource := &utils.RequestResource{

internal/clients/http/client.go

@@ -54,7 +54,7 @@ func (c *external) isUpToDate(ctx context.Context, cr *v1alpha2.Request) (Observ
 		return FailedObserve(), err
 	}
 
-	details, responseErr := c.http.SendRequest(ctx, http.MethodGet, requestDetails.Url, requestDetails.Body, requestDetails.Headers, cr.Spec.ForProvider.InsecureSkipTLSVerify)
+	details, responseErr := c.http.SendRequest(ctx, http.MethodGet, requestDetails.Url, requestDetails.Body, requestDetails.Headers)
 	if details.HttpResponse.StatusCode == http.StatusNotFound {
 		return FailedObserve(), errors.New(errObjectNotFound)
 	}

internal/controller/disposablerequest/disposablerequest.go

@@ -42,6 +42,7 @@ import (
 	"github.com/crossplane-contrib/provider-http/internal/controller/request/statushandler"
 	datapatcher "github.com/crossplane-contrib/provider-http/internal/data-patcher"
 	"github.com/crossplane-contrib/provider-http/internal/utils"
+	corev1 "k8s.io/api/core/v1"
 )
 
 const (
@@ -56,6 +57,7 @@ const (
 	errMappingNotFound              = "%s mapping doesn't exist in request, skipping operation"
 	errPatchDataToSecret            = "Warning, couldn't patch data from request to secret %s:%s:%s, error: %s"
 	errGetLatestVersion             = "failed to get the latest version of the resource"
+	errGetReferencedSecret          = "cannot get referenced secret"
 )
 
 // Setup adds a controller that reconciles Request managed resources.
@@ -91,7 +93,7 @@ type connector struct {
 	logger          logging.Logger
 	kube            client.Client
 	usage           resource.Tracker
-	newHttpClientFn func(log logging.Logger, timeout time.Duration) (httpClient.Client, error)
+	newHttpClientFn func(log logging.Logger, timeout time.Duration, certPEMBlock, keyPEMBlock, caPEMBlock []byte, insecureSkipVerify bool) (httpClient.Client, error)
 }
 
 // Connect typically produces an ExternalClient by:
@@ -117,7 +119,21 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errProviderNotRetrieved)
 	}
 
-	h, err := c.newHttpClientFn(l, utils.WaitTimeout(cr.Spec.ForProvider.WaitTimeout))
+	secret := &corev1.Secret{}
+
+	if cr.Spec.ForProvider.TlsSecretRef.Name != "" && cr.Spec.ForProvider.TlsSecretRef.Namespace != "" {
+		if err := c.kube.Get(ctx, types.NamespacedName{
+			Namespace: cr.Spec.ForProvider.TlsSecretRef.Namespace,
+			Name:      cr.Spec.ForProvider.TlsSecretRef.Name,
+		}, secret); err != nil {
+			return nil, errors.Wrap(err, errGetReferencedSecret)
+		}
+	}
+	certPEMBlock := secret.Data["tls.crt"]
+	keyPEMBlock := secret.Data["tls.key"]
+	caPEMBlock := secret.Data["ca.crt"]
+
+	h, err := c.newHttpClientFn(l, utils.WaitTimeout(cr.Spec.ForProvider.WaitTimeout), certPEMBlock, keyPEMBlock, caPEMBlock, cr.Spec.ForProvider.InsecureSkipTLSVerify)
 	if err != nil {
 		return nil, errors.Wrap(err, errNewHttpClient)
 	}
@@ -194,7 +210,7 @@ func (c *external) deployAction(ctx context.Context, cr *v1alpha2.Request, metho
 		return err
 	}
 
-	details, err := c.http.SendRequest(ctx, mapping.Method, requestDetails.Url, requestDetails.Body, requestDetails.Headers, cr.Spec.ForProvider.InsecureSkipTLSVerify)
+	details, err := c.http.SendRequest(ctx, mapping.Method, requestDetails.Url, requestDetails.Body, requestDetails.Headers)
 	c.patchResponseToSecret(ctx, cr, &details.HttpResponse)
 
 	statusHandler, err := statushandler.NewStatusHandler(ctx, cr, details, err, c.localKube, c.logger)

internal/controller/request/observe.go

@@ -506,6 +506,20 @@ spec:
                       - secretRef
                       type: object
                     type: array
+                  tlsSecretRef:
+                    description: TlsSecretRef expects a reference to an opaque secret
+                      containing tls.crt and tls.key or/and ca.crt
+                    properties:
+                      name:
+                        description: Name of the secret.
+                        type: string
+                      namespace:
+                        description: Namespace of the secret.
+                        type: string
+                    required:
+                    - name
+                    - namespace
+                    type: object
                   url:
                     type: string
                     x-kubernetes-validations:

internal/controller/request/request.go

@@ -540,6 +540,20 @@ spec:
                       - secretRef
                       type: object
                     type: array
+                  tlsSecretRef:
+                    description: TlsSecretRef expects a reference to an opaque secret
+                      containing tls.crt and tls.key or/and ca.crt
+                    properties:
+                      name:
+                        description: Name of the secret.
+                        type: string
+                      namespace:
+                        description: Namespace of the secret.
+                        type: string
+                    required:
+                    - name
+                    - namespace
+                    type: object
                   waitTimeout:
                     description: WaitTimeout specifies the maximum time duration for
                       waiting.