-
Notifications
You must be signed in to change notification settings - Fork 332
add insecureSkipVerify to http source type #4167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 9 commits
9fea512
3bdcb7f
8e9ba34
4649eeb
02e1bee
8b34ebd
2aea8ad
32285f2
d7620a4
e73d9a4
ab32873
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| # This example assumes you are using a default storage class | ||
| apiVersion: cdi.kubevirt.io/v1beta1 | ||
| kind: DataVolume | ||
| metadata: | ||
| name: my-data-volume | ||
| spec: | ||
| source: | ||
| http: | ||
| url: "https://172.16.15.6/iso/cirros-0.4.0-x86_64-disk.img" | ||
| insecureSkipVerify: true | ||
| storage: | ||
| resources: | ||
| requests: | ||
| storage: 500Mi |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -713,9 +713,9 @@ func (r *ImportReconciler) createImportEnvVar(pvc *corev1.PersistentVolumeClaim) | |
| } | ||
|
|
||
| func (r *ImportReconciler) isInsecureTLS(pvc *corev1.PersistentVolumeClaim, cdiConfig *cdiv1.CDIConfig) (bool, error) { | ||
| // Check if insecureSkipVerify annotation is set (only applicable for ImageIO sources) | ||
| // Check if insecureSkipVerify annotation is set (only applicable for ImageIO sources and HTTP sources) | ||
| source, sourceOk := pvc.Annotations[cc.AnnSource] | ||
| if sourceOk && source == cc.SourceImageio { | ||
| if sourceOk && (source == cc.SourceImageio || source == cc.SourceHTTP) { | ||
| if insecureSkipVerify, ok := pvc.Annotations[cc.AnnInsecureSkipVerify]; ok && insecureSkipVerify == "true" { | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Some unit tests for this would also be great, specifically that no AnnInsecureSkipVerify results in no env var for TLS bypass. Just trying to cover everything that guards the runtime importer app receiving insecure=true
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I have also written a test here: 2aea8ad with the help of AI. I think that does what you are suggesting.
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is good! I was hoping to assert on the resulting pod env vars though to cover more ground. We should have existing tests that do something along the lines of _, err := reconciler.Reconcile(context.TODO(), reconcile.Request{NamespacedName: types.NamespacedName{Name: "testPvc1", Namespace: "default"}})
Expect(err).ToNot(HaveOccurred())
pod := &corev1.Pod{}
err = reconciler.client.Get(context.TODO(), types.NamespacedName{Name: "importer-testPvc1", Namespace: "default"}, pod)
<ASSERTION>
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I am attempting to re-write the test as you are looking for. Before I move forward with the other unit test, can you review this to see if it is what you were looking for. fixed the issue with my first unit test If this is the proper direction, I will review the unit test for
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah this was the direction. I was looking for something along those lines:
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK, I have integrated that into the most recent change. I think we are all set. Thank you for your continued assistance. |
||
| return true, nil | ||
| } | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -84,14 +84,13 @@ | |
| contentLength uint64 | ||
| // checksumValidator validates the checksum of downloaded data | ||
| checksumValidator *ChecksumValidator | ||
|
|
||
| n image.NbdkitOperation | ||
| n image.NbdkitOperation | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. my editor corrects this back, how come you had to pad the spaces?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Its funny, my editor puts all the spaces in. Even when I remove them, it puts them back. (vscode). If you want I will edit the file outside vscode and commit to remove this change.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I dug into this, its |
||
| } | ||
|
|
||
| var createNbdkitCurl = image.NewNbdkitCurl | ||
|
|
||
| // NewHTTPDataSource creates a new instance of the http data provider. | ||
| func NewHTTPDataSource(endpoint, accessKey, secKey, certDir string, contentType cdiv1.DataVolumeContentType, checksum string) (*HTTPDataSource, error) { | ||
| func NewHTTPDataSource(endpoint, accessKey, secKey, certDir string, contentType cdiv1.DataVolumeContentType, checksum string, insecureSkipVerify bool) (*HTTPDataSource, error) { | ||
| ep, err := ParseEndpoint(endpoint) | ||
| if err != nil { | ||
| return nil, errors.Wrapf(err, "unable to parse endpoint %q", endpoint) | ||
|
|
@@ -104,7 +103,7 @@ | |
| return nil, errors.Wrap(err, "Error getting extra headers for HTTP client") | ||
| } | ||
|
|
||
| httpReader, contentLength, brokenForQemuImg, err := createHTTPReader(ctx, ep, accessKey, secKey, certDir, extraHeaders, secretExtraHeaders, contentType) | ||
| httpReader, contentLength, brokenForQemuImg, err := createHTTPReader(ctx, ep, accessKey, secKey, certDir, extraHeaders, secretExtraHeaders, contentType, insecureSkipVerify) | ||
| if err != nil { | ||
| cancel() | ||
| return nil, err | ||
|
|
@@ -365,9 +364,9 @@ | |
| req.Header.Add("User-Agent", defaultUserAgent) | ||
| } | ||
|
|
||
| func createHTTPReader(ctx context.Context, ep *url.URL, accessKey, secKey, certDir string, extraHeaders, secretExtraHeaders []string, contentType cdiv1.DataVolumeContentType) (io.ReadCloser, uint64, bool, error) { | ||
| func createHTTPReader(ctx context.Context, ep *url.URL, accessKey, secKey, certDir string, extraHeaders, secretExtraHeaders []string, contentType cdiv1.DataVolumeContentType, insecureSkipVerify bool) (io.ReadCloser, uint64, bool, error) { | ||
|
Check warning on line 367 in pkg/importer/http-datasource.go
|
||
| var brokenForQemuImg bool | ||
| client, err := createHTTPClient(certDir, false) | ||
| client, err := createHTTPClient(certDir, insecureSkipVerify) | ||
| if err != nil { | ||
| return nil, uint64(0), false, errors.Wrap(err, "Error creating http client") | ||
| } | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we get some unit tests that validate
AnnInsecureSkipVerifyis correctly set whenInsecureSkipVerifyis true, or correctly absent when nil/false?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I think I now have this covered here: 8b34ebd Please be sure to take a close look, writing unit tests is NOT a strength of mine, so I relied on the help of AI to build this.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is also a solid unit test, but I think we could take a similar approach to my suggestion #4167 (comment) in
pkg/controller/populators/import-populator_test.goThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For this unit test, I feel like we are testing at the proper level... reviewing the rest of the tests for this package none of them appear to be going through the process of checking the environment variables assigned to a pod. While I agree testing for this in the import-controller makes sense, since this is a helper package/function should we not just be testing the results of calling the helper function? Perhaps I am misunderstanding how you would like me to test this. Please advise and thanks for the assistance.