Allow skipping TLS verification for requests to Grafana
Fixes #261
lorenzo-biava committed Mar 10, 2023
1 parent 5e1127f commit f365d9b
Showing 2 changed files with 11 additions and 2 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -80,6 +80,8 @@ If the filename ends with `.url` suffix, the content will be processed as a URL
| `SCRIPT` | Absolute path to shell script to execute after a configmap got reloaded. It runs before calls to `REQ_URI` | false | - | string |
| `ERROR_THROTTLE_SLEEP` | How many seconds to wait before watching resources again when an error occurs | false | `5` | integer |
| `SKIP_TLS_VERIFY` | Set to `true` to skip tls verification for kube api calls | false | - | boolean |
| `SKIP_GRAFANA_TLS_VERIFY` | Set to `true` to skip tls verification for Grafana api calls (for reloading certain resources).
Note that the latest 'requests' library no longer offer a way to disable this via env vars; however a custom truststore can be set via EQUESTS_CA_BUNDLE. | false | - | boolean |
| `UNIQUE_FILENAMES` | Set to true to produce unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | false | `false` | boolean |
| `DEFAULT_FILE_MODE` | The default file system permission for every file. Use three digits (e.g. '500', '440', ...) | false | - | string |
| `KUBECONFIG` | if this is given and points to a file or `~/.kube/config` is mounted k8s config will be loaded from this file, otherwise "incluster" k8s configuration is tried. | false | - | string |
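Review bot: The added `SKIP_GRAFANA_TLS_VERIFY` row is broken across two lines, so the text from "Note that the latest 'requests' library..." onward falls outside the table row and the `| false | - | boolean |` columns end up on the continuation line. That continuation also names `EQUESTS_CA_BUNDLE`, which is missing its leading `R` (the comment in src/helpers.py in this same commit says `REQUESTS_CA_BUNDLE`). Keep the row on a single line and fix the variable name. Because this switch turns off certificate checking, the description should also say that supplying a CA bundle via `REQUESTS_CA_BUNDLE` is the option to try first and this flag is the fallback.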
11 changes: 9 additions & 2 deletions src/helpers.py
Expand Up @@ -23,6 +23,13 @@
os.getenv("REQ_RETRY_BACKOFF_FACTOR"))
REQ_TIMEOUT = 10 if os.getenv("REQ_TIMEOUT") is None else float(os.getenv("REQ_TIMEOUT"))

# Allows to suppress TLS verification for HTTPs requests to Grafana
# This is particularly useful since the connection happens as "localhost"
# and most likely the TLS cert offered by Grafana will have an external URL.
# Note that the latest 'requests' library no longer offer a way to disable this via
# env vars; however a custom truststore can be set via REQUESTS_CA_BUNDLE
REQ_TLS_VERIFY = False if os.getenv("SKIP_GRAFANA_TLS_VERIFY") == "true" else None

# Tune default timeouts as outlined in
# https://github.com/kubernetes-client/python/issues/1148#issuecomment-626184613
# https://github.com/kubernetes-client/python/blob/master/examples/watch/timeout-settings.md
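Review bot: `REQ_TLS_VERIFY` becomes `False` only on an exact, case-sensitive match with `"true"`, and nothing is logged when it does. Values such as `True` or `1` silently leave verification on (a safe failure, but confusing to debug), and someone reading the sidecar logs gets no sign from this code that certificate checks are off. Consider normalising the value before comparing and writing a single warning log line at startup when verification is disabled. The comment justifies the flag with a hostname mismatch on "localhost", but `verify=False` also drops certificate chain validation, which is worth stating next to the `REQUESTS_CA_BUNDLE` hint.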
Expand Down Expand Up @@ -127,9 +134,9 @@ def request(url, method, enable_5xx=False, payload=None):

# If method is not provided use GET as default
if method == "GET" or not method:
res = r.get("%s" % url, auth=auth, timeout=REQ_TIMEOUT)
res = r.get("%s" % url, auth=auth, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
elif method == "POST":
res = r.post("%s" % url, auth=auth, json=payload, timeout=REQ_TIMEOUT)
res = r.post("%s" % url, auth=auth, json=payload, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
else:
logger.warning(f"Invalid REQ_METHOD: '{method}', please use 'GET' or 'POST'. Doing nothing.")
return
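Review bot: `verify=REQ_TLS_VERIFY` is applied inside the generic `request(url, method, ...)` helper, so the Grafana-named flag disables certificate checks for whatever `url` is passed in, and both calls send `auth=auth` (plus `json=payload` on POST) over that unverified connection. Either document that `SKIP_GRAFANA_TLS_VERIFY` affects every request made through this helper, or limit the bypass to the case the comment in this commit describes (a "localhost" target). As a style point, the `get` and `post` calls now repeat the same `timeout` and `verify` keywords; building those once and sharing them between the two branches would keep them from drifting apart.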