Add support for additional caCerts

Signed-off-by: Sebastian Sdorra <[email protected]>
scm-manager · Aug 8, 2024 · 01b684f · 01b684f
1 parent 2b42289
commit 01b684f
Show file tree

Hide file tree

Showing 13 changed files with 1,118 additions and 726 deletions.
diff --git a/applicationset/generators/pull_request.go b/applicationset/generators/pull_request.go
@@ -211,7 +211,17 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Secret token: %v", err)
 		}
-		return pullrequest.NewScmManagerService(ctx, token, providerConfig.API, providerConfig.Namespace, providerConfig.Name, providerConfig.Insecure)
+
+		var caCerts []byte
+		var prErr error
+		if providerConfig.CARef != nil {
+			caCerts, prErr = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if prErr != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", prErr)
+			}
+		}
+
+		return pullrequest.NewScmManagerService(ctx, token, providerConfig.API, providerConfig.Namespace, providerConfig.Name, providerConfig.Insecure, g.scmRootCAPath, caCerts)
 	}
 	return nil, fmt.Errorf("no Pull Request provider implementation configured")
 }

diff --git a/applicationset/generators/scm_provider.go b/applicationset/generators/scm_provider.go
@@ -224,11 +224,22 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			return nil, fmt.Errorf("error initializing AWS codecommit service: %w", awsErr)
 		}
 	} else if providerConfig.ScmManager != nil {
-		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.ScmManager.TokenRef, applicationSetInfo.Namespace)
+		providerConfig := providerConfig.ScmManager
+		var caCerts []byte
+		var scmError error
+		if providerConfig.CARef != nil {
+			caCerts, scmError = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if scmError != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", scmError)
+			}
+		}
+
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching SCM-Manager token: %v", err)
 		}
-		provider, err = scm_provider.NewScmManagerProvider(ctx, token, providerConfig.ScmManager.API, providerConfig.ScmManager.AllBranches, providerConfig.ScmManager.Insecure, g.scmRootCAPath)
+
+		provider, err = scm_provider.NewScmManagerProvider(ctx, token, providerConfig.API, providerConfig.AllBranches, providerConfig.Insecure, g.scmRootCAPath, caCerts)
 		if err != nil {
 			return nil, fmt.Errorf("error initializing SCM-Manager provider: %v", err)
 		}

diff --git a/applicationset/services/pull_request/scm-manager.go b/applicationset/services/pull_request/scm-manager.go
@@ -2,9 +2,8 @@ package pull_request
 
 import (
 	"context"
-	"crypto/tls"
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"net/http"
-	"net/http/cookiejar"
 	"os"
 	"strconv"
 
@@ -19,24 +18,21 @@ type ScmManagerService struct {
 
 var _ PullRequestService = (*ScmManagerService)(nil)
 
-func NewScmManagerService(ctx context.Context, token, url, namespace, name string, insecure bool) (PullRequestService, error) {
+func NewScmManagerService(ctx context.Context, token, url, namespace, name string, insecure bool, scmRootCAPath string, caCerts []byte) (PullRequestService, error) {
 	if token == "" {
 		token = os.Getenv("SCMM_TOKEN")
 	}
+
 	httpClient := &http.Client{}
-	if insecure {
-		cookieJar, _ := cookiejar.New(nil)
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.TLSClientConfig = utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
+	httpClient.Transport = tr
 
-		httpClient = &http.Client{
-			Jar: cookieJar,
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			}}
-	}
 	client, err := scmm.NewClient(url, token)
 	if err != nil {
 		return nil, err
 	}
+
 	client.SetHttpClient(httpClient)
 	return &ScmManagerService{
 		client:    client,

diff --git a/applicationset/services/scm_provider/scm-manager.go b/applicationset/services/scm_provider/scm-manager.go
@@ -18,13 +18,13 @@ type ScmManagerProvider struct {
 
 var _ SCMProviderService = &ScmManagerProvider{}
 
-func NewScmManagerProvider(ctx context.Context, token, url string, allBranches, insecure bool, scmRootCAPath string) (*ScmManagerProvider, error) {
+func NewScmManagerProvider(ctx context.Context, token, url string, allBranches, insecure bool, scmRootCAPath string, caCerts []byte) (*ScmManagerProvider, error) {
 	if token == "" {
 		token = os.Getenv("SCMM_TOKEN")
 	}
 	httpClient := &http.Client{}
 	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.TLSClientConfig = utils.GetTlsConfig(scmRootCAPath, insecure)
+	tr.TLSClientConfig = utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
 	httpClient.Transport = tr
 
 	client, err := scmm.NewClient(url, token)

diff --git a/assets/swagger.json b/assets/swagger.json
diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml
diff --git a/manifests/crds/applicationset-crd.yaml b/manifests/crds/applicationset-crd.yaml