Skip to content

Commit

Permalink
adding support for client certificates. See: kiwigrid#334
Browse files Browse the repository at this point in the history
Signed-off-by: Syed Nihal <[email protected]>
  • Loading branch information
wasim-nihal committed Mar 18, 2024
1 parent fd64485 commit 85e09db
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 3 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,8 @@ If the filename ends with `.url` suffix, the content will be processed as a URL
| `REQ_USERNAME` | Username to use for basic authentication for requests to `REQ_URL` and for `*.url` triggered requests | false | - | string |
| `REQ_PASSWORD` | Password to use for basic authentication for requests to `REQ_URL` and for `*.url` triggered requests | false | - | string |
| `REQ_BASIC_AUTH_ENCODING` | Which encoding to use for username and password as [by default it's undefined](https://datatracker.ietf.org/doc/html/rfc7617) (e.g. `utf-8`). | false | `latin1` | string |
| `REQ_CLIENT_CERT` | [PATH] Client Certificate to be used by k8s-sidecar when communicating with the `REQ_URL` | false | - | string |
| `REQ_CLIENT_KEY` | [PATH] Client Key to be used by k8s-sidecar when communicating with the `REQ_URL` | false | - | string |
| `SCRIPT` | Absolute path to a script to execute after a configmap got reloaded. It runs before calls to `REQ_URI`. If the file is not executable it will be passed to `sh`. Otherwise it's executed as is. [Shebangs](https://en.wikipedia.org/wiki/Shebang_(Unix)) known to work are `#!/bin/sh` and `#!/usr/bin/env python` | false | - | string |
| `ERROR_THROTTLE_SLEEP` | How many seconds to wait before watching resources again when an error occurs | false | `5` | integer |
| `SKIP_TLS_VERIFY` | Set to `true` to skip tls verification for kube api calls | false | - | boolean |
Expand Down
16 changes: 13 additions & 3 deletions src/helpers.py
Original file line number Diff line number Diff line change
Expand Up @@ -134,12 +134,16 @@ def request(url, method, enable_5xx=False, payload=None):
if url is None:
logger.warning(f"No url provided. Doing nothing.")
return

client_cert, client_key = get_client_cert_and_key_paths()
if client_cert and client_key:
cert = (client_cert, client_key)
else:
cert = None
# If method is not provided use GET as default
if method == "GET" or not method:
res = r.get("%s" % url, auth=auth, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
res = r.get("%s" % url, cert=cert, auth=auth, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
elif method == "POST":
res = r.post("%s" % url, auth=auth, json=payload, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
res = r.post("%s" % url, cert=cert, auth=auth, json=payload, timeout=REQ_TIMEOUT, verify=REQ_TLS_VERIFY)
else:
logger.warning(f"Invalid REQ_METHOD: '{method}', please use 'GET' or 'POST'. Doing nothing.")
return
Expand Down Expand Up @@ -185,3 +189,9 @@ def execute(script_path):
logger.debug(f"Script exit code: {result.returncode}")
except subprocess.CalledProcessError as e:
logger.error(f"Script failed with error: {e}")


def get_client_cert_and_key_paths():
client_cert = os.getenv("REQ_CLIENT_CERT")
client_key = os.getenv("REQ_CLIENT_KEY")
return client_cert, client_key

0 comments on commit 85e09db

Please sign in to comment.