Add TLS option for webhook

Author: Seungwon Lee

cmd/webhook.go

@@ -17,6 +17,8 @@ limitations under the License.
 package cmd
 
 import (
+	"strconv"
+
 	"github.com/bitnami-labs/kubewatch/config"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -42,6 +44,30 @@ var webhookConfigCmd = &cobra.Command{
 			logrus.Fatal(err)
 		}
 
+		cert, err := cmd.Flags().GetString("cert")
+		if err == nil {
+			if len(cert) > 0 {
+				conf.Handler.Webhook.Cert = cert
+			}
+		} else {
+			logrus.Fatal(err)
+		}
+
+		tlsSkip, err := cmd.Flags().GetString("tlsskip")
+		if err == nil {
+			if len(tlsSkip) > 0 {
+				skip, err := strconv.ParseBool(tlsSkip)
+				if err != nil {
+					logrus.Fatal(err)
+				}
+				conf.Handler.Webhook.TlsSkip = skip
+			} else {
+				conf.Handler.Webhook.TlsSkip = false
+			}
+		} else {
+			logrus.Fatal(err)
+		}
+
 		if err = conf.Write(); err != nil {
 			logrus.Fatal(err)
 		}
@@ -50,4 +76,6 @@ var webhookConfigCmd = &cobra.Command{
 
 func init() {
 	webhookConfigCmd.Flags().StringP("url", "u", "", "Specify Webhook url")
+	webhookConfigCmd.Flags().StringP("cert", "", "", "Specify Webhook cert path")
+	webhookConfigCmd.Flags().StringP("tlsskip", "", "", "Specify whether Webhook skips tls verify; TRUE or FALSE")
 }

config/config.go

@@ -119,7 +119,9 @@ type Flock struct {
 // Webhook contains webhook configuration
 type Webhook struct {
 	// Webhook URL.
-	Url string `json:"url"`
+	Url     string `json:"url"`
+	Cert    string `json:"cert"`
+	TlsSkip bool   `json:"tlsskip"`
 }
 
 // CloudEvent contains CloudEvent configuration

config/sample.go

@@ -26,6 +26,10 @@ handler:
   webhook:
     # Webhook URL.
     url: ""
+    # Whether skip tls or not.
+    tlsskip: ""
+    # Path of webhook cert. Default value is false.
+    cert: ""
   cloudevent:
     # CloudEvent webhook URL.
     url: ""

examples/conf/kubewatch.conf.webhook.yaml

@@ -13,7 +13,9 @@ handler:
   flock:
     url: ""
   webhook:
-    url: "http://localhost:8080"
+    url: "https://localhost:443"
+    tlsskip: false
+    cert: "/root/tls/ca.crt"
 resource:
   deployment: false
   replicationcontroller: false

pkg/handlers/webhook/webhook.go

@@ -17,7 +17,10 @@ limitations under the License.
 package webhook
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"os"
 
@@ -66,13 +69,36 @@ type EventMeta struct {
 // Init prepares Webhook configuration
 func (m *Webhook) Init(c *config.Config) error {
 	url := c.Handler.Webhook.Url
+	cert := c.Handler.Webhook.Cert
+	tlsSkip := c.Handler.Webhook.TlsSkip
 
 	if url == "" {
 		url = os.Getenv("KW_WEBHOOK_URL")
 	}
+	if cert == "" {
+		cert = os.Getenv("KW_WEBHOOK_CERT")
+	}
 
 	m.Url = url
 
+	if tlsSkip {
+		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	} else {
+		if cert == "" {
+			log.Printf("No webhook cert is given")
+		} else {
+			caCert, err := ioutil.ReadFile(cert)
+			if err != nil {
+				log.Printf("%s\n", err)
+				return err
+			}
+			caCertPool := x509.NewCertPool()
+			caCertPool.AppendCertsFromPEM(caCert)
+			http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{RootCAs: caCertPool}
+		}
+
+	}
+
 	return checkMissingWebhookVars(m)
 }