feat: add disableTls option for webhooks request

Signed-off-by: Juan Rodriguez <engineer.jrg@gmail.com>
2026-04-15 06:57:34 +00:00 · 2024-10-03 18:59:43 -05:00
parent 7cd14761d5
commit 3d2e0b428b
7 changed files with 63 additions and 16 deletions
--- a/pkg/controller/webhook.go
+++ b/pkg/controller/webhook.go
@@ -18,10 +18,12 @@ package controller

 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
+	"net/http"
 	"net/url"
 	"strconv"
 	"time"
@@ -32,7 +34,22 @@ import (
 	"github.com/fluxcd/flagger/pkg/canary"
 )

-func callWebhook(webhook string, payload interface{}, timeout string, retries int) error {
+func newHTTPClient(retries int, timeout time.Duration, disableTls bool) *retryablehttp.Client {
+	httpClient := retryablehttp.NewClient()
+	httpClient.RetryMax = retries
+	httpClient.Logger = nil
+	httpClient.HTTPClient.Timeout = timeout
+
+	if disableTls {
+		httpClient.HTTPClient.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+	}
+
+	return httpClient
+}
+
+func callWebhook(webhook string, payload interface{}, timeout string, retries int, disableTls bool) error {
 	payloadBin, err := json.Marshal(payload)
 	if err != nil {
 		return err
@@ -43,17 +60,6 @@ func callWebhook(webhook string, payload interface{}, timeout string, retries in
 		return err
 	}

-	httpClient := retryablehttp.NewClient()
-	httpClient.RetryMax = retries
-	httpClient.Logger = nil
-
-	req, err := retryablehttp.NewRequest("POST", hook.String(), bytes.NewBuffer(payloadBin))
-	if err != nil {
-		return err
-	}
-
-	req.Header.Set("Content-Type", "application/json")
-
 	if timeout == "" {
 		timeout = "10s"
 	}
@@ -62,7 +68,13 @@ func callWebhook(webhook string, payload interface{}, timeout string, retries in
 		return err
 	}

-	httpClient.HTTPClient.Timeout = t
+	httpClient := newHTTPClient(retries, t, disableTls)
+
+	req, err := retryablehttp.NewRequest("POST", hook.String(), bytes.NewBuffer(payloadBin))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json")

 	r, err := httpClient.Do(req)
 	if err != nil {
@@ -100,7 +112,7 @@ func CallWebhook(canary flaggerv1.Canary, phase flaggerv1.CanaryPhase, w flagger
 		w.Timeout = "10s"
 	}

-	return callWebhook(w.URL, payload, w.Timeout, w.Retries)
+	return callWebhook(w.URL, payload, w.Timeout, w.Retries, w.DisableTLS)
 }

 func CallEventWebhook(r *flaggerv1.Canary, w flaggerv1.CanaryWebhook, message, eventtype string) error {
@@ -126,7 +138,7 @@ func CallEventWebhook(r *flaggerv1.Canary, w flaggerv1.CanaryWebhook, message, e
 			payload.Metadata[key] = value
 		}
 	}
-	return callWebhook(w.URL, payload, "5s", w.Retries)
+	return callWebhook(w.URL, payload, "5s", w.Retries, w.DisableTLS)
 }

 func canaryChecksum(c flaggerv1.Canary) string {
--- a/pkg/controller/webhook_test.go
+++ b/pkg/controller/webhook_test.go
@@ -289,3 +289,22 @@ func TestCallWebhook_Retries(t *testing.T) {
 		flaggerv1.CanaryPhaseProgressing, hook)
 	require.NoError(t, err)
 }
+
+func TestCallWebhook_DisableTLS(t *testing.T) {
+	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusAccepted)
+	}))
+	defer ts.Close()
+	hook := flaggerv1.CanaryWebhook{
+		Name:       "validation",
+		URL:        ts.URL,
+		DisableTLS: true,
+	}
+
+	err := CallWebhook(
+		flaggerv1.Canary{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "podinfo", Namespace: corev1.NamespaceDefault}},
+		flaggerv1.CanaryPhaseProgressing, hook)
+	require.NoError(t, err)
+}