feat: enforce rule into the .spec.external.tls block to avoid insecur…

…eSkipVerify and certSecretRef be set at the same time
grafana · Jul 31, 2024 · 75433e7 · 75433e7
1 parent c1dfb7a
commit 75433e7
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 0 deletions.
diff --git a/api/v1beta1/grafana_types.go b/api/v1beta1/grafana_types.go
@@ -90,9 +90,12 @@ type External struct {
 	// AdminPassword key to talk to the external grafana instance.
 	AdminPassword *v1.SecretKeySelector `json:"adminPassword,omitempty"`
 	// TLS Configuration used to talk with the external grafana instance.
+	// +optional
 	TLS *ExternalTLSConfig `json:"tls,omitempty"`
 }
 
+// TLS Configuration to an external Grafana endpoint
+// +kubebuilder:validation:XValidation:rule="(has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))", message="insecureSkipVerify and certSecretRef cannot be set at the same time"
 type ExternalTLSConfig struct {
 	// Disable the CA check of the server
 	// +optional

diff --git a/config/crd/bases/grafana.integreatly.org_grafanas.yaml b/config/crd/bases/grafana.integreatly.org_grafanas.yaml
@@ -8277,6 +8277,11 @@ spec:
                         description: Disable the CA check of the server
                         type: boolean
                     type: object
+                    x-kubernetes-validations:
+                    - message: insecureSkipVerify and certSecretRef cannot be set
+                        at the same time
+                      rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef)))
+                        || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
                   url:
                     description: URL of the external grafana instance you want to
                       manage.

diff --git a/deploy/helm/grafana-operator/crds/grafana.integreatly.org_grafanas.yaml b/deploy/helm/grafana-operator/crds/grafana.integreatly.org_grafanas.yaml
@@ -8277,6 +8277,11 @@ spec:
                         description: Disable the CA check of the server
                         type: boolean
                     type: object
+                    x-kubernetes-validations:
+                    - message: insecureSkipVerify and certSecretRef cannot be set
+                        at the same time
+                      rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef)))
+                        || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
                   url:
                     description: URL of the external grafana instance you want to
                       manage.

diff --git a/deploy/kustomize/base/crds.yaml b/deploy/kustomize/base/crds.yaml
@@ -9726,6 +9726,11 @@ spec:
                         description: Disable the CA check of the server
                         type: boolean
                     type: object
+                    x-kubernetes-validations:
+                    - message: insecureSkipVerify and certSecretRef cannot be set
+                        at the same time
+                      rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef)))
+                        || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
                   url:
                     description: URL of the external grafana instance you want to
                       manage.

diff --git a/docs/docs/api.md b/docs/docs/api.md
@@ -18737,6 +18737,8 @@ External enables you to configure external grafana instances that is not managed
         <td>object</td>
         <td>
           TLS Configuration used to talk with the external grafana instance.<br/>
+          <br/>
+            <i>Validations</i>:<li>(has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify))): insecureSkipVerify and certSecretRef cannot be set at the same time</li>
         </td>
         <td>false</td>
       </tr></tbody>