feature: Add 'caCertificate' parameter to Minio EventSource (#2903)

Signed-off-by: Ross Golder <ross@golder.org>
argoproj · Nov 16, 2023 · 6d982b3 · 6d982b3
1 parent d6ec145
commit 6d982b3
Show file tree

Hide file tree

Showing 8 changed files with 194 additions and 92 deletions.
diff --git a/api/jsonschema/schema.json b/api/jsonschema/schema.json
@@ -111,6 +111,9 @@
         "bucket": {
           "$ref": "#/definitions/io.argoproj.common.S3Bucket"
         },
+        "caCertificate": {
+          "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector"
+        },
         "endpoint": {
           "type": "string"
         },

diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
diff --git a/eventsources/sources/minio/start.go b/eventsources/sources/minio/start.go
@@ -18,8 +18,11 @@ package minio
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"time"
 
 	"github.com/minio/minio-go/v7"
@@ -80,10 +83,35 @@ func (el *EventListener) StartListening(ctx context.Context, dispatch func([]byt
 		return fmt.Errorf("failed to retrieve the secret key for event source %s, %w", el.GetEventName(), err)
 	}
 
-	log.Info("setting up a minio client...")
-	minioClient, err := minio.New(minioEventSource.Endpoint, &minio.Options{
-		Creds: credentials.NewStaticV4(accessKey, secretKey, ""), Secure: !minioEventSource.Insecure})
-	if err != nil {
+	var minioClient *minio.Client
+	var clientErr error
+	if minioEventSource.CACertificate != nil {
+		log.Info("retrieving CA certificate...")
+		caCertificate, err := common.GetSecretFromVolume(minioEventSource.CACertificate)
+		if err != nil {
+			return fmt.Errorf("failed to get the CA certificate for event source %s, %w", el.GetEventName(), err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(caCertificate))
+		tlsConfig := &tls.Config{
+			RootCAs: caCertPool,
+		}
+		log.Info("setting up a minio client with custom CA...")
+		minioClient, clientErr = minio.New(minioEventSource.Endpoint, &minio.Options{
+			Creds:  credentials.NewStaticV4(accessKey, secretKey, ""),
+			Secure: !minioEventSource.Insecure,
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+			},
+		})
+	} else {
+		log.Info("setting up a minio client...")
+		minioClient, clientErr = minio.New(minioEventSource.Endpoint, &minio.Options{
+			Creds:  credentials.NewStaticV4(accessKey, secretKey, ""),
+			Secure: !minioEventSource.Insecure,
+		})
+	}
+	if clientErr != nil {
 		return fmt.Errorf("failed to create a client for event source %s, %w", el.GetEventName(), err)
 	}
 

diff --git a/pkg/apis/common/deepcopy_generated.go b/pkg/apis/common/deepcopy_generated.go
diff --git a/pkg/apis/common/generated.pb.go b/pkg/apis/common/generated.pb.go
diff --git a/pkg/apis/common/generated.proto b/pkg/apis/common/generated.proto
diff --git a/pkg/apis/common/openapi_generated.go b/pkg/apis/common/openapi_generated.go
diff --git a/pkg/apis/common/s3.go b/pkg/apis/common/s3.go
@@ -32,6 +32,8 @@ type S3Artifact struct {
 	Events   []string          `json:"events,omitempty" protobuf:"bytes,7,rep,name=events"`
 	Filter   *S3Filter         `json:"filter,omitempty" protobuf:"bytes,8,opt,name=filter"`
 	Metadata map[string]string `json:"metadata,omitempty" protobuf:"bytes,9,opt,name=metadata"`
+
+	CACertificate *corev1.SecretKeySelector `json:"caCertificate,omitempty" protobuf:"bytes,10,opt,name=caCertificate"`
 }
 
 // S3Bucket contains information to describe an S3 Bucket