From b7b1dd88a4ad550942b715b72d7edf3efe81835f Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 10 Jul 2024 18:52:13 -0700
Subject: [PATCH] Skip tls verification, if IP address is used for baseURL host

Signed-off-by: Tamal Saha
---
 pkg/controllers/prometheus/client.go | 15 ++++++++++++++-
 pkg/grafana/builder.go | 11 +++++++++++
 pkg/grafana/client.go | 11 +++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/pkg/controllers/prometheus/client.go b/pkg/controllers/prometheus/client.go
index 0fac9a152..d88c1054a 100644
--- a/pkg/controllers/prometheus/client.go
+++ b/pkg/controllers/prometheus/client.go
@@ -21,7 +21,9 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"io"
+	"net"
 	"net/http"
+	"net/url"
 	"path"
 
 	"go.openviz.dev/apimachinery/apis/openviz"
@@ -53,7 +55,18 @@ func NewClient(baseURL, token string, caCert []byte) (*Client, error) {
 		caCert: caCert,
 	}
 	if len(caCert) == 0 {
-		c.client = http.DefaultClient
+		u, err := url.Parse(baseURL)
+		if err != nil {
+			return nil, err
+		}
+		// use InsecureSkipVerify, if IP address is used for baseURL host
+		if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" {
+			customTransport := http.DefaultTransport.(*http.Transport).Clone()
+			customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			c.client = &http.Client{Transport: customTransport}
+		} else {
+			c.client = http.DefaultClient
+		}
 	} else {
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM(caCert)
diff --git a/pkg/grafana/builder.go b/pkg/grafana/builder.go
index 8a8183f71..2f592ae00 100644
--- a/pkg/grafana/builder.go
+++ b/pkg/grafana/builder.go
@@ -18,7 +18,10 @@ package grafana
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
+	"net"
+	"net/url"
 	"sync"
 
 	sdk "go.openviz.dev/grafana-sdk"
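Review bot: The new `InsecureSkipVerify: true` branch in NewClient switches off certificate chain validation together with the host-name check for every `https://<ip>` baseURL, so a client built without a caCert accepts any certificate presented on that connection, and nothing is logged or returned to tell the operator that this downgrade happened. An IP-literal host does not by itself need this: a server certificate that carries the IP in its SANs verifies normally, and a private CA is already covered by the caCert branch below. If the intent is only to tolerate a host-name mismatch, keep the chain check by pairing `InsecureSkipVerify` with a `VerifyConnection` callback that verifies the presented chain against the system roots (crypto/tls rejects a server that sends no certificate before `VerifyConnection` runs, so indexing `cs.PeerCertificates[0]` there is safe); the same concern applies to the pkg/grafana/builder.go and pkg/grafana/client.go hunks. The remainder of NewClient lies outside the hunk.
```go
		if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" {
			customTransport := http.DefaultTransport.(*http.Transport).Clone()
			// Relax only the host-name check for IP-literal hosts; the chain
			// is still verified against the system roots in VerifyConnection.
			customTransport.TLSClientConfig = &tls.Config{
				InsecureSkipVerify: true,
				VerifyConnection: func(cs tls.ConnectionState) error {
					opts := x509.VerifyOptions{Intermediates: x509.NewCertPool()}
					for _, cert := range cs.PeerCertificates[1:] {
						opts.Intermediates.AddCert(cert)
					}
					_, err := cs.PeerCertificates[0].Verify(opts)
					return err
				},
			}
			c.client = &http.Client{Transport: customTransport}
		// … unchanged: else branch falling back to http.DefaultClient …
```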
@@ -194,6 +197,14 @@ func (r *ClientBuilder) GetGrafanaClient() (*sdk.Client, error) {
 	if cfg.TLS != nil && len(cfg.TLS.CABundle) > 0 {
 		httpClient.SetRootCertificateFromString(string(cfg.TLS.CABundle))
 	}
+	u, err := url.Parse(r.cfg.Addr)
+	if err != nil {
+		return nil, err
+	}
+	// use InsecureSkipVerify, if IP address is used for baseURL host
+	if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" {
+		httpClient.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+	}
 
 	gc, err := sdk.NewClient(r.cfg.Addr, r.cfg.AuthConfig, httpClient)
 	if err != nil {
diff --git a/pkg/grafana/client.go b/pkg/grafana/client.go
index 66b09ce62..098810dab 100644
--- a/pkg/grafana/client.go
+++ b/pkg/grafana/client.go
@@ -18,6 +18,9 @@ package grafana
 
 import (
 	"context"
+	"crypto/tls"
+	"net"
+	"net/url"
 
 	openvizapi "go.openviz.dev/apimachinery/apis/openviz/v1alpha1"
 	sdk "go.openviz.dev/grafana-sdk"
@@ -56,6 +59,14 @@ func newGrafanaClient(ctx context.Context, kc client.Client, ab *appcatalog.AppB
 	if cfg.TLS != nil && len(cfg.TLS.CABundle) > 0 {
 		httpClient.SetRootCertificateFromString(string(cfg.TLS.CABundle))
 	}
+	u, err := url.Parse(cfg.Addr)
+	if err != nil {
+		return nil, err
+	}
+	// use InsecureSkipVerify, if IP address is used for baseURL host
+	if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" {
+		httpClient.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+	}
 
 	return sdk.NewClient(cfg.Addr, cfg.AuthConfig, httpClient)
 }
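Review bot: In GetGrafanaClient the new `httpClient.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})` runs after `SetRootCertificateFromString`, so for an `https://<ip>` address that also has a CA bundle configured the bundle appears to be replaced by a config that verifies nothing — if `SetTLSClientConfig` overwrites the transport's TLS config as the resty method of that name does (confirm for this httpClient type), the one case where the operator supplied the means to verify ends up with the weakest setting; the pkg/grafana/client.go hunk below has the same ordering. At minimum the skip should not apply when a bundle is present, e.g. `if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" && (cfg.TLS == nil || len(cfg.TLS.CABundle) == 0) {`, and better still keep chain verification and relax only the host-name check through a `VerifyConnection` callback rather than disabling validation outright. This hunk also parses `r.cfg.Addr` while the CA check reads `cfg.TLS`; presumably `cfg` is derived from `r.cfg` above the hunk, but it is worth confirming both refer to the same endpoint. GetGrafanaClient begins outside the hunk and continues past it.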