Authz: folder api tls settings (#101213)

* Skip certificate verification * Add more settings for folder api
5 months ago · 74632a25c3
parent b58d616495
commit 74632a25c3
2 changed files with 20 additions and 3 deletions
--- a/pkg/services/authz/rbac.go
+++ b/pkg/services/authz/rbac.go
@ -151,20 +151,24 @@ func RegisterRBACAuthZService(
 	reg prometheus.Registerer,
 	cache cache.Cache,
 	exchangeClient authnlib.TokenExchanger,
-	folderAPIURL string,
+	cfg RBACServerSettings,
 ) {
 	var folderStore store.FolderStore
 	// FIXME: for now we default to using database read proxy for folders if the api url is not configured.
 	// we should remove this and the sql implementation once we have verified that is works correctly
-	if folderAPIURL == "" {
+	if cfg.Folder.Host == "" {
 		folderStore = store.NewSQLFolderStore(db, tracer)
 	} else {
 		folderStore = store.NewAPIFolderStore(tracer, func(ctx context.Context) (*rest.Config, error) {
 			return &rest.Config{
-				Host: folderAPIURL,
+				Host: cfg.Folder.Host,
 				WrapTransport: func(rt http.RoundTripper) http.RoundTripper {
 					return &tokenExhangeRoundTripper{te: exchangeClient, rt: rt}
 				},
+				TLSClientConfig: rest.TLSClientConfig{
+					Insecure: cfg.Folder.Insecure,
+					CAFile:   cfg.Folder.CAFile,
+				},
 				QPS:   50,
 				Burst: 100,
 			}, nil
--- a/pkg/services/authz/rbac_settings.go
+++ b/pkg/services/authz/rbac_settings.go
@ -57,3 +57,16 @@ func readAuthzClientSettings(cfg *setting.Cfg) (*authzClientSettings, error) {

 	return s, nil
 }
+
+type RBACServerSettings struct {
+	Folder FolderAPISettings
+}
+
+type FolderAPISettings struct {
+	// Host is hostname for folder api
+	Host string
+	// Insecure will skip verification of ceritificates. Should only be used for testing
+	Insecure bool
+	// CAFile is a filepath to trusted root certificates for server
+	CAFile string
+}