feat: make APIM HTTP client timeout configurable

see https://gravitee.atlassian.net/browse/GKO-433

Author: a-cordier

helm/gko/README.md

@@ -69,6 +69,7 @@ This is where you can configure the deployment itself and the way the operator w
 | `manager.applyCRDs`                         | 👎 This feature is deprecated and will be replaced in a future release. If true, the manager will patch Custom Resource Definitions on startup. | `true`                           |
 | `manager.metrics.enabled`                   | If true, a metrics server will be created so that metrics can be scraped using prometheus.                                                      | `true`                           |
 | `manager.httpClient.insecureSkipCertVerify` | If true, the manager HTTP client will not verify the certificate used by the Management API.                                                    | `false`                          |
+| `manager.httpClient.timeoutSeconds`         | he timeout (in seconds) used when issuing request to the Management API.                                                                        | `5`                              |
 | `manager.webhook.enabled`                   | If true, the manager will register a webhook server operating on custom resources.                                                              | `true`                           |
 | `manager.webhook.service.name`              | The service used to expose the webhook server.                                                                                                  | `gko-webhook`                    |
 | `manager.webhook.service.port`              | Which port the webhook server will listen to.                                                                                                   | `9443`                           |

helm/gko/templates/manager/config.yaml

@@ -47,12 +47,13 @@ data:
   TEMPLATE_404_CONFIG_MAP_NAMESPACE: {{ $template404.namespace }}
   {{- end }}
   {{- if or .Values.manager.httpClient.insecureSkipCertVerify .Values.httpClient.insecureSkipCertVerify }}
-  INSECURE_SKIP_CERT_VERIFY: "true"
+  HTTP_CLIENT_INSECURE_SKIP_CERT_VERIFY: "true"
   {{- end }}
+  HTTP_CLIENT_TIMEOUT_SECONDS: {{ quote .Values.manager.httpClient.timeoutSeconds }}
   {{- if .Values.manager.webhook.enabled }}
   ENABLE_WEBHOOK: "true"
   WEBHOOK_CERT_SECRET_NAME: {{ .Values.manager.webhook.cert.secret.name }}
   WEBHOOK_NAMESPACE: {{ .Release.Namespace }}
   WEBHOOK_SERVICE_NAME: {{ .Values.manager.webhook.service.name }}
   WEBHOOK_SERVICE_PORT: {{ quote .Values.manager.webhook.service.port }}
-  {{- end }}
+  {{- end }}

helm/gko/values.yaml

@@ -91,6 +91,8 @@ manager:
   httpClient:
     ## @param manager.httpClient.insecureSkipCertVerify If true, the manager HTTP client will not verify the certificate used by the Management API.
     insecureSkipCertVerify: false
+    ## @param manager.httpClient.timeoutSeconds he timeout (in seconds) used when issuing request to the Management API.
+    timeoutSeconds: 5
   webhook:
     ## @param manager.webhook.enabled If true, the manager will register a webhook server operating on custom resources.
     enabled: true

internal/env/env.go

@@ -23,39 +23,42 @@ import (
 )
 
 const (
-	CMTemplate404Name      = "TEMPLATE_404_CONFIG_MAP_NAME"
-	CMTemplate404NS        = "TEMPLATE_404_CONFIG_MAP_NAMESPACE"
-	Development            = "DEV_MODE"
-	NS                     = "NAMESPACE"
-	ApplyCRDs              = "APPLY_CRDS"
-	EnableMetrics          = "ENABLE_METRICS"
-	EnableWebhook          = "ENABLE_WEBHOOK"
-	WebhookNS              = "WEBHOOK_NAMESPACE"
-	WebhookServiceName     = "WEBHOOK_SERVICE_NAME"
-	WebhookPort            = "WEBHOOK_SERVICE_PORT"
-	WebhookCertSecret      = "WEBHOOK_CERT_SECRET_NAME" //nolint:gosec // This is not a hardcoded secret
-	InsecureSkipCertVerify = "INSECURE_SKIP_CERT_VERIFY"
-	TrueString             = "true"
-	IngressClasses         = "INGRESS_CLASSES"
+	CMTemplate404Name                = "TEMPLATE_404_CONFIG_MAP_NAME"
+	CMTemplate404NS                  = "TEMPLATE_404_CONFIG_MAP_NAMESPACE"
+	Development                      = "DEV_MODE"
+	NS                               = "NAMESPACE"
+	ApplyCRDs                        = "APPLY_CRDS"
+	EnableMetrics                    = "ENABLE_METRICS"
+	EnableWebhook                    = "ENABLE_WEBHOOK"
+	WebhookNS                        = "WEBHOOK_NAMESPACE"
+	WebhookServiceName               = "WEBHOOK_SERVICE_NAME"
+	WebhookPort                      = "WEBHOOK_SERVICE_PORT"
+	WebhookCertSecret                = "WEBHOOK_CERT_SECRET_NAME" //nolint:gosec // This is not a hardcoded secret
+	HttpCLientInsecureSkipCertVerify = "HTTP_CLIENT_INSECURE_SKIP_CERT_VERIFY"
+	HttpClientTimeoutSeconds         = "HTTP_CLIENT_TIMEOUT_SECONDS"
+	TrueString                       = "true"
+	IngressClasses                   = "INGRESS_CLASSES"
 
 	// This default are applied when running the app locally.
-	defaultWebhookPort = 9443
+	defaultWebhookPort       = 9443
+	defaultHttpCLientTimeout = 5
 )
 
 var Config = struct {
-	NS                 string
-	ApplyCRDs          bool
-	EnableMetrics      bool
-	EnableWebhook      bool
-	WebhookNS          string
-	WebhookService     string
-	WebhookPort        int
-	WebhookCertSecret  string
-	Development        bool
-	CMTemplate404Name  string
-	CMTemplate404NS    string
-	InsecureSkipVerify bool
-	IngressClasses     []string
+	NS                           string
+	ApplyCRDs                    bool
+	EnableMetrics                bool
+	EnableWebhook                bool
+	WebhookNS                    string
+	WebhookService               string
+	WebhookPort                  int
+	WebhookCertSecret            string
+	Development                  bool
+	CMTemplate404Name            string
+	CMTemplate404NS              string
+	HTTPClientInsecureSkipVerify bool
+	HTTPClientTimeoutSeconds     int
+	IngressClasses               []string
 }{}
 
 func init() {
@@ -64,7 +67,8 @@ func init() {
 	Config.Development = os.Getenv(Development) == TrueString
 	Config.CMTemplate404Name = os.Getenv(CMTemplate404Name)
 	Config.CMTemplate404NS = os.Getenv(CMTemplate404NS)
-	Config.InsecureSkipVerify = os.Getenv(InsecureSkipCertVerify) == TrueString
+	Config.HTTPClientInsecureSkipVerify = os.Getenv(HttpCLientInsecureSkipCertVerify) == TrueString
+	Config.HTTPClientTimeoutSeconds = parseInt(HttpClientTimeoutSeconds, defaultHttpCLientTimeout)
 	Config.EnableMetrics = os.Getenv(EnableMetrics) == TrueString
 	Config.EnableWebhook = os.Getenv(EnableWebhook) == TrueString
 	Config.WebhookNS = os.Getenv(WebhookNS)

internal/http/http.go

@@ -25,10 +25,6 @@ import (
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/errors"
 )
 
-const (
-	requestTimeoutSeconds = 5
-)
-
 type Client struct {
 	ctx  context.Context
 	http http.Client
@@ -197,10 +193,11 @@ func NewClient(ctx context.Context, auth *Auth) *Client {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{
 		// #nosec G402
-		InsecureSkipVerify: env.Config.InsecureSkipVerify,
+		InsecureSkipVerify: env.Config.HTTPClientInsecureSkipVerify,
 	}
 
-	httpClient := http.Client{Timeout: requestTimeoutSeconds * time.Second, Transport: transport}
+	timeout := time.Duration(env.Config.HTTPClientTimeoutSeconds) * time.Second
+	httpClient := http.Client{Timeout: timeout, Transport: transport}
 
 	if auth != nil {
 		authRoundTripper := NewAuthenticatedRoundTripper(auth, transport)

main.go

@@ -120,7 +120,7 @@ func main() {
 		metricsAddr = "0" // disables metrics
 	}
 
-	if env.Config.InsecureSkipVerify {
+	if env.Config.HTTPClientInsecureSkipVerify {
 		setupLog.Info("TLS verification is skipped for APIM HTTP client")
 	}