Allowing tls config to be passed to sm login

Indulekha Prathapan · Indulekha Prathapan · commit c11206d02633 · 2025-11-18T10:38:42.000-08:00
diff --git a/internal/authctx/selfmanaged.go b/internal/authctx/selfmanaged.go
@@ -6,12 +6,14 @@ package authctx
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"net/url"
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/client/proxy"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	"go.pinniped.dev/pkg/oidcclient/pkce"
 	"go.pinniped.dev/pkg/oidcclient/state"
@@ -35,18 +37,24 @@ const (
 
 type smSession struct {
 	sharedOauthConfig             *oauth2.Config
+	tlsConfig                     *tls.Config
 	issuerURL, username, password string
 	pkceCodePair                  pkce.Code
 	stateVal                      state.State
 }
 
 // todo: proxy support is not added for the self-managed flow. Add it when there is a requirement.
-func getSMUserAuthCtx(pinnipedURL, uName, password string) (metadata map[string]string, err error) {
+func getSMUserAuthCtx(pinnipedURL, uName, password string, config *proxy.TLSConfig) (metadata map[string]string, err error) {
 	if pinnipedURL == "" || uName == "" || password == "" {
 		return nil, errors.New("Invalid auth configuration for self_managed")
 	}
 
-	session, err := initSession(pinnipedURL, uName, password)
+	tlsConfig, err := proxy.GetConnectorTLSConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	session, err := initSession(pinnipedURL, uName, password, tlsConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -111,7 +119,7 @@ func getSMUserAuthCtx(pinnipedURL, uName, password string) (metadata map[string]
 }
 
 // todo: if slowness is experienced, then we can avoid re-initialising same values again.
-func initSession(pinnipedURL, uName, password string) (*smSession, error) {
+func initSession(pinnipedURL, uName, password string, config *tls.Config) (*smSession, error) {
 	// TMC Local Pinniped sample endpoint:
 	// https://pinniped-supervisor.*******.com/provider/pinniped
 	u := url.URL{
@@ -137,6 +145,7 @@ func initSession(pinnipedURL, uName, password string) (*smSession, error) {
 
 	session := &smSession{
 		sharedOauthConfig: sharedOauthConfig,
+		tlsConfig:         config,
 		issuerURL:         issuerURL,
 		username:          uName,
 		password:          password,
@@ -192,6 +201,9 @@ func (s *smSession) initiateAuthorizeRequestUnamePwd() (*url.URL, error) {
 
 	redirected := false
 	httpClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: s.tlsConfig,
+		},
 		CheckRedirect: func(r *http.Request, via []*http.Request) error {
 			redirected = true
 			return http.ErrUseLastResponse
@@ -230,7 +242,7 @@ func (s *smSession) getAuthCodeURL() string {
 }
 
 func refreshSMUserAuthCtx(config *TanzuContext) {
-	md, _ := getSMUserAuthCtx(config.VMWCloudEndPoint, config.SMUsername, config.Token)
+	md, _ := getSMUserAuthCtx(config.VMWCloudEndPoint, config.SMUsername, config.Token, config.TLSConfig)
 	for key, value := range md {
 		config.TMCConnection.Headers.Set(key, value)
 	}
