Skip to content

Commit

Permalink
add tinkerbell-insecure-tls param to control InsecureSkipVerify
Browse files Browse the repository at this point in the history
- this allows using TLS but without verifying certificates/CAs/hostnames etc
- fix e2e tests for new tlsInsecure parameter
- add `// #nosec G402` so we can actually use InsecureSkipVerify
- make gofumpt happy

Signed-off-by: Ricardo Pardini <[email protected]>
  • Loading branch information
rpardini committed Jul 6, 2024
1 parent 376c9ae commit 1fa6c71
Show file tree
Hide file tree
Showing 4 changed files with 10 additions and 5 deletions.
2 changes: 2 additions & 0 deletions cmd/tink-worker/cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ func NewRootCommand(version string) *cobra.Command {
conn, err := client.NewClientConn(
viper.GetString("tinkerbell-grpc-authority"),
viper.GetBool("tinkerbell-tls"),
viper.GetBool("tinkerbell-insecure-tls"),

Check warning on line 60 in cmd/tink-worker/cmd/root.go

View check run for this annotation

Codecov / codecov/patch

cmd/tink-worker/cmd/root.go#L60

Added line #L60 was not covered by tests
)
if err != nil {
return err
Expand Down Expand Up @@ -104,6 +105,7 @@ func NewRootCommand(version string) *cobra.Command {
rootCmd.Flags().Int64("max-file-size", defaultMaxFileSize, "Maximum file size in bytes (MAX_FILE_SIZE)")
rootCmd.Flags().Bool("capture-action-logs", true, "Capture action container output as part of worker logs")
rootCmd.Flags().Bool("tinkerbell-tls", true, "Connect to server via TLS or not (TINKERBELL_TLS)")
rootCmd.Flags().Bool("tinkerbell-insecure-tls", false, "When connecting via TLS, enable insecure TLS via InsecureSkipVerify (TINKERBELL_INSECURE_TLS)")

Check warning on line 108 in cmd/tink-worker/cmd/root.go

View check run for this annotation

Codecov / codecov/patch

cmd/tink-worker/cmd/root.go#L108

Added line #L108 was not covered by tests
rootCmd.Flags().StringP("docker-registry", "r", "", "Sets the Docker registry (DOCKER_REGISTRY)")
rootCmd.Flags().StringP("registry-username", "u", "", "Sets the registry username (REGISTRY_USERNAME)")
rootCmd.Flags().StringP("registry-password", "p", "", "Sets the registry-password (REGISTRY_PASSWORD)")
Expand Down
1 change: 1 addition & 0 deletions cmd/virtual-worker/cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ func NewRootCommand(version string) *cobra.Command {
conn, err := client.NewClientConn(
viper.GetString("tinkerbell-grpc-authority"),
viper.GetBool("tinkerbell-tls"),
viper.GetBool("tinkerbell-insecure-tls"),

Check warning on line 54 in cmd/virtual-worker/cmd/root.go

View check run for this annotation

Codecov / codecov/patch

cmd/virtual-worker/cmd/root.go#L54

Added line #L54 was not covered by tests
)
if err != nil {
return err
Expand Down
8 changes: 5 additions & 3 deletions internal/client/client.go
Original file line number Diff line number Diff line change
@@ -1,17 +1,19 @@
package client

import (
"crypto/tls"

"github.com/pkg/errors"
"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
)

func NewClientConn(authority string, tls bool) (*grpc.ClientConn, error) {
func NewClientConn(authority string, tlsEnabled bool, tlsInsecure bool) (*grpc.ClientConn, error) {

Check warning on line 13 in internal/client/client.go

View check run for this annotation

Codecov / codecov/patch

internal/client/client.go#L13

Added line #L13 was not covered by tests
var creds grpc.DialOption
if tls {
creds = grpc.WithTransportCredentials(credentials.NewTLS(nil))
if tlsEnabled { // #nosec G402
creds = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: tlsInsecure}))

Check warning on line 16 in internal/client/client.go

View check run for this annotation

Codecov / codecov/patch

internal/client/client.go#L15-L16

Added lines #L15 - L16 were not covered by tests
} else {
creds = grpc.WithTransportCredentials(insecure.NewCredentials())
}
Expand Down
4 changes: 2 additions & 2 deletions internal/e2e/e2e_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ var _ = Describe("Tink API", func() {
}, timeout, interval).Should(Equal("STATE_PENDING"))

By("Running a virtual worker")
conn, err := client.NewClientConn(serverAddr, false)
conn, err := client.NewClientConn(serverAddr, false, false)
Expect(err).NotTo(HaveOccurred())
rClient := proto.NewWorkflowServiceClient(conn)

Expand Down Expand Up @@ -155,7 +155,7 @@ var _ = Describe("Tink API", func() {
}, timeout, interval).Should(Equal("STATE_PENDING"))

By("Getting Workflow Contexts")
conn, err := client.NewClientConn(serverAddr, false)
conn, err := client.NewClientConn(serverAddr, false, false)
Expect(err).NotTo(HaveOccurred())
rClient := proto.NewWorkflowServiceClient(conn)
workerID := hardware.Spec.Interfaces[0].DHCP.MAC
Expand Down

0 comments on commit 1fa6c71

Please sign in to comment.