client: support GRPC insecure mode

Signed-off-by: Nahum Shalman <[email protected]>
tinkerbell · Dec 10, 2021 · a476bc2 · a476bc2
1 parent b18b238
commit a476bc2
Showing 1 changed file with 37 additions and 13 deletions.
diff --git a/client/main.go b/client/main.go
@@ -6,6 +6,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strconv"
 
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
@@ -44,11 +45,13 @@ func NewFullClient(conn grpc.ClientConnInterface) *FullClient {
 type ConnOptions struct {
 	CertURL       string
 	GRPCAuthority string
+	Insecure      bool
 }
 
 func (o *ConnOptions) SetFlags(flagSet *pflag.FlagSet) {
 	flagSet.StringVar(&o.CertURL, "tinkerbell-cert-url", "http://127.0.0.1:42114/cert", "The URL where the certificate is located")
 	flagSet.StringVar(&o.GRPCAuthority, "tinkerbell-grpc-authority", "127.0.0.1:42113", "Link to tink-server grcp api")
+	flagSet.BoolVar(&o.Insecure, "insecure", false, "Run in insecure mode (no TLS)")
 }
 
 // This function is bad and ideally should be removed, but for now it moves all the bad into one place.
@@ -62,24 +65,35 @@ func grpcCredentialFromCertEndpoint(url string) (credentials.TransportCredential
 		return nil, errors.Wrap(err, "fetch cert")
 	}
 	defer resp.Body.Close()
+
 	certs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, errors.Wrap(err, "read cert")
 	}
+
 	cp := x509.NewCertPool()
 	ok := cp.AppendCertsFromPEM(certs)
 	if !ok {
 		return nil, errors.Wrap(err, "parse cert")
 	}
+
 	return credentials.NewClientTLSFromCert(cp, ""), nil
 }
 
 func NewClientConn(opt *ConnOptions) (*grpc.ClientConn, error) {
-	creds, err := grpcCredentialFromCertEndpoint(opt.CertURL)
-	if err != nil {
-		return nil, errors.Wrap(err, "obtain trusted certificate")
+	method := grpc.WithInsecure()
+	if !opt.Insecure {
+		creds, err := grpcCredentialFromCertEndpoint(opt.CertURL)
+		if err != nil {
+			return nil, err
+		}
+		method = grpc.WithTransportCredentials(creds)
 	}
-	conn, err := grpc.Dial(opt.GRPCAuthority, grpc.WithTransportCredentials(creds))
+	conn, err := grpc.Dial(opt.GRPCAuthority,
+		method,
+		grpc.WithUnaryInterceptor(otelgrpc.UnaryClientInterceptor()),
+		grpc.WithStreamInterceptor(otelgrpc.StreamClientInterceptor()),
+	)
 	if err != nil {
 		return nil, errors.Wrap(err, "connect to tinkerbell server")
 	}
@@ -88,22 +102,32 @@ func NewClientConn(opt *ConnOptions) (*grpc.ClientConn, error) {
 
 // GetConnection returns a gRPC client connection.
 func GetConnection() (*grpc.ClientConn, error) {
-	certURL := os.Getenv("TINKERBELL_CERT_URL")
-	if certURL == "" {
-		return nil, errors.New("undefined TINKERBELL_CERT_URL")
-	}
-
 	grpcAuthority := os.Getenv("TINKERBELL_GRPC_AUTHORITY")
 	if grpcAuthority == "" {
 		return nil, errors.New("undefined TINKERBELL_GRPC_AUTHORITY")
 	}
 
-	creds, err := grpcCredentialFromCertEndpoint(certURL)
-	if err != nil {
-		return nil, errors.Wrap(err, "obtain trusted certificate")
+	method := grpc.WithInsecure()
+	insecure := false
+	if val, isSet := os.LookupEnv("TINKERBELL_INSECURE"); isSet {
+		if b, err := strconv.ParseBool(val); err == nil {
+			insecure = b
+		}
+	}
+
+	if !insecure {
+		certURL := os.Getenv("TINKERBELL_CERT_URL")
+		if certURL == "" {
+			return nil, errors.New("undefined TINKERBELL_CERT_URL")
+		}
+		creds, err := grpcCredentialFromCertEndpoint(certURL)
+		if err != nil {
+			return nil, err
+		}
+		method = grpc.WithTransportCredentials(creds)
 	}
 	conn, err := grpc.Dial(grpcAuthority,
-		grpc.WithTransportCredentials(creds),
+		method,
 		grpc.WithUnaryInterceptor(otelgrpc.UnaryClientInterceptor()),
 		grpc.WithStreamInterceptor(otelgrpc.StreamClientInterceptor()),
 	)