add tinkerbell-insecure-tls param to control InsecureSkipVerify

- this allows using TLS but without verifying certificates/CAs/hostnames etc - fix e2e tests for new tlsInsecure parameter - add `// #nosec G402` so we can actually use InsecureSkipVerify - make gofumpt happy Signed-off-by: Ricardo Pardini <[email protected]>
tinkerbell · Jul 3, 2024 · e803be8 · e803be8
1 parent 7647cbc
commit e803be8
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 5 deletions.
diff --git a/cmd/tink-worker/cmd/root.go b/cmd/tink-worker/cmd/root.go
@@ -57,6 +57,7 @@ func NewRootCommand(version string) *cobra.Command {
 			conn, err := client.NewClientConn(
 				viper.GetString("tinkerbell-grpc-authority"),
 				viper.GetBool("tinkerbell-tls"),
+				viper.GetBool("tinkerbell-insecure-tls"),
 			)
 			if err != nil {
 				return err
@@ -104,6 +105,7 @@ func NewRootCommand(version string) *cobra.Command {
 	rootCmd.Flags().Int64("max-file-size", defaultMaxFileSize, "Maximum file size in bytes (MAX_FILE_SIZE)")
 	rootCmd.Flags().Bool("capture-action-logs", true, "Capture action container output as part of worker logs")
 	rootCmd.Flags().Bool("tinkerbell-tls", true, "Connect to server via TLS or not (TINKERBELL_TLS)")
+	rootCmd.Flags().Bool("tinkerbell-insecure-tls", false, "When connecting via TLS, enable insecure TLS via InsecureSkipVerify (TINKERBELL_INSECURE_TLS)")
 	rootCmd.Flags().StringP("docker-registry", "r", "", "Sets the Docker registry (DOCKER_REGISTRY)")
 	rootCmd.Flags().StringP("registry-username", "u", "", "Sets the registry username (REGISTRY_USERNAME)")
 	rootCmd.Flags().StringP("registry-password", "p", "", "Sets the registry-password (REGISTRY_PASSWORD)")

diff --git a/cmd/virtual-worker/cmd/root.go b/cmd/virtual-worker/cmd/root.go
@@ -51,6 +51,7 @@ func NewRootCommand(version string) *cobra.Command {
 			conn, err := client.NewClientConn(
 				viper.GetString("tinkerbell-grpc-authority"),
 				viper.GetBool("tinkerbell-tls"),
+				viper.GetBool("tinkerbell-insecure-tls"),
 			)
 			if err != nil {
 				return err

diff --git a/internal/client/client.go b/internal/client/client.go
@@ -1,17 +1,19 @@
 package client
 
 import (
+	"crypto/tls"
+
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-func NewClientConn(authority string, tls bool) (*grpc.ClientConn, error) {
+func NewClientConn(authority string, tlsEnabled bool, tlsInsecure bool) (*grpc.ClientConn, error) {
 	var creds grpc.DialOption
-	if tls {
-		creds = grpc.WithTransportCredentials(credentials.NewTLS(nil))
+	if tlsEnabled { // #nosec G402
+		creds = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: tlsInsecure}))
 	} else {
 		creds = grpc.WithTransportCredentials(insecure.NewCredentials())
 	}

diff --git a/internal/e2e/e2e_test.go b/internal/e2e/e2e_test.go
@@ -85,7 +85,7 @@ var _ = Describe("Tink API", func() {
 			}, timeout, interval).Should(Equal("STATE_PENDING"))
 
 			By("Running a virtual worker")
-			conn, err := client.NewClientConn(serverAddr, false)
+			conn, err := client.NewClientConn(serverAddr, false, false)
 			Expect(err).NotTo(HaveOccurred())
 			rClient := proto.NewWorkflowServiceClient(conn)
 
@@ -155,7 +155,7 @@ var _ = Describe("Tink API", func() {
 			}, timeout, interval).Should(Equal("STATE_PENDING"))
 
 			By("Getting Workflow Contexts")
-			conn, err := client.NewClientConn(serverAddr, false)
+			conn, err := client.NewClientConn(serverAddr, false, false)
 			Expect(err).NotTo(HaveOccurred())
 			rClient := proto.NewWorkflowServiceClient(conn)
 			workerID := hardware.Spec.Interfaces[0].DHCP.MAC