Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add tinkerbell-insecure-tls param to control InsecureSkipVerify #960

Merged
merged 1 commit into from
Jul 9, 2024
Merged

add tinkerbell-insecure-tls param to control InsecureSkipVerify #960

merged 1 commit into from
Jul 9, 2024

Conversation

rpardini
Copy link
Contributor

@rpardini rpardini commented Jul 3, 2024
edited
Loading

add tinkerbell-insecure-tls param to control InsecureSkipVerify

  • this allows using TLS but without verifying certificates/CAs/hostnames etc
  • fix e2e tests for new tlsInsecure parameter
  • add // #nosec G402 so we can actually use InsecureSkipVerify
  • make gofumpt happy

Signed-off-by: Ricardo Pardini [email protected]

@rpardini
Copy link
Contributor Author

rpardini commented Jul 3, 2024

Small justification here: when using an Ingress in front of tink (eg: ingress-nginx), having TLS enabled is essential, as non-TLS gRPC is generally not supported by Ingresses (as it would require disabling http/1.1 support in favor of http/2 on port 80). But enabling TLS before this implied the full TLS verification as well (CA/certs/CN+SAN matching etc). This allows to have TLS enabled, but with InsecureSkipVerify. It defaults to false so no unexpected changes should be introduced.

@rpardini rpardini force-pushed the add-tls-insecure branch from 9306325 to e803be8 Compare July 3, 2024 13:35
@rpardini
Copy link
Contributor Author

rpardini commented Jul 3, 2024

updated after making CI pass (gofumpt, gosec, etc)

@rpardini
Copy link
Contributor Author

rpardini commented Jul 3, 2024

Reference kubernetes/ingress-nginx#3897

@codecov Codecov
Copy link

codecov bot commented Jul 3, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.

Project coverage is 28.00%. Comparing base (376c9ae) to head (1fa6c71).

Files Patch % Lines
internal/client/client.go 0.00% 3 Missing ⚠️
cmd/tink-worker/cmd/root.go 0.00% 2 Missing ⚠️
cmd/virtual-worker/cmd/root.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #960      +/-   ##
==========================================
- Coverage   28.02%   28.00%   -0.03%     
==========================================
  Files          70       70              
  Lines        3486     3489       +3     
==========================================
  Hits          977      977              
- Misses       2447     2450       +3     
  Partials       62       62

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@rpardini
add tinkerbell-insecure-tls param to control InsecureSkipVerify
1fa6c71 
- this allows using TLS but without verifying certificates/CAs/hostnames etc
- fix e2e tests for new tlsInsecure parameter
- add `// #nosec G402` so we can actually use InsecureSkipVerify
- make gofumpt happy

Signed-off-by: Ricardo Pardini <[email protected]>
@rpardini rpardini force-pushed the add-tls-insecure branch from e803be8 to 1fa6c71 Compare July 6, 2024 08:19
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 9, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
58cff02 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 9, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
8543424 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 9, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
b9ea57b 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
@rpardini rpardini mentioned this pull request Jul 9, 2024
Merged
@jacobweinstock jacobweinstock added the ready-to-merge Signal to Mergify to merge the PR. label Jul 9, 2024
@mergify mergify bot merged commit a3d4371 into tinkerbell:main Jul 9, 2024
12 of 14 checks passed
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
3b12ab9 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
624057e 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 11, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
ef6d7eb 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
@rpardini rpardini mentioned this pull request Jul 11, 2024
Merged
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
75bb9cf 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
d4ed1c3 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
@rpardini rpardini mentioned this pull request Jul 11, 2024
Merged
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 12, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
d6f150f 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 20, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
0952d06 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 20, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
b7d2545 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 21, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
c31023f 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
mergify bot added a commit to tinkerbell/hook that referenced this pull request Jul 23, 2024
@mergify
hook-bootkit: read tinkerbell_insecure_tls from kernel cmdline and …
a4b37a7 
…pass it to worker as TINKERBELL_INSECURE_TLS (#234)

#### hook-bootkit: read `tinkerbell_insecure_tls` from kernel cmdline and pass it to worker as TINKERBELL_INSECURE_TLS

- this fits in with
  -  tinkerbell/smee#479
  -  tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 24, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
717980a 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 3, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
026e419 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 3, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
ea7d903 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 4, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
0c7c0c7 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 4, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
42ff05a 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
ec73039 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
dddec5b 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
09253d6 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
fb961c1 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
6ef048c 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
df6f6c7 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
f9fbf65 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
93f403f 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
950eee3 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
7e803b4 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
mergify bot added a commit to tinkerbell/smee that referenced this pull request Aug 27, 2024
@mergify
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
6e912d3 
…ll_insecure_tls` kernel parameter (#479)

#### smee: introduce bool `tink-server-insecure-tls` controlling `tinkerbell_insecure_tls` kernel parameter

- for usage with `tink-worker`'s tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
jacobweinstock pushed a commit to rpardini/tinkerbell-charts that referenced this pull request Oct 24, 2024
@rpardini @jacobweinstock
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
ea6293f 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <[email protected]>
mergify bot added a commit to tinkerbell/charts that referenced this pull request Oct 24, 2024
@mergify
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
7b28867 
…ure-tls` (#114)

#### smee: add http.tinkServer.insecureTLS controlling `-tink-server-insecure-tls`

- this fits in with
  -  tinkerbell/smee#479
  -  tinkerbell/tink#960
  - tinkerbell/hook#234

Signed-off-by: Ricardo Pardini <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jacobweinstock jacobweinstock jacobweinstock approved these changes

Assignees
No one assigned
Labels
ready-to-merge Signal to Mergify to merge the PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rpardini @jacobweinstock