Add support to skip TLS verification #2202

Merged
11 changes: 11 additions & 0 deletions config/configtls/README.md
Expand Up @@ -27,6 +27,13 @@ A certificate authority may also need to be defined:
certificate. For a server this verifies client certificates. If empty uses
system root CA. Should only be used if `insecure` is set to false.

Additionally you can configure TLS to be enabled but skip verifying the server's
certificate chain. This cannot be combined with `insecure` since `insecure`
won't use TLS at all.

- `insecure_skip_verify` (default = false): whether to skip verifying the
certificate or not.

How TLS/mTLS is configured depends on whether configuring the client or server.
See below for examples.

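Review bot: The bullet "whether to skip verifying the certificate or not" understates what the flag does: in Go's crypto/tls, `InsecureSkipVerify` disables verification of both the server's certificate chain and its host name, so a client configured this way accepts any certificate presented to it, including one from an interposed party; the README should say that explicitly. The sentence "This cannot be combined with `insecure`" also reads as a hard rule, but nothing in this change enforces it; if no validation is added, "has no effect when `insecure` is true" is the accurate wording.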
Expand Down Expand Up @@ -59,6 +66,10 @@ exporters:
otlp/insecure:
endpoint: myserver.local:55690
insecure: true
otlp/secure_no_verify:
endpoint: myserver.local:55690
insecure: false
insecure_skip_verify: true
```
## Server Configuration
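Review bot: The `otlp/secure_no_verify` example should say how `insecure_skip_verify` interacts with `ca_file`: once `InsecureSkipVerify` is set on a `tls.Config`, the configured root CAs are not consulted for server verification, so a reader who sets both gets no verification at all while believing the CA is still checked. A one-line comment in the example, e.g. `# ca_file is not used for verification when insecure_skip_verify is true`, would prevent that misreading.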
6 changes: 3 additions & 3 deletions config/configtls/configtls.go
Expand Up @@ -50,10 +50,9 @@ type TLSClientSetting struct {
// (InsecureSkipVerify in the tls Config). Please refer to
// https://godoc.org/crypto/tls#Config for more information.
// (optional, default false)
// TODO(ccaraman): With further research InsecureSkipVerify is a valid option
// for gRPC connections. Add that ability to the TLSClientSettings in a subsequent
// pr.
Insecure bool `mapstructure:"insecure"`
// InsecureSkipVerify will enable TLS but not verify the certificate.
InsecureSkipVerify bool `mapstructure:"insecure_skip_verify"`
// ServerName requested by client for virtual hosting.
// This sets the ServerName in the TLSConfig. Please refer to
// https://godoc.org/crypto/tls#Config for more information. (optional)
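Review bot: The `Insecure` comment directly above still says "(InsecureSkipVerify in the tls Config)", which now points at the wrong field; it should be reworded to say that `Insecure` disables TLS entirely. The new `InsecureSkipVerify` comment is also thinner than its neighbours: it should carry the same `https://godoc.org/crypto/tls#Config` reference and an "(optional, default false)" marker, and state that it skips both chain and host name verification of the server certificate.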
Expand Down Expand Up @@ -131,6 +130,7 @@ func (c TLSClientSetting) LoadTLSConfig() (*tls.Config, error) {
return nil, fmt.Errorf("failed to load TLS config: %w", err)
}
tlsCfg.ServerName = c.ServerName
tlsCfg.InsecureSkipVerify = c.InsecureSkipVerify
return tlsCfg, nil
}

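Review bot: `LoadTLSConfig` copies `c.InsecureSkipVerify` into the `tls.Config` unconditionally, and nothing in the visible lines rejects a setting with both `Insecure` and `InsecureSkipVerify` true, even though the README added in this PR says the two cannot be combined. This is the natural place to enforce that, for example `if c.Insecure && c.InsecureSkipVerify { return nil, errors.New("insecure and insecure_skip_verify cannot both be set") }` before the config is built, so the misconfiguration surfaces at startup instead of being silently ignored.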
8 changes: 8 additions & 0 deletions config/configtls/configtls_test.go
Expand Up @@ -146,6 +146,14 @@ func TestLoadTLSClientConfig(t *testing.T) {
tlsCfg, err = tlsSetting.LoadTLSConfig()
assert.NoError(t, err)
assert.NotNil(t, tlsCfg)

tlsSetting = TLSClientSetting{
InsecureSkipVerify: true,
}
tlsCfg, err = tlsSetting.LoadTLSConfig()
assert.NoError(t, err)
assert.NotNil(t, tlsCfg)
assert.True(t, tlsCfg.InsecureSkipVerify)
}

func TestLoadTLSServerConfigError(t *testing.T) {
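Review bot: The added case only covers the positive path; the case at the top of this hunk asserts `NotNil` but never checks that `tlsCfg.InsecureSkipVerify` is false when the setting is left at its default, so a regression that flipped the default to true would still pass. Adding `assert.False(t, tlsCfg.InsecureSkipVerify)` to that earlier case pins down the default, and asserting in the new case that `ServerName` is unchanged confirms the flag is copied without side effects.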