Skip to content

add tinkerbell-insecure-tls param to control InsecureSkipVerify #960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 9, 2024
Merged

add tinkerbell-insecure-tls param to control InsecureSkipVerify #960

merged 1 commit into from
Jul 9, 2024

Conversation

@rpardini
Copy link
Member

@rpardini rpardini commented Jul 3, 2024
edited
Loading

add tinkerbell-insecure-tls param to control InsecureSkipVerify

  • this allows using TLS but without verifying certificates/CAs/hostnames etc
  • fix e2e tests for new tlsInsecure parameter
  • add // #nosec G402 so we can actually use InsecureSkipVerify
  • make gofumpt happy

Signed-off-by: Ricardo Pardini ricardo@pardini.net

@rpardini
Copy link
Member Author

rpardini commented Jul 3, 2024

Small justification here: when using an Ingress in front of tink (eg: ingress-nginx), having TLS enabled is essential, as non-TLS gRPC is generally not supported by Ingresses (as it would require disabling http/1.1 support in favor of http/2 on port 80). But enabling TLS before this implied the full TLS verification as well (CA/certs/CN+SAN matching etc). This allows to have TLS enabled, but with InsecureSkipVerify. It defaults to false so no unexpected changes should be introduced.

@rpardini rpardini force-pushed the add-tls-insecure branch from 9306325 to e803be8 Compare July 3, 2024 13:35
@rpardini
Copy link
Member Author

rpardini commented Jul 3, 2024

updated after making CI pass (gofumpt, gosec, etc)

@rpardini
Copy link
Member Author

rpardini commented Jul 3, 2024

Reference kubernetes/ingress-nginx#3897

@codecov
Copy link

codecov bot commented Jul 3, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.

Project coverage is 28.00%. Comparing base (376c9ae) to head (1fa6c71).

Files Patch % Lines
internal/client/client.go 0.00% 3 Missing ⚠️
cmd/tink-worker/cmd/root.go 0.00% 2 Missing ⚠️
cmd/virtual-worker/cmd/root.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #960      +/-   ##
==========================================
- Coverage   28.02%   28.00%   -0.03%     
==========================================
  Files          70       70              
  Lines        3486     3489       +3     
==========================================
  Hits          977      977              
- Misses       2447     2450       +3     
  Partials       62       62

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@rpardini
add tinkerbell-insecure-tls param to control InsecureSkipVerify
1fa6c71 
- this allows using TLS but without verifying certificates/CAs/hostnames etc
- fix e2e tests for new tlsInsecure parameter
- add `// #nosec G402` so we can actually use InsecureSkipVerify
- make gofumpt happy

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
@rpardini rpardini force-pushed the add-tls-insecure branch from e803be8 to 1fa6c71 Compare July 6, 2024 08:19
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 9, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
58cff02 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 9, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
8543424 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 9, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
b9ea57b 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
@rpardini rpardini mentioned this pull request Jul 9, 2024
Merged
@jacobweinstock jacobweinstock added the ready-to-merge Signal to Mergify to merge the PR. label Jul 9, 2024
@mergify mergify bot merged commit a3d4371 into tinkerbell:main Jul 9, 2024
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
3b12ab9 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
624057e 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 11, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
ef6d7eb 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
@rpardini rpardini mentioned this pull request Jul 11, 2024
Merged
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
75bb9cf 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 11, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
d4ed1c3 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
@rpardini rpardini mentioned this pull request Jul 11, 2024
Merged
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 12, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
d6f150f 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 20, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
0952d06 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 20, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
b7d2545 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Jul 21, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
c31023f 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
mergify bot added a commit to tinkerbell/hook that referenced this pull request Jul 23, 2024
@mergify
hook-bootkit: read tinkerbell_insecure_tls from kernel cmdline and …
a4b37a7 
…pass it to worker as TINKERBELL_INSECURE_TLS (#234)

#### hook-bootkit: read `tinkerbell_insecure_tls` from kernel cmdline and pass it to worker as TINKERBELL_INSECURE_TLS

- this fits in with
  -  tinkerbell/smee#479
  -  tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Jul 24, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
717980a 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 3, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
026e419 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 3, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
ea7d903 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 4, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
0c7c0c7 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 4, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
42ff05a 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
ec73039 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
dddec5b 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
09253d6 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-charts that referenced this pull request Aug 5, 2024
@rpardini
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
fb961c1 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
6ef048c 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
df6f6c7 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
f9fbf65 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
93f403f 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
950eee3 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
rpardini added a commit to rpardini/tinkerbell-smee that referenced this pull request Aug 17, 2024
@rpardini
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
7e803b4 
…ll_insecure_tls` kernel parameter

- for usage with tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
mergify bot added a commit to tinkerbell/smee that referenced this pull request Aug 27, 2024
@mergify
smee: introduce bool tink-server-insecure-tls controlling `tinkerbe…
6e912d3 
…ll_insecure_tls` kernel parameter (#479)

#### smee: introduce bool `tink-server-insecure-tls` controlling `tinkerbell_insecure_tls` kernel parameter

- for usage with `tink-worker`'s tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
jacobweinstock pushed a commit to rpardini/tinkerbell-charts that referenced this pull request Oct 24, 2024
@rpardini @jacobweinstock
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
ea6293f 
…ure-tls`

- for usage combined with
  - tinkerbell/tink#960

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
mergify bot added a commit to tinkerbell/charts that referenced this pull request Oct 24, 2024
@mergify
smee: add http.tinkServer.insecureTLS controlling `-tink-server-insec…
7b28867 
…ure-tls` (#114)

#### smee: add http.tinkServer.insecureTLS controlling `-tink-server-insecure-tls`

- this fits in with
  -  tinkerbell/smee#479
  -  tinkerbell/tink#960
  - tinkerbell/hook#234

Signed-off-by: Ricardo Pardini <ricardo@pardini.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jacobweinstock jacobweinstock jacobweinstock approved these changes

Assignees

No one assigned

Labels

ready-to-merge Signal to Mergify to merge the PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rpardini @jacobweinstock