
Add support for TLS skip verification #306

Merged (2 commits) on Aug 26, 2024

Conversation

tuxillo
Contributor

@tuxillo tuxillo commented Jun 16, 2024

As mentioned here: k3s-io/k3s#1093 , it is not possible to skip TLS verification. This patch adds support for skipping it. Not sure if it's the correct approach tho :)

@tuxillo tuxillo requested a review from a team as a code owner June 16, 2024 12:36
Signed-off-by: Antonio Huete Jimenez <tuxillo@quantumachine.net>
@tuxillo
Contributor Author

tuxillo commented Jun 16, 2024

This is how I tested it:

No skip:

~/s/kine$ ./bin/kine --endpoint "mysql://root:root@tcp(localhost:3306)/kine" --ca-file ~/s/docker-mysql-tls/ssl/ca.pem --cert-file ~/s/docker-mysql-tls/ssl/client-cert.pem --key-file ~/s/docker-mysql-tls/ssl/client-key.pem
INFO[2024-06-16T14:45:36.513918611+02:00] metrics server is starting to listen at :8080
INFO[2024-06-16T14:45:36.51409881+02:00] starting metrics server path /metrics
WARN[2024-06-16T14:45:36.51729253+02:00] failed to check existence of database kine, going to attempt create: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match localhost
FATA[2024-06-16T14:45:36.518841498+02:00] building kine: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match localhost

Skip:

~/s/kine$ ./bin/kine --endpoint "mysql://root:root@tcp(localhost:3306)/kine" --skip-verify true --ca-file ~/s/docker-mysql-tls/ssl/ca.pem --cert-file ~/s/docker-mysql-tls/ssl/client-cert.pem --key-file ~/s/docker-mysql-tls/ssl/client-key.pem
INFO[2024-06-16T14:46:15.788047808+02:00] metrics server is starting to listen at :8080
INFO[2024-06-16T14:46:15.788228418+02:00] starting metrics server path /metrics
INFO[2024-06-16T14:46:15.78989117+02:00] Configuring mysql database connection pooling: maxIdleConns=2, maxOpenConns=0, connMaxLifetime=0s
INFO[2024-06-16T14:46:15.78994924+02:00] Configuring database table schema and indexes, this may take a moment...
INFO[2024-06-16T14:46:15.79032638+02:00] Database tables and indexes are up to date
INFO[2024-06-16T14:46:15.792272429+02:00] Kine available at http://127.0.0.1:2379
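The two runs above differ only in whether the backend certificate is checked. The Go snippet below is an added example, not code from this PR or from kine; it assumes the new flag ends up in tls.Config.InsecureSkipVerify for the MySQL connection and uses an in-process self-signed certificate (constructed here) in place of the test MySQL cert. With no SANs the verify step fails with the same x509 "not valid for any names" error as the "No skip" run; with --skip-verify any certificate is accepted, trusted CA or not; and a certificate that carries a localhost SAN verifies without the flag.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSignedCert builds a self-signed server certificate in process (constructed
// for this example); called with no SANs it mirrors the test MySQL cert above.
func selfSignedCert(sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans, // empty => "certificate is not valid for any names"
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// backendTLSConfig shows what a skip-verify flag does to the backend tls.Config:
// the CA is still loaded, but InsecureSkipVerify turns off chain and name checks.
func backendTLSConfig(ca *x509.Certificate, skipVerify bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: skipVerify}
}

// verifyServerCert runs the check the handshake would run for tcp(localhost:3306):
// the presented cert must chain to RootCAs and carry a SAN matching host.
func verifyServerCert(cfg *tls.Config, cert *x509.Certificate, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // skipped: any certificate is accepted, trusted CA or not
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}
```

The fourth check in the test below shows the flag is the only way a certificate that does not chain to the configured --ca-file gets through, which is why issuing the backend cert with a proper SAN is the safer fix.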

Member

@brandond brandond left a comment


Thanks for the contribution! One nit, LGTM otherwise.

main.go Outdated
@@ -56,6 +56,12 @@ func main() {
Usage: "Key file for etcd connection",
Destination: &config.ServerTLSConfig.KeyFile,
},
&cli.BoolFlag{
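Review bot: the new &cli.BoolFlag{ is inserted directly after Destination: &config.ServerTLSConfig.KeyFile, so it lands among the etcd-facing server TLS flags even though a skip-verify option governs the backend database connection; move it next to the BackendTLSConfig CertFile and KeyFile flags and word its Usage so it is clear the flag disables certificate verification of the backend only, not of kine's own listener.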

nit: can you move this up, directly below the Destination: &config.BackendTLSConfig.CertFile flag? We could probably move the Destination: &config.BackendTLSConfig.KeyFile flag up as well, just to keep all the backend flags together.

Signed-off-by: Antonio Huete Jimenez <tuxillo@quantumachine.net>
@brandond brandond merged commit cb8c874 into k3s-io:master Aug 26, 2024
3 checks passed
@tuxillo tuxillo deleted the skip-verify branch August 27, 2024 08:14