diff --git a/config/config.go b/config/config.go
index d6ed96879f..a24beffd0e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -53,6 +53,9 @@ type Config interface {
 	// use for peer management.
 	GetUseTLS() (bool, error)
 
+	// UseTLSInsecure returns true when certificate checks are disabled
+	GetUseTLSInsecure() (bool, error)
+
 	// GetHoneycombAPI returns the base URL (protocol, hostname, and port) of
 	// the upstream Honeycomb API server
 	GetHoneycombAPI() (string, error)
diff --git a/config/file_config.go b/config/file_config.go
index 60f75de1ca..536ac5a997 100644
--- a/config/file_config.go
+++ b/config/file_config.go
@@ -112,6 +112,7 @@ type PeerManagementConfig struct {
 	RedisHost string
 	RedisPassword string
 	UseTLS bool
+	UseTLSInsecure bool
 	IdentifierInterfaceName string
 	UseIPV6Identifier bool
 	RedisIdentifier string
@@ -132,6 +133,7 @@ func NewConfig(config, rules string, errorCallback func(error)) (Config, error)
 	c.SetDefault("PeerManagement.Peers", []string{"http://127.0.0.1:8081"})
 	c.SetDefault("PeerManagement.Type", "file")
 	c.SetDefault("PeerManagement.UseTLS", false)
+	c.SetDefault("PeerManagement.UseTLSInsecure", false)
 	c.SetDefault("PeerManagement.UseIPV6Identifier", false)
 	c.SetDefault("HoneycombAPI", "https://api.honeycomb.io")
 	c.SetDefault("Logger", "logrus")
@@ -452,6 +454,13 @@ func (f *fileConfig) GetUseTLS() (bool, error) {
 	return f.config.GetBool("PeerManagement.UseTLS"), nil
 }
 
+func (f *fileConfig) GetUseTLSInsecure() (bool, error) {
+	f.mux.RLock()
+	defer f.mux.RUnlock()
+
+	return f.config.GetBool("PeerManagement.UseTLSInsecure"), nil
+}
+
 func (f *fileConfig) GetIdentifierInterfaceName() (string, error) {
 	f.mux.RLock()
 	defer f.mux.RUnlock()
diff --git a/config/mock.go b/config/mock.go
index bcd50e086b..7bf07c2a0a 100644
--- a/config/mock.go
+++ b/config/mock.go
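Review bot: The doc comment on the new interface method does not start with the method's name (`UseTLSInsecure returns …` against `GetUseTLSInsecure`), so `go doc` and the usual linters will not attach it, and it omits the detail an operator needs: the flag turns off verification of the Redis peer store's server certificate, and it is only consulted when GetUseTLS is true (the redis.go hunk reads it inside `if useTLS` only). Suggested replacement: `// GetUseTLSInsecure returns true when verification of the Redis peer-store server certificate should be skipped (tls.Config.InsecureSkipVerify). It is only honored when GetUseTLS is true, and it removes the protection against a server impersonating the peer store.` The config_complete.toml comment in this commit (`UseTLSInsecure disables certificate checks`) has the same gap and should state that the option only takes effect together with UseTLS. The Config interface continues outside the hunk.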
@@ -42,6 +42,8 @@ type MockConfig struct {
 	GetRedisPasswordVal string
 	GetUseTLSErr error
 	GetUseTLSVal bool
+	GetUseTLSInsecureErr error
+	GetUseTLSInsecureVal bool
 	GetSamplerTypeErr error
 	GetSamplerTypeVal interface{}
 	GetMetricsTypeErr error
@@ -182,6 +184,12 @@ func (m *MockConfig) GetUseTLS() (bool, error) {
 	return m.GetUseTLSVal, m.GetUseTLSErr
 }
 
+func (m *MockConfig) GetUseTLSInsecure() (bool, error) {
+	m.Mux.RLock()
+	defer m.Mux.RUnlock()
+
+	return m.GetUseTLSInsecureVal, m.GetUseTLSInsecureErr
+}
 func (m *MockConfig) GetMetricsType() (string, error) {
 	m.Mux.RLock()
 	defer m.Mux.RUnlock()
diff --git a/config_complete.toml b/config_complete.toml
index 67be1efeb0..70978294a7 100644
--- a/config_complete.toml
+++ b/config_complete.toml
@@ -159,6 +159,10 @@ Metrics = "honeycomb"
 # Not eligible for live reload.
 # UseTLS = false
 
+# UseTLSInsecure disables certificate checks
+# Not eligible for live reload.
+# UseTLSInsecure = false
+
 # IdentifierInterfaceName is optional. By default, when using RedisHost, Refinery will use
 # the local hostname to identify itself to other peers in Redis. If your environment
 # requires that you use IPs as identifiers (for example, if peers can't resolve eachother
diff --git a/internal/peer/redis.go b/internal/peer/redis.go
index 370cdf3ea5..aa88bb06e7 100644
--- a/internal/peer/redis.go
+++ b/internal/peer/redis.go
@@ -177,13 +177,18 @@ func buildOptions(c config.Config) []redis.DialOption {
 	}
 
 	useTLS, _ := c.GetUseTLS()
+	tlsInsecure, _ := c.GetUseTLSInsecure()
 	if useTLS {
 		tlsConfig := &tls.Config{
 			MinVersion: tls.VersionTLS12,
 		}
+
+		if tlsInsecure {
+			tlsConfig.InsecureSkipVerify = true
+		}
+
 		options = append(options,
 			redis.DialTLSConfig(tlsConfig),
-			redis.DialTLSSkipVerify(true),
 			redis.DialUseTLS(true))
 	}
 
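Review bot: Dropping the unconditional `redis.DialTLSSkipVerify(true)` in the redis.go hunk means every existing deployment with `UseTLS = true` starts verifying the Redis server certificate against the system roots and the dialed host name, and will fail to connect if that certificate is self-signed or mismatched; that is the correct default, but it is a behavior change that needs to be called out in the release notes and beside the new UseTLSInsecure option so operators know which knob to set. The five-line `if tlsInsecure { … }` block is only ever evaluated under `if useTLS`, so it can be folded into the literal as `tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: tlsInsecure}`. When `tlsInsecure` is true, a warning log line at dial time would make the disabled verification visible in operator logs; I cannot see from the hunk whether buildOptions has a logger in scope, so this may belong in the caller. The error from `c.GetUseTLSInsecure()` is discarded with `_`, mirroring the existing GetUseTLS call on the line above. buildOptions continues outside the hunk.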