fix: dont use custom tls verification logic in connector

infrahq · Mar 26, 2022 · 0268f7e · 0268f7e
1 parent d5e34c9
commit 0268f7e
Showing 1 changed file with 5 additions and 27 deletions.
diff --git a/internal/connector/connector.go b/internal/connector/connector.go
@@ -348,31 +348,9 @@ func updateRoles(c *api.Client, k *kubernetes.Kubernetes, grants []api.Grant) er
 }
 
 func Run(options Options) error {
-	hostTLSConfig := &tls.Config{MinVersion: tls.VersionTLS12}
-
-	if options.SkipTLSVerify {
-		// TODO (https://github.com/infrahq/infra/issues/174)
-		// Find a way to re-use the built-in TLS verification code vs
-		// this custom code based on the official go TLS example code
-		// which states this is approximately the same.
-		hostTLSConfig.InsecureSkipVerify = true
-		hostTLSConfig.VerifyConnection = func(cs tls.ConnectionState) error {
-			opts := x509.VerifyOptions{
-				DNSName:       cs.ServerName,
-				Intermediates: x509.NewCertPool(),
-			}
-
-			for _, cert := range cs.PeerCertificates[1:] {
-				opts.Intermediates.AddCert(cert)
-			}
-
-			_, err := cs.PeerCertificates[0].Verify(opts)
-			if err != nil {
-				logging.S.Warnf("could not verify Infra TLS certificates: %s", err.Error())
-			}
-
-			return nil
-		}
+	serverTLSConfig := &tls.Config{
+		//nolint:gosec // We may purposely set insecureskipverify via a flag
+		InsecureSkipVerify: options.SkipTLSVerify,
 	}
 
 	k8s, err := kubernetes.NewKubernetes()
@@ -470,7 +448,7 @@ func Run(options Options) error {
 			AccessKey: accessKey,
 			HTTP: http.Client{
 				Transport: &http.Transport{
-					TLSClientConfig: hostTLSConfig,
+					TLSClientConfig: serverTLSConfig,
 				},
 			},
 		}
@@ -574,7 +552,7 @@ func Run(options Options) error {
 		client: &http.Client{
 			Transport: &BearerTransport{
 				Transport: &http.Transport{
-					TLSClientConfig: hostTLSConfig,
+					TLSClientConfig: serverTLSConfig,
 				},
 			},
 		},