fix: dont use custom tls verification logic in connector
jmorganca committed Mar 26, 2022
1 parent d5e34c9 commit db27832
Showing 1 changed file with 4 additions and 24 deletions.
28 changes: 4 additions & 24 deletions internal/connector/connector.go
Expand Up @@ -348,31 +348,11 @@ func updateRoles(c *api.Client, k *kubernetes.Kubernetes, grants []api.Grant) er
}

func Run(options Options) error {
hostTLSConfig := &tls.Config{MinVersion: tls.VersionTLS12}

if options.SkipTLSVerify {
// TODO (https://github.com/infrahq/infra/issues/174)
// Find a way to re-use the built-in TLS verification code vs
// this custom code based on the official go TLS example code
// which states this is approximately the same.
hostTLSConfig.InsecureSkipVerify = true
hostTLSConfig.VerifyConnection = func(cs tls.ConnectionState) error {
opts := x509.VerifyOptions{
DNSName: cs.ServerName,
Intermediates: x509.NewCertPool(),
}

for _, cert := range cs.PeerCertificates[1:] {
opts.Intermediates.AddCert(cert)
}
hostTLSConfig := &tls.Config{
MinVersion: tls.VersionTLS12,

_, err := cs.PeerCertificates[0].Verify(opts)
if err != nil {
logging.S.Warnf("could not verify Infra TLS certificates: %s", err.Error())
}

return nil
}
//nolint:gosec // We may purposely set insecureskipverify via a flag
InsecureSkipVerify: options.SkipTLSVerify,
}

k8s, err := kubernetes.NewKubernetes()
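Review bot: With the new literal, `InsecureSkipVerify: options.SkipTLSVerify` now disables server certificate checking completely and silently when the flag is set — the removed code at least emitted a warning when the chain failed to verify, so an operator running with the flag on no longer gets any signal that the connector will accept any certificate, including one presented by an interceptor. I would log this loudly at startup, right after the config is built: `if options.SkipTLSVerify {` / `logging.S.Warn("TLS certificate verification is disabled (skip-tls-verify); connections to the Infra server can be intercepted")` / `}` (`logging.S` is what the removed code used; confirm the import is still present after this change). The TODO that pointed at issue 174 is gone with the custom code, but the underlying request — a way to trust a self-signed or private CA without turning verification off — is presumably still open; a `RootCAs` option populated from a CA file would cover that case without `InsecureSkipVerify`, and is worth tracking on that issue or a new one. Run's body continues outside the hunk, so where hostTLSConfig is consumed and whether any credential travels over that connection cannot be seen here.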
