make insecure TLS settings a config option (honeycombio#254)

opsramp · May 17, 2021 · 20996fb · 20996fb
1 parent 829145a
commit 20996fb
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 1 deletion.
diff --git a/config/config.go b/config/config.go
@@ -53,6 +53,9 @@ type Config interface {
 	// use for peer management.
 	GetUseTLS() (bool, error)
 
+	// UseTLSInsecure returns true when certificate checks are disabled
+	GetUseTLSInsecure() (bool, error)
+
 	// GetHoneycombAPI returns the base URL (protocol, hostname, and port) of
 	// the upstream Honeycomb API server
 	GetHoneycombAPI() (string, error)

diff --git a/config/file_config.go b/config/file_config.go
@@ -112,6 +112,7 @@ type PeerManagementConfig struct {
 	RedisHost               string
 	RedisPassword           string
 	UseTLS                  bool
+	UseTLSInsecure          bool
 	IdentifierInterfaceName string
 	UseIPV6Identifier       bool
 	RedisIdentifier         string
@@ -132,6 +133,7 @@ func NewConfig(config, rules string, errorCallback func(error)) (Config, error)
 	c.SetDefault("PeerManagement.Peers", []string{"http://127.0.0.1:8081"})
 	c.SetDefault("PeerManagement.Type", "file")
 	c.SetDefault("PeerManagement.UseTLS", false)
+	c.SetDefault("PeerManagement.UseTLSInsecure", false)
 	c.SetDefault("PeerManagement.UseIPV6Identifier", false)
 	c.SetDefault("HoneycombAPI", "https://api.honeycomb.io")
 	c.SetDefault("Logger", "logrus")
@@ -452,6 +454,13 @@ func (f *fileConfig) GetUseTLS() (bool, error) {
 	return f.config.GetBool("PeerManagement.UseTLS"), nil
 }
 
+func (f *fileConfig) GetUseTLSInsecure() (bool, error) {
+	f.mux.RLock()
+	defer f.mux.RUnlock()
+
+	return f.config.GetBool("PeerManagement.UseTLSInsecure"), nil
+}
+
 func (f *fileConfig) GetIdentifierInterfaceName() (string, error) {
 	f.mux.RLock()
 	defer f.mux.RUnlock()

diff --git a/config/mock.go b/config/mock.go
@@ -42,6 +42,8 @@ type MockConfig struct {
 	GetRedisPasswordVal           string
 	GetUseTLSErr                  error
 	GetUseTLSVal                  bool
+	GetUseTLSInsecureErr          error
+	GetUseTLSInsecureVal          bool
 	GetSamplerTypeErr             error
 	GetSamplerTypeVal             interface{}
 	GetMetricsTypeErr             error
@@ -182,6 +184,12 @@ func (m *MockConfig) GetUseTLS() (bool, error) {
 
 	return m.GetUseTLSVal, m.GetUseTLSErr
 }
+func (m *MockConfig) GetUseTLSInsecure() (bool, error) {
+	m.Mux.RLock()
+	defer m.Mux.RUnlock()
+
+	return m.GetUseTLSInsecureVal, m.GetUseTLSInsecureErr
+}
 func (m *MockConfig) GetMetricsType() (string, error) {
 	m.Mux.RLock()
 	defer m.Mux.RUnlock()

diff --git a/config_complete.toml b/config_complete.toml
@@ -159,6 +159,10 @@ Metrics = "honeycomb"
 # Not eligible for live reload.
 # UseTLS = false
 
+# UseTLSInsecure disables certificate checks
+# Not eligible for live reload.
+# UseTLSInsecure = false
+
 # IdentifierInterfaceName is optional. By default, when using RedisHost, Refinery will use
 # the local hostname to identify itself to other peers in Redis. If your environment
 # requires that you use IPs as identifiers (for example, if peers can't resolve eachother

diff --git a/internal/peer/redis.go b/internal/peer/redis.go
@@ -177,13 +177,18 @@ func buildOptions(c config.Config) []redis.DialOption {
 	}
 
 	useTLS, _ := c.GetUseTLS()
+	tlsInsecure, _ := c.GetUseTLSInsecure()
 	if useTLS {
 		tlsConfig := &tls.Config{
 			MinVersion: tls.VersionTLS12,
 		}
+
+		if tlsInsecure {
+			tlsConfig.InsecureSkipVerify = true
+		}
+
 		options = append(options,
 			redis.DialTLSConfig(tlsConfig),
-			redis.DialTLSSkipVerify(true),
 			redis.DialUseTLS(true))
 	}