
Fix TLSContextWrapper to not override tls_verify #10098

Merged, 4 commits, Sep 13, 2021

Conversation

@fanny-jiang (Contributor) commented Sep 10, 2021

What does this PR do?

Previously, the TLSContextWrapper was overriding the configured tls_verify value and forcing it to True if any of these configs were present: tls_ca_cert, tls_cert, tls_private_key, tls_private_key_password, even if tls_verify: false was configured. This PR updates the override to only force tls_verify: true if tls_ca_cert is configured.

Motivation

Customer support case

Additional Notes

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • PR title must be written as a CHANGELOG entry (see why)
  • Files changes must correspond to the primary purpose of the PR as described in the title (small unrelated changes should have their own PR)
  • PR must have changelog/ and integration/ labels attached

codecov bot commented Sep 10, 2021

Codecov Report

Merging #10098 (776e59f) into master (9ea51ab) will increase coverage by 0.01%.
The diff coverage is 100.00%.

Flag Coverage Δ
active_directory 100.00% <ø> (ø)
activemq_xml 82.31% <ø> (ø)
aerospike 86.97% <ø> (+0.36%) ⬆️
airflow 90.00% <ø> (ø)
amazon_msk 87.94% <ø> (ø)
ambari 86.87% <ø> (ø)
apache 95.43% <ø> (ø)
aspdotnet 93.87% <ø> (ø)
avi_vantage 92.07% <ø> (ø)
azure_iot_edge 82.01% <ø> (ø)
btrfs 82.91% <ø> (ø)
cacti 83.95% <ø> (ø)
cassandra_nodetool 94.19% <ø> (ø)
ceph 91.02% <ø> (ø)
cilium 85.84% <ø> (+1.88%) ⬆️
cisco_aci 95.88% <ø> (ø)
clickhouse 96.65% <ø> (ø)
cloud_foundry_api 95.98% <ø> (+0.12%) ⬆️
cockroachdb 97.18% <ø> (ø)
consul 91.74% <ø> (ø)
coredns 96.36% <ø> (ø)
couch 95.19% <ø> (+0.24%) ⬆️
couchbase 81.45% <ø> (ø)
crio 100.00% <ø> (ø)
datadog_checks_base 89.75% <100.00%> (+0.38%) ⬆️
datadog_checks_dev 78.73% <ø> (ø)
datadog_checks_downloader 80.64% <ø> (ø)
datadog_cluster_agent 97.50% <ø> (ø)
directory 94.87% <ø> (ø)
disk 91.15% <ø> (-0.49%) ⬇️
dns_check 94.00% <ø> (ø)
dotnetclr 100.00% <ø> (ø)
druid 97.70% <ø> (ø)
ecs_fargate 77.65% <ø> (ø)
eks_fargate 94.05% <ø> (ø)
elastic 88.65% <ø> (ø)
envoy 93.77% <ø> (+0.25%) ⬆️
etcd 93.09% <ø> (ø)
exchange_server 100.00% <ø> (ø)
external_dns 100.00% <ø> (ø)
fluentd 94.77% <ø> (ø)
gearmand 77.27% <ø> (+1.29%) ⬆️
gitlab 89.94% <ø> (ø)
gitlab_runner 91.94% <ø> (ø)
glusterfs 80.09% <ø> (+0.92%) ⬆️
go_expvar 92.49% <ø> (ø)
gunicorn 92.85% <ø> (ø)
haproxy 95.22% <ø> (+0.17%) ⬆️
harbor 91.58% <ø> (ø)
hazelcast 92.39% <ø> (ø)
hdfs_datanode 90.00% <ø> (ø)
hdfs_namenode 87.94% <ø> (ø)
http_check 90.00% <ø> (+1.81%) ⬆️
ibm_db2 94.79% <ø> (ø)
ibm_mq 89.61% <ø> (-0.18%) ⬇️
ibm_was 97.44% <ø> (ø)
iis 93.01% <ø> (ø)
istio 77.67% <ø> (+0.59%) ⬆️
kafka_consumer 81.87% <ø> (ø)
kong 92.21% <ø> (ø)
kube_apiserver_metrics 97.35% <ø> (ø)
kube_controller_manager 96.85% <ø> (ø)
kube_dns 98.85% <ø> (ø)
kube_metrics_server 100.00% <ø> (ø)
kube_proxy 100.00% <ø> (ø)
kube_scheduler 96.20% <ø> (ø)
kubelet 89.47% <ø> (ø)
kubernetes_state 89.67% <ø> (ø)
kyototycoon 85.96% <ø> (ø)
lighttpd 83.64% <ø> (ø)
linkerd 85.14% <ø> (+1.14%) ⬆️
linux_proc_extras 96.22% <ø> (ø)
mapr 82.62% <ø> (ø)
mapreduce 81.81% <ø> (ø)
marathon 83.12% <ø> (ø)
marklogic 95.33% <ø> (ø)
mcache 93.48% <ø> (ø)
mesos_master 90.68% <ø> (ø)
mesos_slave 93.63% <ø> (ø)
mongo 94.43% <ø> (-0.03%) ⬇️
mysql 86.32% <ø> (+0.13%) ⬆️
nagios 89.53% <ø> (ø)
network 77.76% <ø> (+1.00%) ⬆️
nfsstat 95.20% <ø> (ø)
nginx 95.11% <ø> (+0.93%) ⬆️
nginx_ingress_controller 98.30% <ø> (ø)
openldap 96.33% <ø> (ø)
openmetrics 97.14% <ø> (ø)
openstack 51.30% <ø> (ø)
openstack_controller 90.74% <ø> (ø)
oracle 93.65% <ø> (+0.52%) ⬆️
pdh_check 97.77% <ø> (ø)
pgbouncer 90.45% <ø> (ø)
php_fpm 90.04% <ø> (+0.43%) ⬆️
postfix 88.04% <ø> (ø)
postgres 91.53% <ø> (+0.23%) ⬆️
powerdns_recursor 95.93% <ø> (ø)
process 85.20% <ø> (+0.28%) ⬆️
prometheus 94.17% <ø> (ø)
proxysql 98.97% <ø> (ø)
rabbitmq 93.74% <ø> (ø)
redisdb 86.96% <ø> (-0.32%) ⬇️
rethinkdb 97.93% <ø> (ø)
riak 99.22% <ø> (ø)
riakcs 93.61% <ø> (ø)
sap_hana 93.04% <ø> (ø)
scylla 100.00% <ø> (ø)
snmp 91.18% <ø> (+0.04%) ⬆️
snowflake 94.01% <ø> (-0.11%) ⬇️
sonarqube 95.69% <ø> (ø)
spark 93.64% <ø> (ø)
sqlserver 82.38% <ø> (ø)
squid 100.00% <ø> (ø)
ssh_check 91.58% <ø> (ø)
statsd 87.36% <ø> (+1.05%) ⬆️
supervisord 92.30% <ø> (ø)
system_core 91.04% <ø> (ø)
system_swap 98.30% <ø> (ø)
tcp_check 88.83% <ø> (ø)
teamcity 80.00% <ø> (ø)
tls 97.04% <ø> (+0.87%) ⬆️
tokumx 58.40% <ø> (?)
twemproxy 78.33% <ø> (ø)
twistlock 80.80% <ø> (ø)
varnish 84.57% <ø> (+0.24%) ⬆️
vault 94.91% <ø> (+0.53%) ⬆️
vertica 92.33% <ø> (ø)
voltdb 96.81% <ø> (ø)
vsphere 89.78% <ø> (+0.08%) ⬆️
win32_event_log 86.03% <ø> (+0.28%) ⬆️
windows_service 95.83% <ø> (ø)
wmi_check 92.91% <ø> (ø)
yarn 90.30% <ø> (ø)
zk 84.96% <ø> (+0.25%) ⬆️

Flags with carried forward coverage won't be shown.

@yzhan289 (Contributor) previously approved these changes Sep 13, 2021 and left a comment:

LGTM, although I wonder why tls_verify was originally overridden to true whenever tls_* options were configured.

@FlorianVeaux (Member) left a comment:

Couple of thoughts:

  1. This is a breaking behavioral change, a few integrations rely on this. It's not clear to me how much impact this change can have for integrations and users who are relying on this behavior. Maybe the worst case scenario is that certs won't be verified anymore?
  2. It still makes sense to force tls_verify to True if tls_ca_cert is set. Indeed, passing tls_ca_cert is only required for verifying a given cert based on some list of Certificate Authorities. Passing tls_ca_cert is useless if we don't plan to verify the cert.

@FlorianVeaux (Member):

I wonder why tls_verify was originally overridden to true whenever tls_* options were configured.

I did that initially because it doesn't make sense to set tls_ca_cert if you are not verifying the certificate. I assumed the same for the three other options (that were related to the client certificate), but that's not true. It is possible to securely connect to a remote server by passing some client certificates and by having the server verify the authenticity of the client, while not wanting to check the server certificate from the client side.
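To make the two behaviours discussed in this thread concrete (the old "any tls_* option forces tls_verify on" rule from the PR description, and the narrowed "only tls_ca_cert forces it" rule Florian argues for above), here is an added example. It is not code from datadog_checks_base or from this PR; the config keys are the ones named in the thread, the file paths are hypothetical, and the resolve/build functions are my own illustration of the policy, including how the client-certificate-without-server-verification case maps onto a real ssl.SSLContext.

```python
"""Added example: tls_verify override policy before and after PR #10098, and
how the resolved value maps onto an ssl.SSLContext. Not the project's code."""
import ssl

# The three options that only concern the client certificate. Per the thread,
# none of them implies that the *server* certificate must be verified.
CLIENT_CERT_OPTIONS = ('tls_cert', 'tls_private_key', 'tls_private_key_password')


def resolve_tls_verify_before(config):
    # Behaviour the PR describes as the old one: any tls_* option switches
    # verification back on, so 'tls_verify: false' plus a client cert is ignored.
    verify = bool(config.get('tls_verify', True))
    if any(config.get(opt) for opt in ('tls_ca_cert',) + CLIENT_CERT_OPTIONS):
        verify = True
    return verify


def resolve_tls_verify_after(config):
    # Behaviour after the PR: only tls_ca_cert forces verification, because a
    # CA bundle is meaningless unless the peer certificate is actually checked.
    verify = bool(config.get('tls_verify', True))
    if config.get('tls_ca_cert'):
        verify = True
    return verify


def build_client_context(config):
    # Turn the resolved setting into a real ssl.SSLContext. File paths in the
    # config are hypothetical; loading is skipped when they are absent so the
    # function can be exercised without certificate files on disk.
    verify = resolve_tls_verify_after(config)
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if verify:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if config.get('tls_ca_cert'):
            ctx.load_verify_locations(cafile=config['tls_ca_cert'])
    else:
        # Order matters: check_hostname must be cleared before CERT_NONE is
        # accepted, otherwise SSLContext raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if config.get('tls_cert'):
        # Client certificate is independent of server verification: the server
        # authenticates us even when we have chosen not to authenticate it.
        ctx.load_cert_chain(
            certfile=config['tls_cert'],
            keyfile=config.get('tls_private_key'),
            password=config.get('tls_private_key_password'),
        )
    return ctx


def context_summary(config):
    # Both policies side by side, plus what the built context actually enforces.
    ctx = build_client_context(config)
    return {
        'before': resolve_tls_verify_before(config),
        'after': resolve_tls_verify_after(config),
        'check_hostname': ctx.check_hostname,
        'verify_mode': 'CERT_NONE' if ctx.verify_mode == ssl.CERT_NONE else 'CERT_REQUIRED',
    }


if __name__ == '__main__':
    # Constructed sample configs mirroring the cases in the thread (paths are
    # hypothetical, so file-backed configs are shown only through the resolvers).
    for name, cfg in {
        'client cert, verify off': {'tls_verify': False, 'tls_cert': '/hypothetical/client.pem'},
        'ca cert, verify off': {'tls_verify': False, 'tls_ca_cert': '/hypothetical/ca.pem'},
        'nothing set': {},
    }.items():
        print(name, 'before:', resolve_tls_verify_before(cfg), 'after:', resolve_tls_verify_after(cfg))
    print('context for verify off:', context_summary({'tls_verify': False}))
```

The first sample is the support case behind the PR: with the old rule the client-cert options silently re-enable server verification, with the new rule the operator's explicit tls_verify: false is honoured. The second sample shows the one override both reviewers agree should stay.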

@fanny-jiang (Contributor, Author):

Couple of thoughts:

  1. This is a breaking behavioral change, a few integrations rely on this. It's not clear to me how much impact this change can have for integrations and users who are relying on this behavior. Maybe the worst case scenario is that certs won't be verified anymore?
  2. It still makes sense to force tls_verify to True if tls_ca_cert is set. Indeed, passing tls_ca_cert is only required for verifying a given cert based on some list of Certificate Authorities. Passing tls_ca_cert is useless if we don't plan to verify the cert.

Thanks Florian, that makes sense. I've addressed this and added back the override for tls_ca_cert in my latest change: 99c4b4f

Comment on lines 46 to 48
@pytest.mark.parametrize('param', ('tls_ca_cert', 'tls_cert', 'tls_private_key', 'tls_private_key_password'))
def test_config_overwrite(self, param):
config = {'tls_verify': False, param: 'foo'}
config = {param: param}
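Review bot: of the two `config` assignments shown, only the one that keeps `'tls_verify': False` exercises the override; `tls_verify` defaults to true, so with `config = {param: param}` the wrapper reports verification on whether or not the override fires, and the test cannot fail. Keep `config = {'tls_verify': False, param: 'foo'}`, and narrow the `parametrize` values to `'tls_ca_cert'`, since after this PR `tls_cert`, `tls_private_key` and `tls_private_key_password` must no longer force verification on; a test that still expects them to would contradict the change described in the PR title.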
Review comment (Member):

You should keep tls_verify: False here because the default is True.
And remove all but tls_ca_cert from the parametrize decorator

@FlorianVeaux (Member) left a comment:

Good if tests are passing
