Add support for --insecure-skip-tls-verify option
Some users are stuck behind corporate HTTP proxies that MITM
all traffic and are forced to sacrifice TLS security. This
allows those users to use the tool despite the proxy messing
with the certificates.

Signed-off-by: Geoff Baskwill <[email protected]>
glb committed Nov 19, 2019
1 parent c8b9314 commit 0b09e3a
Showing 2 changed files with 18 additions and 0 deletions.
5 changes: 5 additions & 0 deletions kubeval/config.go
Expand Up @@ -57,6 +57,10 @@ type Config struct {
// Quiet indicates whether non-results output should be emitted to the applications
// log.
Quiet bool

// InsecureSkipTLSVerify controls whether to skip TLS certificate validation
// when retrieving schema content over HTTPS
InsecureSkipTLSVerify bool
}

// NewDefaultConfig creates a Config with default values
Expand All @@ -80,6 +84,7 @@ func AddKubevalFlags(cmd *cobra.Command, config *Config) *cobra.Command {
cmd.Flags().StringVarP(&config.KubernetesVersion, "kubernetes-version", "v", "master", "Version of Kubernetes to validate against")
cmd.Flags().StringVarP(&config.OutputFormat, "output", "o", "", fmt.Sprintf("The format of the output of this script. Options are: %v", validOutputs()))
cmd.Flags().BoolVar(&config.Quiet, "quiet", false, "Silences any output aside from the direct results")
cmd.Flags().BoolVar(&config.InsecureSkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")

return cmd
}
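Review bot: The help text for `--insecure-skip-tls-verify` in the second hunk says the HTTPS connections become insecure but not what that puts at risk. Going by the field comment, the flag covers schema retrieval, and the retrieved schemas presumably decide whether a manifest passes, so a schema altered in transit can change validation results. I would say so in the flag description, e.g. `"Skip TLS certificate verification when downloading schemas. Schema content can then be modified in transit, so results are only as trustworthy as the network path"`. The comment on `InsecureSkipTLSVerify` in the first hunk could carry the same caveat and end with a period like the `Quiet` comment above it. The body of `AddKubevalFlags` starts outside the hunk.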
13 changes: 13 additions & 0 deletions main.go
Expand Up @@ -3,9 +3,11 @@ package main
import (
"bufio"
"bytes"
"crypto/tls"
"errors"
"fmt"
"io/ioutil"
"net/http"
"os"
"path/filepath"
"runtime"
Expand Down Expand Up @@ -43,6 +45,17 @@ var RootCmd = &cobra.Command{
if config.IgnoreMissingSchemas && !config.Quiet {
log.Warn("Set to ignore missing schemas")
}

// This is not particularly secure but we highlight that with the name of
// the config item. It would be good to also support a configurable set of
// trusted certificate authorities as in the `--certificate-authority`
// kubectl option.
if config.InsecureSkipTLSVerify {
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
}
}

success := true
windowsStdinIssue := false
outputManager := kubeval.GetOutputManager(config.OutputFormat)
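Review bot: The new `if config.InsecureSkipTLSVerify` block in the second hunk turns verification off on `http.DefaultTransport`, which is process-wide, so every client that uses the default transport loses certificate checking, not only the schema downloads the option is documented for. The unchecked assertion `http.DefaultTransport.(*http.Transport)` panics if the default transport has been replaced by another RoundTripper, and assigning a fresh `tls.Config` discards any TLS settings already present on it. Nothing is logged when the option is active, although `IgnoreMissingSchemas` just above does emit a warning; a security downgrade is worth reporting even when `Quiet` is set. A dedicated client passed to the schema loader would scope this best, but that code is not visible here; the sketch below keeps the current approach and fails closed. The enclosing function literal starts and ends outside the hunk.

```go
if config.InsecureSkipTLSVerify {
	// Reported regardless of Quiet: schema content is no longer authenticated.
	log.Warn("TLS certificate verification is disabled (--insecure-skip-tls-verify)")
	transport, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		// Fail closed: verification stays on if the transport cannot be adjusted.
		log.Warn("default HTTP transport is not *http.Transport; --insecure-skip-tls-verify was not applied")
	} else {
		if transport.TLSClientConfig == nil {
			transport.TLSClientConfig = &tls.Config{}
		}
		transport.TLSClientConfig.InsecureSkipVerify = true
	}
}
// … unchanged: success, windowsStdinIssue, outputManager setup …
```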
