Add global quarkus.tls.trust-all configuration property

core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java

@@ -0,0 +1,19 @@
+package io.quarkus.runtime;
+
+import io.quarkus.runtime.annotations.ConfigItem;
+import io.quarkus.runtime.annotations.ConfigPhase;
+import io.quarkus.runtime.annotations.ConfigRoot;
+
+/**
+ * Configuration class allowing to globally set TLS properties.
+ */
+@ConfigRoot(phase = ConfigPhase.RUN_TIME)
+public class TlsConfig {
+
+    /**
+     * Enable trusting all certificates. Disable by default.
+     */
+    @ConfigItem(defaultValue = "false")
+    public boolean trustAll;
+
+}

extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java

@@ -12,8 +12,10 @@ public class KubernetesClientBuildConfig {
 
     /**
      * Whether or not the client should trust a self signed certificate if so presented by the API server
+     * 
+     * @deprecated use quarkus.tls.trust-all instead
      */
-    @ConfigItem
+    @ConfigItem(defaultValue = "${quarkus.tls.trust-all:unset}")
     public boolean trustCerts;
 
     /**

extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java

@@ -66,8 +66,10 @@ public class MailConfig {
     /**
      * Set whether to trust all certificates on ssl connect the option is also
      * applied to {@code STARTTLS} operation. {@code false} by default.
+     * 
+     * @deprecated use quarkus.tls.trust-all instead
      */
-    @ConfigItem
+    @ConfigItem(defaultValue = "${quarkus.tls.trust-all:false}")
     public boolean trustAll;
 
     /**

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -120,31 +120,14 @@ public class OidcTenantConfig {
 
     @ConfigGroup
     public static class Tls {
-        public enum Verification {
-            /**
-             * Certificates are validated and hostname verification is enabled. This is the default value.
-             */
-            REQUIRED,
-            /**
-             * All certificated are trusted and hostname verification is disabled.
-             */
-            NONE
-        }
 
         /**
-         * Certificate validation and hostname verification, which can be one of the following values from enum
-         * {@link Verification}. Default is required.
+         * Enable or disable certificate validation and hostname verification. Enable by default.
+         * 
+         * @deprecated use quarkus.tls.trust-all instead
          */
-        @ConfigItem(defaultValue = "REQUIRED")
-        public Verification verification;
-
-        public Verification getVerification() {
-            return verification;
-        }
-
-        public void setVerification(Verification verification) {
-            this.verification = verification;
-        }
+        @ConfigItem(defaultValue = "${quarkus.tls.trust-all:false}")
+        public boolean verification;
 
     }
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java

@@ -15,7 +15,6 @@
 import io.quarkus.oidc.OidcTenantConfig.ApplicationType;
 import io.quarkus.oidc.OidcTenantConfig.Credentials;
 import io.quarkus.oidc.OidcTenantConfig.Credentials.Secret;
-import io.quarkus.oidc.OidcTenantConfig.Tls.Verification;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.vertx.core.AsyncResult;
@@ -141,7 +140,7 @@ private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oi
             options.setProxyOptions(proxyOpt.get());
         }
 
-        if (oidcConfig.tls.verification == Verification.NONE) {
+        if (oidcConfig.tls.verification) {
             options.setTrustAll(true);
             options.setVerifyHost(false);
         }

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java

@@ -3,7 +3,7 @@
 import static io.quarkus.vault.runtime.client.CertificateHelper.createSslContext;
 import static io.quarkus.vault.runtime.client.CertificateHelper.createTrustManagers;
 import static io.quarkus.vault.runtime.config.VaultAuthenticationType.KUBERNETES;
-import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.KUBERNETES_CACERT;
+import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.*;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java

@@ -1,6 +1,5 @@
 package io.quarkus.vault.runtime.config;
 
-import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY;
 import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_USE_KUBERNETES_CACERT;
 
 import java.util.Optional;
@@ -17,8 +16,10 @@ public class VaultTlsConfig {
      * If true this will allow TLS communications with Vault, without checking the validity of the
      * certificate presented by Vault. This is discouraged in production because it allows man in the middle
      * type of attacks.
+     * 
+     * @deprecated use quarkus.tls.trust-all instead
      */
-    @ConfigItem(defaultValue = DEFAULT_TLS_SKIP_VERIFY)
+    @ConfigItem(defaultValue = "${quarkus.tls.trust-all}")
     public boolean skipVerify;
 
     /**

extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java

@@ -138,8 +138,10 @@ public class EventBusConfiguration {
 
     /**
      * Enables or disables the trust all parameter.
+     * 
+     * @deprecated use quarkus.tls.trust-all instead
      */
-    @ConfigItem
+    @ConfigItem(defaultValue = "${quarkus.tls.trust-all:unset}")
     public boolean trustAll;
 
 }

integration-tests/oidc/src/main/resources/application.properties

@@ -3,4 +3,4 @@ quarkus.oidc.auth-server-url=${keycloak.ssl.url}/realms/quarkus
 quarkus.oidc.client-id=quarkus-app
 quarkus.oidc.token.principal-claim=email
 quarkus.http.cors=true
-quarkus.oidc.tls.verification=none
+quarkus.tls.trust-all=true

integration-tests/vault/src/test/resources/application-vault-multi-path.properties

@@ -4,7 +4,8 @@ quarkus.vault.authentication.userpass.password=sinclair
 quarkus.vault.secret-config-kv-path=multi/default1,multi/default2
 quarkus.vault.secret-config-kv-path.singer=multi/singer1,multi/singer2
 
-quarkus.vault.tls.skip-verify=true
+#quarkus.vault.tls.skip-verify=true
 
+quarkus.tls.trust-all=true
 # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default
 quarkus.vault.read-timeout=5S

integration-tests/vault/src/test/resources/application-vault-totp.properties

@@ -2,7 +2,8 @@ quarkus.vault.url=https://localhost:8200
 quarkus.vault.authentication.userpass.username=bob
 quarkus.vault.authentication.userpass.password=sinclair
 
-quarkus.vault.tls.skip-verify=true
+#quarkus.vault.tls.skip-verify=true
+quarkus.tls.trust-all=true
 
 # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default
 quarkus.vault.read-timeout=5S

integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties

@@ -9,7 +9,6 @@ quarkus.vault.tls.ca-cert=src/test/resources/vault-tls.crt
 
 quarkus.vault.log-confidentiality-level=low
 quarkus.vault.renew-grace-period=10
-
 quarkus.log.category."io.quarkus.vault".level=DEBUG
 
 # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default