Add global quarkus.tls.trust-all configuration property

core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java

@@ -0,0 +1,19 @@
+package io.quarkus.runtime;
+
+import io.quarkus.runtime.annotations.ConfigItem;
+import io.quarkus.runtime.annotations.ConfigPhase;
+import io.quarkus.runtime.annotations.ConfigRoot;
+
+/**
+ * Configuration class allowing to globally set TLS properties.
+ */
+@ConfigRoot(phase = ConfigPhase.RUN_TIME)
+public class TlsConfig {
+
+    /**
+     * Enable trusting all certificates. Disable by default.
+     */
+    @ConfigItem(defaultValue = "false")
+    public boolean trustAll;
+
+}

extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java

@@ -12,8 +12,10 @@ public class KubernetesClientBuildConfig {
 
     /**
      * Whether or not the client should trust a self signed certificate if so presented by the API server
+     * 
+     * @deprecated use quarkus.tls.trust-all instead
      */
-    @ConfigItem
+    @ConfigItem(defaultValue = "${quarkus.tls.trust-all}")
     public boolean trustCerts;
 
     /**

extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java

@@ -66,8 +66,10 @@ public class MailConfig {
     /**
      * Set whether to trust all certificates on ssl connect the option is also
      * applied to {@code STARTTLS} operation. {@code false} by default.
+     * 
+     * @deprecated use quarkus.tls.trust-all instead
      */
-    @ConfigItem
+    @ConfigItem(defaultValue = "${quarkus.tls.trust-all}")
     public boolean trustAll;
 
     /**

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -166,31 +166,14 @@ public class OidcTenantConfig {
 
     @ConfigGroup
     public static class Tls {
-        public enum Verification {
-            /**
-             * Certificates are validated and hostname verification is enabled. This is the default value.
-             */
-            REQUIRED,
-            /**
-             * All certificated are trusted and hostname verification is disabled.
-             */
-            NONE
-        }
 
         /**
-         * Certificate validation and hostname verification, which can be one of the following values from enum
-         * {@link Verification}. Default is required.
+         * Enable or disable certificate validation and hostname verification. Enable by default.
+         * 
+         * @deprecated use quarkus.tls.trust-all instead
          */
-        @ConfigItem(defaultValue = "REQUIRED")
-        public Verification verification;
-
-        public Verification getVerification() {
-            return verification;
-        }
-
-        public void setVerification(Verification verification) {
-            this.verification = verification;
-        }
+        @ConfigItem(defaultValue = "${quarkus.tls.trust-all}")
+        public boolean verification;
 
     }
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java

@@ -16,7 +16,6 @@
 import io.quarkus.oidc.OidcTenantConfig.Credentials;
 import io.quarkus.oidc.OidcTenantConfig.Credentials.Secret;
 import io.quarkus.oidc.OidcTenantConfig.Roles.Source;
-import io.quarkus.oidc.OidcTenantConfig.Tls.Verification;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.smallrye.mutiny.Uni;
@@ -192,7 +191,7 @@ private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oi
             options.setProxyOptions(proxyOpt.get());
         }
 
-        if (oidcConfig.tls.verification == Verification.NONE) {
+        if (oidcConfig.tls.verification) {
             options.setTrustAll(true);
             options.setVerifyHost(false);
         }

extensions/vault/deployment/src/main/java/io/quarkus/vault/VaultProcessor.java

@@ -17,6 +17,7 @@
 import io.quarkus.deployment.builditem.RunTimeConfigurationSourceBuildItem;
 import io.quarkus.deployment.builditem.SslNativeConfigBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.smallrye.health.deployment.spi.HealthBuildItem;
 import io.quarkus.vault.runtime.Base64StringDeserializer;
 import io.quarkus.vault.runtime.Base64StringSerializer;
@@ -73,8 +74,9 @@ AdditionalBeanBuildItem registerAdditionalBeans() {
 
     @Record(ExecutionTime.RUNTIME_INIT)
     @BuildStep
-    void configure(VaultRecorder recorder, VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig) {
-        recorder.configureRuntimeProperties(buildTimeConfig, serverConfig);
+    void configure(VaultRecorder recorder, VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig,
+            TlsConfig tlsConfig) {
+        recorder.configureRuntimeProperties(buildTimeConfig, serverConfig, tlsConfig);
     }
 
     @BuildStep

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultManager.java

@@ -1,5 +1,6 @@
 package io.quarkus.vault.runtime;
 
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vault.runtime.client.OkHttpVaultClient;
 import io.quarkus.vault.runtime.client.VaultClient;
 import io.quarkus.vault.runtime.config.VaultBuildTimeConfig;
@@ -11,6 +12,7 @@ public class VaultManager {
 
     private VaultRuntimeConfig serverConfig;
     private VaultBuildTimeConfig buildTimeConfig;
+    private TlsConfig tlsConfig;
 
     private VaultClient vaultClient;
     private VaultAuthManager vaultAuthManager;
@@ -26,23 +28,25 @@ public static VaultManager getInstance() {
         return instance;
     }
 
-    public static void init(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig) {
+    public static void init(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) {
         if (instance == null) {
-            instance = new VaultManager(buildTimeConfig, serverConfig);
+            instance = new VaultManager(buildTimeConfig, serverConfig, tlsConfig);
         }
     }
 
     public static void reset() {
         instance = null;
     }
 
-    public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig) {
-        this(vaultBuildTimeConfig, serverConfig, new OkHttpVaultClient(serverConfig));
+    public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) {
+        this(vaultBuildTimeConfig, serverConfig, new OkHttpVaultClient(serverConfig, tlsConfig), tlsConfig);
     }
 
-    public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig, VaultClient vaultClient) {
+    public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig, VaultClient vaultClient,
+            TlsConfig tlsConfig) {
         this.serverConfig = serverConfig;
         this.vaultClient = vaultClient;
+        this.tlsConfig = tlsConfig;
         this.buildTimeConfig = vaultBuildTimeConfig;
         this.vaultAuthManager = new VaultAuthManager(this.vaultClient, serverConfig);
         this.vaultKvManager = new VaultKvManager(this.vaultAuthManager, this.vaultClient, serverConfig);
@@ -87,6 +91,10 @@ public VaultRuntimeConfig getServerConfig() {
         return serverConfig;
     }
 
+    public TlsConfig getTlsConfig() {
+        return tlsConfig;
+    }
+
     public VaultBuildTimeConfig getBuildTimeConfig() {
         return buildTimeConfig;
     }

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultRecorder.java

@@ -3,6 +3,7 @@
 import org.jboss.logging.Logger;
 
 import io.quarkus.arc.Arc;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.vault.runtime.config.VaultBuildTimeConfig;
 import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
@@ -12,11 +13,12 @@ public class VaultRecorder {
 
     private static final Logger log = Logger.getLogger(VaultRecorder.class);
 
-    public void configureRuntimeProperties(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig vaultRuntimeConfig) {
+    public void configureRuntimeProperties(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig vaultRuntimeConfig,
+            TlsConfig tlsConfig) {
 
         if (vaultRuntimeConfig.url.isPresent()) {
             VaultServiceProducer producer = Arc.container().instance(VaultServiceProducer.class).get();
-            producer.setVaultConfigs(vaultBuildTimeConfig, vaultRuntimeConfig);
+            producer.setVaultConfigs(vaultBuildTimeConfig, vaultRuntimeConfig, tlsConfig);
         }
 
     }

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultServiceProducer.java

@@ -6,6 +6,7 @@
 import javax.inject.Named;
 
 import io.quarkus.credentials.CredentialsProvider;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vault.VaultKVSecretEngine;
 import io.quarkus.vault.VaultSystemBackendEngine;
 import io.quarkus.vault.VaultTOTPSecretEngine;
@@ -58,7 +59,7 @@ public void close() {
         VaultManager.reset();
     }
 
-    public void setVaultConfigs(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig) {
-        VaultManager.init(buildTimeConfig, serverConfig);
+    public void setVaultConfigs(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) {
+        VaultManager.init(buildTimeConfig, serverConfig, tlsConfig);
     }
 }

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java

@@ -3,7 +3,7 @@
 import static io.quarkus.vault.runtime.client.CertificateHelper.createSslContext;
 import static io.quarkus.vault.runtime.client.CertificateHelper.createTrustManagers;
 import static io.quarkus.vault.runtime.config.VaultAuthenticationType.KUBERNETES;
-import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.KUBERNETES_CACERT;
+import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.*;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
@@ -17,6 +17,7 @@
 
 import org.jboss.logging.Logger;
 
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.runtime.util.JavaVersionUtil;
 import io.quarkus.vault.VaultException;
 import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
@@ -27,7 +28,7 @@ public class OkHttpClientFactory {
 
     private static final Logger log = Logger.getLogger(OkHttpClientFactory.class.getName());
 
-    public static OkHttpClient createHttpClient(VaultRuntimeConfig serverConfig) {
+    public static OkHttpClient createHttpClient(VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) {
 
         OkHttpClient.Builder builder = new OkHttpClient.Builder()
                 .connectTimeout(serverConfig.connectTimeout)
@@ -40,7 +41,7 @@ public static OkHttpClient createHttpClient(VaultRuntimeConfig serverConfig) {
         }
 
         try {
-            if (serverConfig.tls.skipVerify) {
+            if (serverConfig.tls.skipVerify || tlsConfig.trustAll) {
                 skipVerify(builder);
             } else if (serverConfig.tls.caCert.isPresent()) {
                 cacert(builder, serverConfig.tls.caCert.get());

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpVaultClient.java

@@ -16,6 +16,7 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vault.VaultException;
 import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleAuth;
 import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleAuthBody;
@@ -83,8 +84,8 @@ public class OkHttpVaultClient implements VaultClient {
     private String kubernetesAuthMountPath;
     private ObjectMapper mapper = new ObjectMapper();
 
-    public OkHttpVaultClient(VaultRuntimeConfig serverConfig) {
-        this.client = createHttpClient(serverConfig);
+    public OkHttpVaultClient(VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) {
+        this.client = createHttpClient(serverConfig, tlsConfig);
         this.url = serverConfig.url.get();
         this.mapper.configure(FAIL_ON_UNKNOWN_PROPERTIES, false);
         this.mapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultConfigSource.java

@@ -43,6 +43,7 @@
 import org.eclipse.microprofile.config.spi.ConfigSource;
 import org.jboss.logging.Logger;
 
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.runtime.configuration.DurationConverter;
 import io.quarkus.vault.VaultException;
 import io.quarkus.vault.runtime.LogConfidentialityLevel;
@@ -61,6 +62,7 @@ public class VaultConfigSource implements ConfigSource {
     private AtomicReference<VaultCacheEntry<Map<String, String>>> cache = new AtomicReference<>(null);
     private AtomicReference<VaultRuntimeConfig> serverConfig = new AtomicReference<>(null);
     private AtomicReference<VaultBuildTimeConfig> buildServerConfig = new AtomicReference<>(null);
+    private AtomicReference<TlsConfig> tlsConfig = new AtomicReference<>(null);
 
     private AtomicBoolean init = new AtomicBoolean(false);
     private int ordinal;
@@ -154,10 +156,11 @@ private VaultManager getVaultManager() {
 
         VaultBuildTimeConfig buildTimeConfig = getBuildtimeConfig();
         VaultRuntimeConfig serverConfig = getRuntimeConfig();
+        TlsConfig tlsConfig = getTlsConfig();
 
         // init at most once
         if (init.compareAndSet(false, true)) {
-            VaultManager.init(buildTimeConfig, serverConfig);
+            VaultManager.init(buildTimeConfig, serverConfig, tlsConfig);
         }
 
         return VaultManager.getInstance();
@@ -167,6 +170,10 @@ private VaultRuntimeConfig getRuntimeConfig() {
         return getConfig(this.serverConfig, () -> loadRuntimeConfig(), "runtime");
     }
 
+    private TlsConfig getTlsConfig() {
+        return getConfig(this.tlsConfig, () -> loadTlsConfig(), "tls");
+    }
+
     private VaultBuildTimeConfig getBuildtimeConfig() {
         return getConfig(this.buildServerConfig, () -> loadBuildtimeConfig(), "buildtime");
     }
@@ -204,6 +211,7 @@ private VaultRuntimeConfig loadRuntimeConfig() {
 
         VaultRuntimeConfig serverConfig = new VaultRuntimeConfig();
         serverConfig.tls = new VaultTlsConfig();
+        serverConfig.tls.skipVerify = Boolean.parseBoolean(getProperty("quarkus.tls.trust-all", "false"));
         serverConfig.transit = new VaultTransitConfig();
         serverConfig.authentication = new VaultAuthenticationConfig();
         serverConfig.authentication.userpass = new VaultUserpassAuthenticationConfig();
@@ -250,6 +258,12 @@ private VaultRuntimeConfig loadRuntimeConfig() {
         return serverConfig;
     }
 
+    private TlsConfig loadTlsConfig() {
+        TlsConfig tlsConfig = new TlsConfig();
+        tlsConfig.trustAll = Boolean.parseBoolean(getProperty("quarkus.tls.trust-all", "false"));
+        return tlsConfig;
+    }
+
     private VaultMapConfigParser<CredentialsProviderConfig> createCredentialProviderConfigParser() {
         return new VaultMapConfigParser<>(CREDENTIALS_PATTERN, this::getCredentialsProviderConfig, getConfigSourceStream());
     }
@@ -312,9 +326,12 @@ private Duration getVaultDuration(String key, String defaultValue) {
 
     private String getVaultProperty(String key, String defaultValue) {
         String propertyName = PROPERTY_PREFIX + key;
+        return getProperty(propertyName, defaultValue);
+    }
 
+    private String getProperty(String key, String defaultValue) {
         return getConfigSourceStream()
-                .map(configSource -> configSource.getValue(propertyName))
+                .map(configSource -> configSource.getValue(key))
                 .filter(value -> value != null && value.length() != 0)
                 .map(String::trim)
                 .findFirst()

extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java

@@ -1,6 +1,5 @@
 package io.quarkus.vault.runtime.config;
 
-import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY;
 import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_USE_KUBERNETES_CACERT;
 
 import java.util.Optional;
@@ -17,8 +16,10 @@ public class VaultTlsConfig {
      * If true this will allow TLS communications with Vault, without checking the validity of the
      * certificate presented by Vault. This is discouraged in production because it allows man in the middle
      * type of attacks.
+     * 
+     * @deprecated use quarkus.tls.trust-all instead
      */
-    @ConfigItem(defaultValue = DEFAULT_TLS_SKIP_VERIFY)
+    @ConfigItem(defaultValue = VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY)
     public boolean skipVerify;
 
     /**

extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultAuthManagerTest.java

@@ -11,6 +11,7 @@
 
 import org.junit.jupiter.api.Test;
 
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vault.runtime.client.OkHttpVaultClient;
 import io.quarkus.vault.runtime.client.VaultClientException;
 import io.quarkus.vault.runtime.client.dto.auth.VaultLookupSelf;
@@ -117,7 +118,7 @@ private VaultRuntimeConfig createConfig() {
     }
 
     private OkHttpVaultClient createVaultClient() {
-        return new OkHttpVaultClient(config) {
+        return new OkHttpVaultClient(config, new TlsConfig()) {
             @Override
             public VaultUserPassAuth loginUserPass(String user, String password) {
                 return vaultUserPassAuth;

extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultDbManagerTest.java

@@ -14,6 +14,7 @@
 
 import org.junit.jupiter.api.Test;
 
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vault.runtime.client.OkHttpVaultClient;
 import io.quarkus.vault.runtime.client.VaultClientException;
 import io.quarkus.vault.runtime.client.dto.database.VaultDatabaseCredentials;
@@ -123,7 +124,7 @@ private VaultRuntimeConfig createConfig() {
     }
 
     private OkHttpVaultClient createVaultClient() {
-        return new OkHttpVaultClient(config) {
+        return new OkHttpVaultClient(config, new TlsConfig()) {
             @Override
             public VaultDatabaseCredentials generateDatabaseCredentials(String token, String databaseCredentialsRole) {
                 return credentials;