allow self signed certs with insecureSkipVerify #1769
Conversation
you'll get this error otherwise: x509: certificate signed by unknown authority Signed-off-by: Steven Chung <[email protected]>
Thanks @s12chung! I'm curious, what object storage system are you using with self-signed certs?
happy to contribute :) we're using minio
Signed-off-by: Steven Chung <[email protected]>
Some comments wrt documenting the new flag.
pkg/cmd/cli/backup/describe.go (Outdated)
@@ -85,6 +86,7 @@ func NewDescribeCommand(f client.Factory, use string) *cobra.Command { | |||
|
|||
c.Flags().StringVarP(&listOptions.LabelSelector, "selector", "l", listOptions.LabelSelector, "only show items matching this label selector") | |||
c.Flags().BoolVar(&details, "details", details, "display additional detail in the command output") | |||
c.Flags().BoolVar(&insecureSkipVerify, "insecureskipverify", insecureSkipVerify, "accept any TLS certificate presented by the storage service") |
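Review bot: the new `BoolVar` line registers the flag as the run-together word `insecureskipverify`, which does not follow the hyphenated multi-word convention of kubectl's `--insecure-skip-tls-verify`, and its help text ("accept any TLS certificate presented by the storage service") states the behaviour without the consequence; suggest naming it `insecure-skip-tls-verify` and making the help text say that verification is disabled for storage requests and that this exposes the client to man-in-the-middle attacks.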
Would it be good to add something like `not secure`, or `not recommended for production` to all the cli documentation?
`do not verify the TLS certificate for storage requests. This is susceptible to man-in-the-middle attacks.` -- think `man-in-the-middle attacks` says it's dangerous. since this is the client and the flag is non-permanent, I kept it shorter.
@@ -53,6 +53,7 @@ The configurable parameters are as follows: | |||
| `kmsKeyId` | string | Empty | *Example*: "502b409c-4da1-419f-a16e-eif453b3i49f" or "alias/`<KMS-Key-Alias-Name>`"<br><br>Specify an [AWS KMS key][10] id or alias to enable encryption of the backups stored in S3. Only works with AWS S3 and may require explicitly granting key usage rights.| | |||
| `signatureVersion` | string | `"4"` | Version of the signature algorithm used to create signed URLs that are used by velero cli to download backups or fetch logs. Possible versions are "1" and "4". Usually the default version 4 is correct, but some S3-compatible providers like Quobyte only support version 1.| | |||
| `profile` | string | "default" | AWS profile within the credential file to use for given store | | |||
| `insecureSkipVerify` | bool | `false` | Set this to `true` if you do not want to verify the CA certificate for storage requests--like self-signed certs in Minio. | |
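Review bot: the `insecureSkipVerify` row says the option skips verifying "the CA certificate", but what it disables is verification of the storage service's TLS certificate as a whole (chain and hostname), and the row carries no warning; suggest wording the description as "do not verify the TLS certificate for storage requests--like self-signed certs in Minio. This is susceptible to man-in-the-middle attacks and is not recommended for production." so the table matches the risk stated in the CLI help text.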
Please add text warning that this is unsafe.
Set this to `true` if you do not want to verify the TLS certificate for storage requests--like self-signed certs in Minio. This is susceptible to man-in-the-middle attacks and is not recommended for production.
Signed-off-by: Steven Chung <[email protected]>
lgtm mostly!
pkg/cmd/cli/backup/describe.go (Outdated)
@@ -85,6 +86,7 @@ func NewDescribeCommand(f client.Factory, use string) *cobra.Command { | |||
|
|||
c.Flags().StringVarP(&listOptions.LabelSelector, "selector", "l", listOptions.LabelSelector, "only show items matching this label selector") | |||
c.Flags().BoolVar(&details, "details", details, "display additional detail in the command output") | |||
c.Flags().BoolVar(&insecureSkipVerify, "insecureskipverify", insecureSkipVerify, "do not verify the TLS certificate for storage requests. This is susceptible to man-in-the-middle attacks.") |
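Review bot: the help text on the `BoolVar` line now carries the man-in-the-middle warning, but the flag is still registered as `insecureskipverify`; since users of this CLI already know kubectl's `--insecure-skip-tls-verify`, suggest registering the same hyphenated name so the dangerous option is spelled the same way in both tools and is easy to grep for in scripts and audit logs.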
Any reason to not have this be `insecure-skip-verify`? It might also be a good idea to use the same flag `kubectl` uses: `insecure-skip-tls-verify`.
Good point 👍
good idea. changed it all to insecure-skip-tls-verify
pkg/cmd/cli/backup/describe.go (Outdated)
@@ -85,6 +86,7 @@ func NewDescribeCommand(f client.Factory, use string) *cobra.Command { | |||
|
|||
c.Flags().StringVarP(&listOptions.LabelSelector, "selector", "l", listOptions.LabelSelector, "only show items matching this label selector") | |||
c.Flags().BoolVar(&details, "details", details, "display additional detail in the command output") | |||
c.Flags().BoolVar(&insecureSkipVerify, "insecureskipverify", insecureSkipVerify, "do not verify the TLS certificate for storage requests. This is susceptible to man-in-the-middle attacks.") |
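Review bot: the help text on the `BoolVar` line should make the scope explicit, because the same command also talks to the Kubernetes API server and a reader could assume the flag loosens that connection too; suggest "do not verify the TLS certificate for storage requests only. This is susceptible to man-in-the-middle attacks." so it is clear that API-server verification is unaffected.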
We should also probably clarify here that this flag is for storage bucket requests and not requests to the Kubernetes API server
hmm... it already says `do not verify the TLS certificate for storage requests`, so I only added `only` to the end of that: `do not verify the TLS certificate for storage requests only`
sorry I misread that, you're right that it was good as it was, but the change doesn't hurt, thanks!
Signed-off-by: Steven Chung <[email protected]>
lgtm!
👍
…#1769)" This reverts commit 8e35ce0. Signed-off-by: Carlisia <[email protected]>
we need to discuss further if we want to make this option available to folks. the better change would be to support custom CA bundles per #1027 (comment). @s12chung is that an option for you? Regardless, we're not going to include this in v1.1 so we're backing out the merge with #1776.
My bad for merging!
@skriss then both the server and client would have to retrieve the certs in order to do operations. am I correct? hmm.... would need to talk to product owners about this. and need to play around with the code of course. would it be ok to keep
* upstream/master: (118 commits) restore: rename PV when remapping a namespace if PV exists in-cluster (vmware-tanzu#1779) when backing up PVCs with restic, explicitly specify --parent (vmware-tanzu#1807) Unit tests for restic restore (vmware-tanzu#1747) Upgrade kubernetes dependencies to 1.15.3 (vmware-tanzu#1808) create backups from schedules using velero create backup (vmware-tanzu#1734) remove calls to restic check before/after prune (vmware-tanzu#1794) Propose adding feature flags to velero restic backup and restore progress proposal (vmware-tanzu#1765) allow custom restic repo prefix to be specified in BSL config error if restic repo identifier can't be determined update nokogiri dep for website update links on website home page for latest release (vmware-tanzu#1789) Velero 1.1 blog post v1.1.0 changelog fix error formatting Revert "allow self signed certs with insecureSkipVerify (vmware-tanzu#1769)" allow self signed certs with insecureSkipVerify (vmware-tanzu#1769) v1.1.0 docs Add the prefix to BSL config map so that object stores can use it when initializing (vmware-tanzu#1767) add stable/velero to helm commands ...
* jesse/20190828_merge: (511 commits) fix(ci): Update arm32 target. feat(ci): Auto-build restic-restore-helper image in CI. restore: rename PV when remapping a namespace if PV exists in-cluster (vmware-tanzu#1779) when backing up PVCs with restic, explicitly specify --parent (vmware-tanzu#1807) Unit tests for restic restore (vmware-tanzu#1747) Upgrade kubernetes dependencies to 1.15.3 (vmware-tanzu#1808) create backups from schedules using velero create backup (vmware-tanzu#1734) remove calls to restic check before/after prune (vmware-tanzu#1794) Propose adding feature flags to velero restic backup and restore progress proposal (vmware-tanzu#1765) allow custom restic repo prefix to be specified in BSL config error if restic repo identifier can't be determined update nokogiri dep for website update links on website home page for latest release (vmware-tanzu#1789) Velero 1.1 blog post v1.1.0 changelog fix error formatting Revert "allow self signed certs with insecureSkipVerify (vmware-tanzu#1769)" allow self signed certs with insecureSkipVerify (vmware-tanzu#1769) v1.1.0 docs ...
I thought that skipping is merged into the master, but I still get this error:

`velero install --provider aws --bucket velero-2c2fe3cc --secret-file ./credentials-velero --use-volume-snapshots=false --backup-location-config region=default,s3ForcePathStyle="true",s3Url=https://os-s3.domain.de --plugins velero/velero-plugin-for-aws:v1.0.0 --image velero/velero:v1.3.0 --insecure-skip-tls-verify`

`Error: unknown flag: --insecure-skip-tls-verify`

Any ideas?
@macevil for the server, this is a config option on BackupStorageLocations, so you should append
@skriss Oh, thanks, I was on the hose. 🤦🏻♂️
adds `insecureSkipVerify` server config for AWS storage and `--insecureSkipVerify` flag on client for self-signed certs

if needed, let me know how to add a test. I've tested manually and we're using a variant of the code as a team. most of the code is simply passing along the `insecureSkipVerify` flag around until `InsecureSkipVerify` is set on the http client.

closes #1027
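As an added Go example (not Velero's code; `newStorageTransport`, `check` and `demo` are names constructed for this demonstration, and the server certificate is the self-signed one `httptest` ships), this contrasts the two client-side options the thread discusses: passing the flag through to `InsecureSkipVerify` on the http client, as the PR description says, versus the custom CA bundle skriss points to in #1027. Against a local self-signed server it reproduces the `x509: certificate signed by unknown authority` failure from the commit message and shows that only the CA-bundle route makes it go away while keeping chain and hostname verification.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newStorageTransport builds the TLS side of an object-storage client: a CA bundle keeps
// full chain and hostname verification (the #1027 route); insecureSkipVerify accepts any cert.
func newStorageTransport(caPEM []byte, insecureSkipVerify bool) (*http.Transport, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecureSkipVerify}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("CA bundle contains no PEM certificates")
		}
		cfg.RootCAs = pool // trust this bundle in place of the system roots
	}
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.TLSClientConfig = cfg
	return t, nil
}
// check does one GET and reports (connected, failure was a certificate-verification error).
func check(url string, rt http.RoundTripper) (bool, bool) {
	resp, err := (&http.Client{Transport: rt}).Get(url)
	if err != nil {
		var uae x509.UnknownAuthorityError // the error quoted in the PR's commit message
		return false, errors.As(err, &uae) || strings.Contains(err.Error(), "x509")
	}
	resp.Body.Close()
	return true, false
}
// demo serves HTTPS locally with httptest's constructed self-signed certificate and
// probes it with the default, skip-verify and CA-bundle transports.
func demo() (defaultOK, defaultCertErr, skipVerifyOK, caBundleOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	skip, _ := newStorageTransport(nil, true)
	bundle, _ := newStorageTransport(caPEM, false)
	defaultOK, defaultCertErr = check(srv.URL, http.DefaultTransport)
	skipVerifyOK, _ = check(srv.URL, skip)
	caBundleOK, _ = check(srv.URL, bundle)
	return
}
```

The same `RootCAs` pool can be handed to an AWS SDK session through its `HTTPClient`, which is what a per-location CA bundle option would do instead of the skip flag.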