feat(interceptor): Add possibility to skip tls verification for upstreams (#1307)

* Feat(interceptor): Add possibility to skip tls verification for upstreams

Signed-off-by: Ilia Medvedev <ilia.medvedev@codefresh.io>

* Update readme

Signed-off-by: Ilia Medvedev <ilia.medvedev@codefresh.io>

* Update CHANGELOG.md

Signed-off-by: ilia-medvedev-codefresh <ilia.medvedev@codefresh.io>

* run goimports

Signed-off-by: Ilia Medvedev <ilia.medvedev@codefresh.io>

---------

Signed-off-by: Ilia Medvedev <ilia.medvedev@codefresh.io>
Signed-off-by: ilia-medvedev-codefresh <ilia.medvedev@codefresh.io>

Author: ilia-medvedev-codefresh

CHANGELOG.md

@@ -28,7 +28,7 @@ This changelog keeps track of work items that have been completed and are ready
 - **General**: Add configurable tracing support to the interceptor proxy ([#1021](https://github.com/kedacore/http-add-on/pull/1021))
 - **General**: Allow using HSO and SO with different names ([#1293](https://github.com/kedacore/http-add-on/issues/1293))
 - **General**: Support profiling for KEDA components ([#4789](https://github.com/kedacore/keda/issues/4789))
-
+- **General**: Add possibility to skip TLS verification for upstreams in interceptor ([#1307](https://github.com/kedacore/http-add-on/pull/1307))
 ### Improvements
 
 - **General**: TODO ([#TODO](https://github.com/kedacore/http-add-on/issues/TODO))

docs/operate.md

@@ -28,6 +28,8 @@ For setting multiple TLS certs, set `KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS` with
 * `XYZ.crt` + `XYZ.key` - this is a convention when using Kubernetes Secrets of type tls
 * `XYZ.pem` + `XYZ-key.pem`
 
+To disable certificate chain verification, set `KEDA_HTTP_PROXY_TLS_SKIP_VERIFY` to `false`
+
 The matching between certs and requests is performed during the TLS ClientHelo message, where the SNI service name is compared to SANs provided in each cert and the first matching cert will be used for the rest of the TLS handshake.
 # Configuring tracing for the KEDA HTTP Add-on interceptor proxy
 

interceptor/config/serving.go

@@ -43,6 +43,8 @@ type Serving struct {
 	TLSKeyPath string `envconfig:"KEDA_HTTP_PROXY_TLS_KEY_PATH" default:"/certs/tls.key"`
 	// TLSCertStorePaths is a comma separated list of paths to read the certificate/key pairs for the TLS server
 	TLSCertStorePaths string `envconfig:"KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS" default:""`
+	// TLSSkipVerify is a boolean flag to specify whether the interceptor should skip TLS verification for upstreams
+	TLSSkipVerify bool `envconfig:"KEDA_HTTP_PROXY_TLS_SKIP_VERIFY" default:"false"`
 	// TLSPort is the port that the server should serve on if TLS is enabled
 	TLSPort int `envconfig:"KEDA_HTTP_PROXY_TLS_PORT" default:"8443"`
 	// ProfilingAddr if not empty, pprof will be available on this address, assuming host:port here

interceptor/main.go

@@ -192,7 +192,7 @@ func main() {
 	// start a proxy server with TLS
 	if proxyTLSEnabled {
 		eg.Go(func() error {
-			proxyTLSConfig := map[string]string{"certificatePath": servingCfg.TLSCertPath, "keyPath": servingCfg.TLSKeyPath, "certstorePaths": servingCfg.TLSCertStorePaths}
+			proxyTLSConfig := map[string]interface{}{"certificatePath": servingCfg.TLSCertPath, "keyPath": servingCfg.TLSKeyPath, "certstorePaths": servingCfg.TLSCertStorePaths, "skipVerify": servingCfg.TLSSkipVerify}
 			proxyTLSPort := servingCfg.TLSPort
 			k8sSharedInformerFactory.WaitForCacheSync(ctx.Done())
 
@@ -308,12 +308,15 @@ func defaultCertPool(logger logr.Logger) *x509.CertPool {
 
 // getTLSConfig creates a TLS config from KEDA_HTTP_PROXY_TLS_CERT_PATH, KEDA_HTTP_PROXY_TLS_KEY_PATH and KEDA_HTTP_PROXY_TLS_CERTSTORE_PATHS
 // The matching between request and certificate is performed by comparing TLS/SNI server name with x509 SANs
-func getTLSConfig(tlsConfig map[string]string, logger logr.Logger) (*tls.Config, error) {
-	certPath := tlsConfig["certificatePath"]
-	keyPath := tlsConfig["keyPath"]
-	certStorePaths := tlsConfig["certstorePaths"]
+func getTLSConfig(tlsConfig map[string]interface{}, logger logr.Logger) (*tls.Config, error) {
+	certPath, _ := tlsConfig["certificatePath"].(string)
+	keyPath, _ := tlsConfig["keyPath"].(string)
+	certStorePaths, _ := tlsConfig["certstorePaths"].(string)
+	insecureSkipVerify, _ := tlsConfig["skipVerify"].(bool)
+
 	servingTLS := &tls.Config{
-		RootCAs: defaultCertPool(logger),
+		RootCAs:            defaultCertPool(logger),
+		InsecureSkipVerify: insecureSkipVerify,
 	}
 	var defaultCert *tls.Certificate
 
@@ -404,7 +407,7 @@ func runProxyServer(
 	timeouts *config.Timeouts,
 	port int,
 	tlsEnabled bool,
-	tlsConfig map[string]string,
+	tlsConfig map[string]interface{},
 	tracingConfig *config.Tracing,
 ) error {
 	dialer := kedanet.NewNetDialer(timeouts.Connect, timeouts.KeepAlive)
@@ -430,6 +433,7 @@ func runProxyServer(
 	if tlsCfg != nil {
 		forwardingTLSCfg.RootCAs = tlsCfg.RootCAs
 		forwardingTLSCfg.Certificates = tlsCfg.Certificates
+		forwardingTLSCfg.InsecureSkipVerify = tlsCfg.InsecureSkipVerify
 	}
 
 	upstreamHandler = newForwardingHandler(

interceptor/main_test.go

@@ -92,7 +92,7 @@ func TestRunProxyServerCountMiddleware(t *testing.T) {
 			timeouts,
 			port,
 			false,
-			map[string]string{},
+			map[string]interface{}{},
 			&tracingCfg,
 		)
 	})
@@ -232,7 +232,7 @@ func TestRunProxyServerWithTLSCountMiddleware(t *testing.T) {
 			timeouts,
 			port,
 			true,
-			map[string]string{"certificatePath": "../certs/tls.crt", "keyPath": "../certs/tls.key"},
+			map[string]interface{}{"certificatePath": "../certs/tls.crt", "keyPath": "../certs/tls.key", "skipVerify": true},
 			&tracingCfg,
 		)
 	})
@@ -382,7 +382,7 @@ func TestRunProxyServerWithMultipleCertsTLSCountMiddleware(t *testing.T) {
 			timeouts,
 			port,
 			true,
-			map[string]string{"certstorePaths": "../certs"},
+			map[string]interface{}{"certstorePaths": "../certs"},
 			&tracingCfg,
 		)
 	})