Skip to content

add insecureSkipVerify to http source type#4167

Open
xphyr wants to merge 11 commits into
kubevirt:mainfrom
xphyr:skiptlsverify
Open

add insecureSkipVerify to http source type#4167
xphyr wants to merge 11 commits into
kubevirt:mainfrom
xphyr:skiptlsverify

Conversation

@xphyr

@xphyr xphyr commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:
This PR adds an insecureSkipVerify field to http DavaVolume imports. This helps to support connections to https datasources that have corrupt, or incomplete TLS certificates but the user still wants to connect anyway. For example, connections to sources that have a self signed certificate, but no SAN defined for the IP address, will not import, even if you have defined a certConfigMap. This option allows you to bypass this check on a specific DataVolume. This also simplifies the process for downloading from a source using a self-signed certificate, IF you are OK with completely bypassing the check.

This leverages the existing code/process for skipping TLS verification that is used by the imageio importer.

I have updated the documentation, as well as the go unit tests, and functional test.

Which issue(s) this PR fixes *:
Fixes #4166

Special notes for your reviewer:
This work was discussed on Slack in the following thread: https://kubernetes.slack.com/archives/C8ED7RKFE/p1780500582897189

Release note:

Added insecureSkipVerify to http source type to support connecting to https endpoints with invalid certificates. 
By default this option is set to false, and must be explicitly set to "true" to use. 
This will not break any existing datavolume definitions.

xphyr added 4 commits June 5, 2026 12:31
This option allows a user to explicitly override TLS for self-signed certificates on specific data sources
This option uses existing framework for overriding TLS settings in storageio importer for consistency
All existing go tests have been updated to use the default setting "false" to maintain the existing tests

Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Jun 9, 2026
@kubevirt-bot

Copy link
Copy Markdown
Contributor

Hi @xphyr. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubevirt-bot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign aglitke for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Signed-off-by: xphyr <xphyr@users.noreply.github.com>

@akalenyu akalenyu left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

Overall this makes sense, but I am slightly worried on the security side;
There is no admin level config to say "no one in this cluster may skip TLS on imports".
This is also a problem for existing ImageIO but arguably those are more controlled environments to begin with. Maybe we could require checksum when using insecure imports?
/cc @Acedus
Network policies may be reducing the blast radius here

EDIT:
I guess we could also put a insecureHTTPEndpoints next to existing CDI CR insecureRegistries and inherit it from the platform (OpenShift configuration CR, but from a quick search there isn't one).

Comment on lines +1756 to +1758
if http.InsecureSkipVerify != nil && *http.InsecureSkipVerify {
annotations[AnnInsecureSkipVerify] = "true"
}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we get some unit tests that validate AnnInsecureSkipVerify is correctly set when InsecureSkipVerify is true, or correctly absent when nil/false?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I think I now have this covered here: 8b34ebd Please be sure to take a close look, writing unit tests is NOT a strength of mine, so I relied on the help of AI to build this.

@akalenyu akalenyu Jun 11, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also a solid unit test, but I think we could take a similar approach to my suggestion #4167 (comment) in pkg/controller/populators/import-populator_test.go

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this unit test, I feel like we are testing at the proper level... reviewing the rest of the tests for this package none of them appear to be going through the process of checking the environment variables assigned to a pod. While I agree testing for this in the import-controller makes sense, since this is a helper package/function should we not just be testing the results of calling the helper function? Perhaps I am misunderstanding how you would like me to test this. Please advise and thanks for the assistance.

source, sourceOk := pvc.Annotations[cc.AnnSource]
if sourceOk && source == cc.SourceImageio {
if sourceOk && (source == cc.SourceImageio || source == cc.SourceHTTP) {
if insecureSkipVerify, ok := pvc.Annotations[cc.AnnInsecureSkipVerify]; ok && insecureSkipVerify == "true" {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some unit tests for this would also be great, specifically that no AnnInsecureSkipVerify results in no env var for TLS bypass. Just trying to cover everything that guards the runtime importer app receiving insecure=true

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have also written a test here: 2aea8ad with the help of AI. I think that does what you are suggesting.

@akalenyu akalenyu Jun 11, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good! I was hoping to assert on the resulting pod env vars though to cover more ground. We should have existing tests that do something along the lines of

_, err := reconciler.Reconcile(context.TODO(), reconcile.Request{NamespacedName: types.NamespacedName{Name: "testPvc1", Namespace: "default"}})
Expect(err).ToNot(HaveOccurred())
pod := &corev1.Pod{}
err = reconciler.client.Get(context.TODO(), types.NamespacedName{Name: "importer-testPvc1", Namespace: "default"}, pod)
<ASSERTION>

@xphyr xphyr Jun 12, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am attempting to re-write the test as you are looking for. Before I move forward with the other unit test, can you review this to see if it is what you were looking for. fixed the issue with my first unit test If this is the proper direction, I will review the unit test for util.go. Please note I have not yet removed the other test. I wanted to ensure that this was the way you wanted to go, before deleting that code. If this is good, I will delete the first test that I wrote.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this was the direction. I was looking for something along those lines:
akalenyu@d6c22d0

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I have integrated that into the most recent change. I think we are all set. Thank you for your continued assistance.

@kubevirt-bot kubevirt-bot requested a review from Acedus June 10, 2026 11:32
@akalenyu

Copy link
Copy Markdown
Collaborator

/test all

@coveralls

coveralls commented Jun 10, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 49.85% (+0.07%) from 49.783% — xphyr:skiptlsverify into kubevirt:main

@Acedus

Acedus commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Thank you!

Overall this makes sense, but I am slightly worried on the security side; There is no admin level config to say "no one in this cluster may skip TLS on imports". This is also a problem for existing ImageIO but arguably those are more controlled environments to begin with. Maybe we could require checksum when using insecure imports? /cc @Acedus Network policies may be reducing the blast radius here

EDIT: I guess we could also put a insecureHTTPEndpoints next to existing CDI CR insecureRegistries and inherit it from the platform (OpenShift configuration CR, but from a quick search there isn't one).

I'd say it would be the admin's responsibility to prevent this using something like a VAP.

xphyr and others added 2 commits June 10, 2026 12:01
…Verify

Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: Mark DeNeve <3779715+xphyr@users.noreply.github.com>
@xphyr

xphyr commented Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

I'd say it would be the admin's responsibility to prevent this using something like a VAP.

This was my thought as well. I feel like an admission policy would be the way to ensure that end user(s) cant use an insecureHTTP endpoint. I feel like this is a less complicated and more universal way to handle this sort of control. Something like this would handle it base on some quick testing:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-datavolume-insecure-http
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["cdi.kubevirt.io"]
      apiVersions: ["v1beta1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["datavolumes"]
  validations:
    - expression: >
        !has(object.spec.source) || 
        !has(object.spec.source.http) || 
        !has(object.spec.source.http.insecureSkipVerify) || 
        object.spec.source.http.insecureSkipVerify == false
      message: "Setting insecureSkipVerify to true on an HTTP source is forbidden for security compliance."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-datavolume-insecure-http-binding
spec:
  policyName: deny-datavolume-insecure-http
  validationActions: [Deny]
  matchResources:
    namespaceSelector: {}

@kubevirt-bot

Copy link
Copy Markdown
Contributor

@xphyr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-containerized-data-importer-e2e-s390x 02e1bee link unknown /test pull-containerized-data-importer-e2e-s390x
Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@akalenyu

Copy link
Copy Markdown
Collaborator

Yeah VAP is good but we could follow the admin controlled flow similarly to insecureRegistries (insecureHTTPEndpoints?). What do folks think? I know we went with DV spec for ImageIO and I realize that I am effectively challenging that too.
/cc @Acedus @awels

@kubevirt-bot kubevirt-bot requested a review from awels June 11, 2026 10:37
@akalenyu

Copy link
Copy Markdown
Collaborator

/cc @mhenriks

@kubevirt-bot kubevirt-bot requested a review from mhenriks June 11, 2026 10:37
@xphyr

xphyr commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

@akalenyu Here are my thoughts on insecureHTTPEndpoints and why I think defining the override as part of DataSource definition:

  • Primary concern is that this does not allow for dynamic endpoints. Every time someone wants/needs to pull from an insecure endpoint they will need to contact/work with a cluster admin to pull from an insecure site. This will be the only way to do it. This puts extra burden on the end user and cluster admin in all scenarios.
  • The secondary concern is that I think that this adds extra complexity to the code base (not a lot) needing to check the config and validating the config.
  • I would also argue that the ImageIO code should be updated to follow the same pattern so that the process is the same across multiple providers
  • The OpenStack importer also uses "insecureSkipVerify" as part of its process https://github.com/kubevirt/containerized-data-importer/blob/main/cmd/openstack-populator/openstack-populator.go#L49 so to maintain consistency this would probably need to be updated as well
  • Finally, it just feels cleaner ... if you want to understand a DataSource everything about it is defined in one place, with this implementation, if I want to know if insecureSkipVerify is required, I need only look at the datasource definition. To understand the same using the insecureHTTPEndpoints solution I need to look at the DataSource definition as well as the CDIConfig. As an end user, I wont have permissions to view the CDIConfig to see if my endpoint is even allowed.

Leveraging VAP is an existing solution that requires no extra code to write/test/maintain and is arguably more flexible allowing a Cluster Admin to:

  • do nothing, and let the end user "do the right thing"
  • disable it entirely with a VAP
  • allow specific endpoints as part of the VAP definition if this level of control is required

@kubevirt-bot kubevirt-bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Jun 12, 2026
xphyr and others added 2 commits June 16, 2026 10:38
Signed-off-by: Mark DeNeve <3779715+xphyr@users.noreply.github.com>
Signed-off-by: Mark DeNeve <3779715+xphyr@users.noreply.github.com>
@kubevirt-bot kubevirt-bot removed the dco-signoff: no Indicates the PR's author has not DCO signed all their commits. label Jun 16, 2026
@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Jun 16, 2026
@akalenyu

Copy link
Copy Markdown
Collaborator

/test all

@akalenyu akalenyu left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for sticking through! I went ahead and prompted Claude to help with the unit test direction, something along those lines should be good

checksumValidator *ChecksumValidator

n image.NbdkitOperation
n image.NbdkitOperation

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my editor corrects this back, how come you had to pad the spaces?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its funny, my editor puts all the spaces in. Even when I remove them, it puts them back. (vscode). If you want I will edit the file outside vscode and commit to remove this change.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dug into this, its go fmt that is making this formatting change. I am using go1.25 on my dev machine ...

source, sourceOk := pvc.Annotations[cc.AnnSource]
if sourceOk && source == cc.SourceImageio {
if sourceOk && (source == cc.SourceImageio || source == cc.SourceHTTP) {
if insecureSkipVerify, ok := pvc.Annotations[cc.AnnInsecureSkipVerify]; ok && insecureSkipVerify == "true" {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this was the direction. I was looking for something along those lines:
akalenyu@d6c22d0

@kubevirt-prow kubevirt-prow Bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Jul 1, 2026
xphyr added 2 commits July 6, 2026 16:11
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
@kubevirt-prow kubevirt-prow Bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Jul 6, 2026
@akalenyu

akalenyu commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

/test all

@kubevirt-prow

kubevirt-prow Bot commented Jul 7, 2026

Copy link
Copy Markdown

@xphyr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-containerized-data-importer-e2e-s390x ab32873 link false /test pull-containerized-data-importer-e2e-s390x
Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@xphyr xphyr marked this pull request as ready for review July 7, 2026 12:32
@kubevirt-prow kubevirt-prow Bot requested a review from arnongilboa July 7, 2026 12:33
@akalenyu

akalenyu commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

/approve
/cc @Acedus

@kubevirt-prow

kubevirt-prow Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: akalenyu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-prow kubevirt-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L

Projects

None yet

Development

Successfully merging this pull request may close these issues.

http source data importer can not import from a https source with missing/invalid SAN

5 participants