add insecureSkipVerify to http source type#4167
Conversation
This option allows a user to explicitly override TLS for self-signed certificates on specific data sources This option uses existing framework for overriding TLS settings in storageio importer for consistency All existing go tests have been updated to use the default setting "false" to maintain the existing tests Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
|
Hi @xphyr. Thanks for your PR. PRs from untrusted users cannot be marked as trusted with I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
There was a problem hiding this comment.
Thank you!
Overall this makes sense, but I am slightly worried on the security side;
There is no admin level config to say "no one in this cluster may skip TLS on imports".
This is also a problem for existing ImageIO but arguably those are more controlled environments to begin with. Maybe we could require checksum when using insecure imports?
/cc @Acedus
Network policies may be reducing the blast radius here
EDIT:
I guess we could also put a insecureHTTPEndpoints next to existing CDI CR insecureRegistries and inherit it from the platform (OpenShift configuration CR, but from a quick search there isn't one).
| if http.InsecureSkipVerify != nil && *http.InsecureSkipVerify { | ||
| annotations[AnnInsecureSkipVerify] = "true" | ||
| } |
There was a problem hiding this comment.
could we get some unit tests that validate AnnInsecureSkipVerify is correctly set when InsecureSkipVerify is true, or correctly absent when nil/false?
There was a problem hiding this comment.
OK, I think I now have this covered here: 8b34ebd Please be sure to take a close look, writing unit tests is NOT a strength of mine, so I relied on the help of AI to build this.
There was a problem hiding this comment.
This is also a solid unit test, but I think we could take a similar approach to my suggestion #4167 (comment) in pkg/controller/populators/import-populator_test.go
There was a problem hiding this comment.
For this unit test, I feel like we are testing at the proper level... reviewing the rest of the tests for this package none of them appear to be going through the process of checking the environment variables assigned to a pod. While I agree testing for this in the import-controller makes sense, since this is a helper package/function should we not just be testing the results of calling the helper function? Perhaps I am misunderstanding how you would like me to test this. Please advise and thanks for the assistance.
| source, sourceOk := pvc.Annotations[cc.AnnSource] | ||
| if sourceOk && source == cc.SourceImageio { | ||
| if sourceOk && (source == cc.SourceImageio || source == cc.SourceHTTP) { | ||
| if insecureSkipVerify, ok := pvc.Annotations[cc.AnnInsecureSkipVerify]; ok && insecureSkipVerify == "true" { |
There was a problem hiding this comment.
Some unit tests for this would also be great, specifically that no AnnInsecureSkipVerify results in no env var for TLS bypass. Just trying to cover everything that guards the runtime importer app receiving insecure=true
There was a problem hiding this comment.
I have also written a test here: 2aea8ad with the help of AI. I think that does what you are suggesting.
There was a problem hiding this comment.
This is good! I was hoping to assert on the resulting pod env vars though to cover more ground. We should have existing tests that do something along the lines of
_, err := reconciler.Reconcile(context.TODO(), reconcile.Request{NamespacedName: types.NamespacedName{Name: "testPvc1", Namespace: "default"}})
Expect(err).ToNot(HaveOccurred())
pod := &corev1.Pod{}
err = reconciler.client.Get(context.TODO(), types.NamespacedName{Name: "importer-testPvc1", Namespace: "default"}, pod)
<ASSERTION>There was a problem hiding this comment.
I am attempting to re-write the test as you are looking for. Before I move forward with the other unit test, can you review this to see if it is what you were looking for. fixed the issue with my first unit test If this is the proper direction, I will review the unit test for util.go. Please note I have not yet removed the other test. I wanted to ensure that this was the way you wanted to go, before deleting that code. If this is good, I will delete the first test that I wrote.
There was a problem hiding this comment.
Yeah this was the direction. I was looking for something along those lines:
akalenyu@d6c22d0
There was a problem hiding this comment.
OK, I have integrated that into the most recent change. I think we are all set. Thank you for your continued assistance.
|
/test all |
I'd say it would be the admin's responsibility to prevent this using something like a VAP. |
…Verify Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: Mark DeNeve <3779715+xphyr@users.noreply.github.com>
This was my thought as well. I feel like an admission policy would be the way to ensure that end user(s) cant use an insecureHTTP endpoint. I feel like this is a less complicated and more universal way to handle this sort of control. Something like this would handle it base on some quick testing: apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: deny-datavolume-insecure-http
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["cdi.kubevirt.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE"]
resources: ["datavolumes"]
validations:
- expression: >
!has(object.spec.source) ||
!has(object.spec.source.http) ||
!has(object.spec.source.http.insecureSkipVerify) ||
object.spec.source.http.insecureSkipVerify == false
message: "Setting insecureSkipVerify to true on an HTTP source is forbidden for security compliance."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: deny-datavolume-insecure-http-binding
spec:
policyName: deny-datavolume-insecure-http
validationActions: [Deny]
matchResources:
namespaceSelector: {} |
|
@xphyr: The following test failed, say
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/cc @mhenriks |
|
@akalenyu Here are my thoughts on
Leveraging VAP is an existing solution that requires no extra code to write/test/maintain and is arguably more flexible allowing a Cluster Admin to:
|
Signed-off-by: Mark DeNeve <3779715+xphyr@users.noreply.github.com>
Signed-off-by: Mark DeNeve <3779715+xphyr@users.noreply.github.com>
|
/test all |
akalenyu
left a comment
There was a problem hiding this comment.
Thanks for sticking through! I went ahead and prompted Claude to help with the unit test direction, something along those lines should be good
| checksumValidator *ChecksumValidator | ||
|
|
||
| n image.NbdkitOperation | ||
| n image.NbdkitOperation |
There was a problem hiding this comment.
my editor corrects this back, how come you had to pad the spaces?
There was a problem hiding this comment.
Its funny, my editor puts all the spaces in. Even when I remove them, it puts them back. (vscode). If you want I will edit the file outside vscode and commit to remove this change.
There was a problem hiding this comment.
I dug into this, its go fmt that is making this formatting change. I am using go1.25 on my dev machine ...
| source, sourceOk := pvc.Annotations[cc.AnnSource] | ||
| if sourceOk && source == cc.SourceImageio { | ||
| if sourceOk && (source == cc.SourceImageio || source == cc.SourceHTTP) { | ||
| if insecureSkipVerify, ok := pvc.Annotations[cc.AnnInsecureSkipVerify]; ok && insecureSkipVerify == "true" { |
There was a problem hiding this comment.
Yeah this was the direction. I was looking for something along those lines:
akalenyu@d6c22d0
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
Signed-off-by: xphyr <xphyr@users.noreply.github.com>
|
/test all |
|
@xphyr: The following test failed, say
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: akalenyu The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
This PR adds an
insecureSkipVerifyfield tohttpDavaVolume imports. This helps to support connections to https datasources that have corrupt, or incomplete TLS certificates but the user still wants to connect anyway. For example, connections to sources that have a self signed certificate, but no SAN defined for the IP address, will not import, even if you have defined acertConfigMap. This option allows you to bypass this check on a specific DataVolume. This also simplifies the process for downloading from a source using a self-signed certificate, IF you are OK with completely bypassing the check.This leverages the existing code/process for skipping TLS verification that is used by the imageio importer.
I have updated the documentation, as well as the go unit tests, and functional test.
Which issue(s) this PR fixes *:
Fixes #4166
Special notes for your reviewer:
This work was discussed on Slack in the following thread: https://kubernetes.slack.com/archives/C8ED7RKFE/p1780500582897189
Release note: