Inherit insecureSkipTLSVerify from BSL config for CLI downloads #9768
Open
Joeavaikath wants to merge 2 commits into
When a BackupStorageLocation has spec.config.insecureSkipTLSVerify set to "true", the CLI now inherits this for download requests (backup logs, backup download, backup describe, restore logs, restore describe). This follows the same pattern used for caCert inheritance. The CLI flag --insecure-skip-tls-verify still works and overrides the BSL value.

Signed-off-by: Joseph <jvaikath@redhat.com>
kaovilai approved these changes Apr 30, 2026
kaovilai reviewed Apr 30, 2026
kaovilai (Member) left a comment:
Didn't include this in prior cacert-from-bsl CLI work because the insecure flag was easy enough. Plus, whether it's insecure depends on the local system executing. If the host machine had trusted the cert, it may not be insecure on the host, only in the k8s server.
Summary

When a BackupStorageLocation has spec.config.insecureSkipTLSVerify set to "true", the Velero CLI now inherits this setting for download requests. Previously, users had to manually pass --insecure-skip-tls-verify on every CLI command (velero backup logs, velero backup download, velero backup describe, velero restore logs, velero restore describe), even though the BSL already declared the endpoint as untrusted.

This follows the same pattern used for caCert/caCertRef inheritance — the CLI already reads CA certificates from the BSL via pkg/cmd/util/cacert/bsl_cacert.go and passes them to the download HTTP client automatically. This change adds the same treatment for insecureSkipTLSVerify.

Changes

- pkg/cmd/util/cacert/bsl_insecure_tls.go — GetInsecureSkipTLSVerifyFromBSL, FromBackup, FromRestore functions mirroring the existing cacert pattern
- pkg/cmd/util/cacert/bsl_insecure_tls_test.go — 15 table-driven test cases (true/false/case-insensitive/nil-config/missing-key/not-found scenarios)
- pkg/builder/backup_storage_location_builder.go — added Config(map[string]string) builder method for tests
- backup/logs.go, backup/download.go, restore/logs.go, backup/describe.go, restore/describe.go) — each now reads the BSL value and merges with the CLI flag

Behavior

- effectiveSkipTLS = cliFlag || bslConfigValue
- --insecure-skip-tls-verify CLI flag still works and overrides the BSL value

Does your change fix a particular issue?
Fixes #(issue)
Please indicate you've done the following:
make new-changelog) or comment /kind changelog-not-required on this PR.
site/content/docs/main.
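
The merge rule from the Behavior section, as an added Go example (not code from this PR or from Velero; `bslSkipTLS`, `mergeOR`, `mergeExplicit` and `downloadTLSConfig` are hypothetical names). It goes one step beyond the page: under a plain OR, an explicit `--insecure-skip-tls-verify=false` cannot turn verification back on once the BSL says "true", so `mergeExplicit` shows an assumed tri-state alternative in which a flag the user actually set wins.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Config key named on the page (spec.config.insecureSkipTLSVerify).
const skipKey = "insecureSkipTLSVerify"

// bslSkipTLS (hypothetical helper) reads the BSL config map. Only a
// case-insensitive "true" disables verification; a nil map, a missing
// key or any other value leaves verification on.
func bslSkipTLS(config map[string]string) bool {
	return strings.EqualFold(config[skipKey], "true")
}

// mergeOR is the rule stated in the PR: cliFlag || bslConfigValue.
// The flag can only widen the setting, never narrow it.
func mergeOR(cliFlag, bslValue bool) bool {
	return cliFlag || bslValue
}

// mergeExplicit is an assumed alternative, not the PR's behavior: a flag
// the user actually typed wins, otherwise the BSL value is inherited.
func mergeExplicit(flagSet, cliFlag, bslValue bool) bool {
	if flagSet {
		return cliFlag
	}
	return bslValue
}

// downloadTLSConfig builds the client-side TLS settings for a download.
func downloadTLSConfig(skip bool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: skip}
}

func main() {
	// Constructed sample BSL config, not taken from a real cluster.
	inherited := bslSkipTLS(map[string]string{skipKey: "True"})
	// User typed --insecure-skip-tls-verify=false on the command line.
	fmt.Println("OR rule skips verification:      ", mergeOR(false, inherited))
	fmt.Println("explicit rule skips verification:", mergeExplicit(true, false, inherited))
	fmt.Println("client InsecureSkipVerify (OR):  ",
		downloadTLSConfig(mergeOR(false, inherited)).InsecureSkipVerify)
}
```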