From 705bf8bd83b4f8892863dd8cafffea7bb10a7d47 Mon Sep 17 00:00:00 2001
From: gsakun
Date: Sat, 22 Mar 2025 04:09:24 +0800
Subject: [PATCH] add insecure-no-tls flag (#281)

* support enable tls flag
* modify tls enable control flag
Co-authored-by: Nikolay Edigaryev
* Optimize message print
* Avoid unrelated changes to the bootstrap message
* Consistent command-line argument order
* Extra spacing
* No need to shadow controllerCert
---------
Co-authored-by: Nikolay Edigaryev
---
 internal/command/controller/bootstrap.go | 13 +++++++++----
 internal/command/controller/run.go | 22 +++++++++++++++-------
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/internal/command/controller/bootstrap.go b/internal/command/controller/bootstrap.go
index cb6bcf6..fee4a1f 100644
--- a/internal/command/controller/bootstrap.go
+++ b/internal/command/controller/bootstrap.go
@@ -84,14 +84,19 @@ func Bootstrap(controllerInstance *controller.Controller, controllerCert tls.Cer
 		serviceAccountTokenToDisplay = orchardBootstrapAdminToken
 	}
 
-	pterm.Info.Print(
+	messages := []any{
 		pterm.Sprintf("%s:\n", reasonToDisplay),
 		pterm.Sprintln(),
 		pterm.Sprintf("Service account name: %s\n", pterm.Bold.Sprint(BootstrapAdminName)),
 		pterm.Sprintf("Service account token: %s\n", pterm.Bold.Sprint(serviceAccountTokenToDisplay)),
-		pterm.Sprintf("Certificate SHA-256 fingerprint: %s.\n",
-			pterm.Bold.Sprint(certificatefingerprint.CertificateFingerprint(controllerCert.Certificate[0]))),
-	)
+	}
+
+	if !noTLS {
+		messages = append(messages, pterm.Sprintf("Certificate SHA-256 fingerprint: %s.\n",
+			pterm.Bold.Sprint(certificatefingerprint.CertificateFingerprint(controllerCert.Certificate[0]))))
+	}
+
+	pterm.Info.Print(messages...)
 
 	return nil
 }
diff --git a/internal/command/controller/run.go b/internal/command/controller/run.go
index 0dd7036..7e67a7d 100644
--- a/internal/command/controller/run.go
+++ b/internal/command/controller/run.go
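Review bot: `controllerCert.Certificate[0]` inside the new `if !noTLS` branch still indexes an unchecked slice, and the branch is keyed on the package-level `noTLS` set by the run command's flag rather than on the certificate actually passed in, so a caller that hands Bootstrap a zero `tls.Certificate` while `noTLS` is false panics. Guarding on the value itself keeps the function self-contained and removes the hidden dependency on the flag: `if len(controllerCert.Certificate) > 0 {`. Since this output prints the admin service account token, in the no-TLS case consider appending a line such as `pterm.Sprintf("TLS is disabled; connections to the controller are unencrypted.\n")` so the operator sees that the token will travel in clear text. Bootstrap's signature and the start of its body lie outside the hunk.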
@@ -18,6 +18,7 @@ var ErrRunFailed = errors.New("failed to run controller")
 var address string
 var addressSSH string
 var debug bool
+var noTLS bool
 var sshNoClientAuth bool
 var experimentalRPCV2 bool
 var noExperimentalRPCV2 bool
@@ -50,6 +51,8 @@ func newRunCommand() *cobra.Command {
 		" (requires --controller-cert)")
 	cmd.PersistentFlags().StringVar(&sshHostKeyPath, "ssh-host-key", "",
 		"use the SSH private host key from the specified path instead of the auto-generated one")
+	cmd.PersistentFlags().BoolVar(&noTLS, "insecure-no-tls", false,
+		"disable TLS, making all connections to the controller unencrypted")
 	cmd.PersistentFlags().BoolVar(&sshNoClientAuth, "insecure-ssh-no-client-auth", false,
 		"allow SSH clients to connect to the controller's SSH server without authentication, "+
 		"thus only authenticating on the target worker/VM's SSH server")
@@ -93,16 +96,21 @@ func runController(cmd *cobra.Command, args []string) (err error) {
 		return err
 	}
 
-	controllerCert, err := FindControllerCertificate(dataDir)
-	if err != nil {
-		return err
-	}
-
 	controllerOpts := []controller.Option{
 		controller.WithListenAddr(address),
 		controller.WithDataDir(dataDir),
 		controller.WithLogger(logger),
-		controller.WithTLSConfig(&tls.Config{
+	}
+
+	var controllerCert tls.Certificate
+
+	if !noTLS {
+		controllerCert, err = FindControllerCertificate(dataDir)
+		if err != nil {
+			return err
+		}
+
+		controllerOpts = append(controllerOpts, controller.WithTLSConfig(&tls.Config{
 			MinVersion: tls.VersionTLS12,
 			Certificates: []tls.Certificate{
 				controllerCert,
@@ -111,7 +119,7 @@ func runController(cmd *cobra.Command, args []string) (err error) {
 			//
 			// See https://github.com/grpc/grpc-go/issues/7922 for more details.
 			NextProtos: []string{"http/1.1", "h2"},
-		}),
+		})),
 	}
 
 	if addressSSH != "" {
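Review bot: Nothing stops `--insecure-no-tls` from being combined with `--controller-cert` (named in the help text just above the new flag), in which case the certificate flag is accepted but, per the runController hunk below, the certificate lookup is never run, so the operator gets no signal that their cert was ignored. If that flag is what FindControllerCertificate consumes (its definition is above the hunk), declaring the conflict lets cobra reject the combination before the server starts: `cmd.MarkFlagsMutuallyExclusive("insecure-no-tls", "controller-cert")`. The help string could also spell out what is exposed, e.g. `"disable TLS, making all connections to the controller unencrypted (service account tokens are sent in clear text)"`.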
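Review bot: Disabling TLS is silent at runtime — the `if !noTLS` branch skips the certificate lookup and `WithTLSConfig`, but nothing records that the listener is now plaintext, so an operator reading logs or an incident responder cannot tell which mode the controller started in. An `else` on that branch should emit a warning through the `logger` already passed to `controller.WithLogger`, e.g. `logger.Warn("--insecure-no-tls set: controller listens without TLS; all traffic, including service account tokens, is unencrypted")` (adjust to the logger's API, which is not visible here). With the hoisted `var controllerCert tls.Certificate`, a zero-value certificate now flows on to the rest of runController, whose body continues past the hunk; any later use of `controllerCert.Certificate[0]` must be guarded by `len(controllerCert.Certificate) > 0` rather than by the flag alone.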