Skip to content
This repository was archived by the owner on Aug 14, 2020. It is now read-only.

Make insecure flag in discovery granular #545

Closed
krnowak opened this issue Nov 30, 2015 · 6 comments
Closed

Make insecure flag in discovery granular #545

krnowak opened this issue Nov 30, 2015 · 6 comments
Labels
component/discovery component/tooling help wanted

Comments

@krnowak
Copy link
Member

krnowak commented Nov 30, 2015

In the beginning insecure only meant "I want to perform discovery over HTTP if HTTPS didn't work". But right now it means "I want to perform discovery over HTTP if HTTPS didn't work and I even want to send my credentials over HTTP". These meaning should be split.

The functions with insecure flag are discovery.DiscoverPublicKeys, discovery.DiscoverEndpoints and discovery.DiscoverWalk. I only checked discovery/discovery.go and discovery/http.go.

I didn't check if there are some other parts of this project that do similar things.
@krnowak krnowak mentioned this issue Nov 30, 2015
Open
@alban
Copy link
Member

alban commented Dec 2, 2015

I would like an insecure flag to allow https with invalid certificates. Right now, it is not possible to use https with invalid certificate even if insecure=true. That would be useful for some tests such as rkt/rkt#1822.

So we'd need several flags:

  • insecureTls: don't check certificates
  • insecureHttp: allow fallback on http
  • maybe: insecureCredentials: allow sending credentials on http or on https with unchecked certificate.

alban added a commit to kinvolk-archives/appc-spec that referenced this issue Dec 2, 2015
@alban
discovery: add insecureTls flag to skip TLS checks
7600119 
The "insecure" was previously used to allow http. This is now split into
two flags "insecureHttp" and "insecureTls".

Related to appc#545
@alban alban mentioned this issue Dec 2, 2015
Merged
alban added a commit to kinvolk-archives/appc-spec that referenced this issue Dec 2, 2015
@alban
discovery: add insecureTls flag to skip TLS checks
fe1d9d1 
The "insecure" was previously used to allow http. This is now split into
two flags "insecureHttp" and "insecureTls".

Related to appc#545
alban added a commit to kinvolk-archives/appc-spec that referenced this issue Dec 3, 2015
@alban
discovery: add insecure flags for http and tls
29bafaa 
The "insecure" bool was previously used to allow http. This is now
changed to a bit field with "InsecureHttp" and "InsecureTls".

Related to appc#545
alban added a commit to kinvolk-archives/appc-spec that referenced this issue Dec 3, 2015
@alban
discovery: add insecure flags for http and tls
296ac04 
The "insecure" bool was previously used to allow http. This is now
changed to a bit field with "InsecureHttp" and "InsecureTls".

Related to appc#545
alban added a commit to kinvolk-archives/appc-spec that referenced this issue Dec 3, 2015
@alban
discovery: add insecure flags for http and tls
dec3590 
The "insecure" bool was previously used to allow http. This is now
changed to a bit field with "InsecureHttp" and "InsecureTls".

Related to appc#545
@blixtra blixtra mentioned this issue Jan 7, 2016
Closed
@blixtra
Copy link
Contributor

blixtra commented Jan 7, 2016

What's the status of the insecureCredentials? Is this deemed worth having?

@jonboulle
Copy link
Contributor

Do we have a use case? Would someone want one but not the other?

@blixtra
Copy link
Contributor

blixtra commented Jan 8, 2016

IMO, we should just go with insecureHTTP. I would assume that if one uses insecureHTTP then one knows secrets may be sent in the clear and is ok with that.

@jonboulle
Copy link
Contributor

Seems reasonable to me.

Chris Kühl [email protected] schrieb am Fr., 8. Jan. 2016 10:40:

IMO, we should just go with insecureHTTP. I would assume that if one uses
insecureHTTP then one knows secrets may be sent in the clear and is ok with
that.


Reply to this email directly or view it on GitHub
#545 (comment).

@blixtra
Copy link
Contributor

blixtra commented Jan 8, 2016

Is it fair to close this then?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
component/discovery component/tooling help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@alban @krnowak @blixtra @jonboulle