feat: Set vars when TLS disabled or Dev enabled #2008

Callisto13 · 2022-04-26T14:05:18Z

This is so that the UI can query what has been set on the server and
display appropriate warning messages.

It will also be logged on each request whether TLS is enabled or not.

Part of #1959

This is so that the UI can query what has been set on the server and display appropriate warning messages. It will also be logged on each request whether TLS is enabled or not.

ozamosi · 2022-04-26T14:26:01Z

cmd/gitops-server/cmd/cmd.go

@@ -286,7 +287,10 @@ func runCmd(cmd *cobra.Command, args []string) error {

 func listenAndServe(log logr.Logger, srv *http.Server, options Options) error {
 	if options.Insecure {
-		log.Info("TLS connections disabled")
+		log.Info(
+			"WARNING: TLS connections disabled by the `--insecure` flag. All data INCLUDING AUTH TOKENS will be transmitted without encryption.")


I'm not sure this makes sense - we expect --insecure to pretty much always be set for security reasons: you'll have a separate ingress to encrypt the data, so you don't need to worry about how to configure allowed ciphers, special-case certificate renewal, and so on. That doesn't mean anything will be transmitted without encryption.

Oh i didn't realised we did that now. In that case, why do we offer TLS at all?

looool excellent

i might be closing this one then

That other ingress is on the user to configure though right? And I assume we'd have no way of knowing whether they have appropriately configured? In which case a warning still feels valid but perhaps the wording changes to more of a "ensure you have an appropriately configured ingress..."

additionally, if we do indeed expect --insecure to be the default in a secure configuration... maybe we need to think about renaming :)

Opened #2010 to discuss what we really want to do around this

Callisto13 · 2022-04-26T15:10:22Z

closing for now, may open again later

feat: Set vars when TLS disabled or Dev enabled

4cabef5

This is so that the UI can query what has been set on the server and display appropriate warning messages. It will also be logged on each request whether TLS is enabled or not.

Callisto13 added type/enhancement New feature or request team/mauvelous area/ui Issues that require front-end work and removed area/ui Issues that require front-end work labels Apr 26, 2022

ozamosi reviewed Apr 26, 2022

View reviewed changes

Callisto13 mentioned this pull request Apr 26, 2022

Question: Do we need to have TLS on Core? #2010

Closed

Callisto13 closed this Apr 26, 2022

makkes deleted the insecure-warning branch December 9, 2022 09:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Set vars when TLS disabled or Dev enabled #2008

feat: Set vars when TLS disabled or Dev enabled #2008

Callisto13 commented Apr 26, 2022

ozamosi Apr 26, 2022

Callisto13 Apr 26, 2022

ozamosi Apr 26, 2022

Callisto13 Apr 26, 2022

sympatheticmoose Apr 27, 2022

sympatheticmoose Apr 27, 2022

Callisto13 Apr 27, 2022

Callisto13 commented Apr 26, 2022

feat: Set vars when TLS disabled or Dev enabled #2008

feat: Set vars when TLS disabled or Dev enabled #2008

Conversation

Callisto13 commented Apr 26, 2022

ozamosi Apr 26, 2022

Choose a reason for hiding this comment

Callisto13 Apr 26, 2022

Choose a reason for hiding this comment

ozamosi Apr 26, 2022

Choose a reason for hiding this comment

Callisto13 Apr 26, 2022

Choose a reason for hiding this comment

sympatheticmoose Apr 27, 2022

Choose a reason for hiding this comment

sympatheticmoose Apr 27, 2022

Choose a reason for hiding this comment

Callisto13 Apr 27, 2022

Choose a reason for hiding this comment

Callisto13 commented Apr 26, 2022