Skip tls verification, if IP address is used for baseURL host

Signed-off-by: Tamal Saha <[email protected]>
open-viz · Jul 11, 2024 · b7b1dd8 · b7b1dd8
1 parent d4223ae
commit b7b1dd8
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/pkg/controllers/prometheus/client.go b/pkg/controllers/prometheus/client.go
@@ -21,7 +21,9 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"io"
+	"net"
 	"net/http"
+	"net/url"
 	"path"
 
 	"go.openviz.dev/apimachinery/apis/openviz"
@@ -53,7 +55,18 @@ func NewClient(baseURL, token string, caCert []byte) (*Client, error) {
 		caCert:  caCert,
 	}
 	if len(caCert) == 0 {
-		c.client = http.DefaultClient
+		u, err := url.Parse(baseURL)
+		if err != nil {
+			return nil, err
+		}
+		// use InsecureSkipVerify, if IP address is used for baseURL host
+		if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" {
+			customTransport := http.DefaultTransport.(*http.Transport).Clone()
+			customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			c.client = &http.Client{Transport: customTransport}
+		} else {
+			c.client = http.DefaultClient
+		}
 	} else {
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM(caCert)

diff --git a/pkg/grafana/builder.go b/pkg/grafana/builder.go
@@ -18,7 +18,10 @@ package grafana
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
+	"net"
+	"net/url"
 	"sync"
 
 	sdk "go.openviz.dev/grafana-sdk"
@@ -194,6 +197,14 @@ func (r *ClientBuilder) GetGrafanaClient() (*sdk.Client, error) {
 	if cfg.TLS != nil && len(cfg.TLS.CABundle) > 0 {
 		httpClient.SetRootCertificateFromString(string(cfg.TLS.CABundle))
 	}
+	u, err := url.Parse(r.cfg.Addr)
+	if err != nil {
+		return nil, err
+	}
+	// use InsecureSkipVerify, if IP address is used for baseURL host
+	if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" {
+		httpClient.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+	}
 
 	gc, err := sdk.NewClient(r.cfg.Addr, r.cfg.AuthConfig, httpClient)
 	if err != nil {

diff --git a/pkg/grafana/client.go b/pkg/grafana/client.go
@@ -18,6 +18,9 @@ package grafana
 
 import (
 	"context"
+	"crypto/tls"
+	"net"
+	"net/url"
 
 	openvizapi "go.openviz.dev/apimachinery/apis/openviz/v1alpha1"
 	sdk "go.openviz.dev/grafana-sdk"
@@ -56,6 +59,14 @@ func newGrafanaClient(ctx context.Context, kc client.Client, ab *appcatalog.AppB
 	if cfg.TLS != nil && len(cfg.TLS.CABundle) > 0 {
 		httpClient.SetRootCertificateFromString(string(cfg.TLS.CABundle))
 	}
+	u, err := url.Parse(cfg.Addr)
+	if err != nil {
+		return nil, err
+	}
+	// use InsecureSkipVerify, if IP address is used for baseURL host
+	if ip := net.ParseIP(u.Hostname()); ip != nil && u.Scheme == "https" {
+		httpClient.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+	}
 
 	return sdk.NewClient(cfg.Addr, cfg.AuthConfig, httpClient)
 }