Merge pull request #217 from xmidt-org/hostname-validation

made insecure TLS configurable
xmidt-org · May 21, 2020 · 0b5d084 · 0b5d084
2 parents 9af6fcf + ed84c5b
commit 0b5d084
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,9 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+# Notes
+- The next release needs to be v0.3.0 because #217 & #219.
+
 ## [Unreleased]
+- Made outgoing hostname validation configurable [#217](https://github.com/xmidt-org/caduceus/pull/217)
+  - **Note:** To be backwards compatable, the configuration value of `allowInsecureTLS: true` will need to be defined, otherwise hostname validation is enabled by default.
 - removed contentTypeCounter [#218](https://github.com/xmidt-org/caduceus/pull/218)
 - added configuration for which http codes Caduceus should retry on [#219](https://github.com/xmidt-org/caduceus/pull/219)
+  - **Note:** This configuration change causes the existing retry logic to change.
+
 
 ## [v0.2.8]
 ### Changed

diff --git a/caduceus.yaml b/caduceus.yaml
@@ -292,6 +292,11 @@
   # numWorkerThreads: 3000
   # jobQueueSize: 6000
 
+  # allowInsecureTLS provides a way to enable insecure TLS connections when  
+  # sending events to webhooks.
+  # (Optional) defaults to false
+  allowInsecureTLS: true 
+
   # sender provides the details for each "sender" that services the unique
   # webhook url endpoint
   sender:

diff --git a/caduceus_type.go b/caduceus_type.go
@@ -34,6 +34,7 @@ type CaduceusConfig struct {
 	JobQueueSize     int
 	Sender           SenderConfig
 	JWTValidators    []JWTValidator
+	AllowInsecureTLS bool
 }
 
 type SenderConfig struct {

diff --git a/main.go b/main.go
@@ -98,7 +98,7 @@ func caduceus(arguments []string) int {
 	}
 
 	tr := &http.Transport{
-		TLSClientConfig:       &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: caduceusConfig.AllowInsecureTLS},
 		MaxIdleConnsPerHost:   caduceusConfig.Sender.NumWorkersPerSender,
 		ResponseHeaderTimeout: caduceusConfig.Sender.ResponseHeaderTimeout,
 		IdleConnTimeout:       caduceusConfig.Sender.IdleConnTimeout,