adobe / himl

A hierarchical yaml config in Python

Home Page: https://pypi.org/project/himl/

Allow disabling Vault SSL verify

aslafy-z opened this issue

Expected Behaviour

VAULT_SKIP_VERIFY=1 himl myvaultyaml.yaml

=> Just works

Actual Behaviour

requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.xx.com', port=443): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))

@aslafy-z is this something we really want? Skipping the certificate validation for a secret store pretty much renders the security model ineffective.

@costimuraru This is supported by the upstream vault client, I think we should expose it as well. Can be useful for dev.

@aslafy-z What I think should be changed is the SSL warning suppression. It should be clear what the connection state is and the warning presented to the user.
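
Added example, not himl's code and not part of the thread: one way to honour `VAULT_SKIP_VERIFY` while keeping the connection state visible, and to prefer a CA bundle for the `unable to get local issuer certificate` error. The helper `resolve_vault_verify` and the warning class are hypothetical names; `VAULT_SKIP_VERIFY` and `VAULT_CACERT` are the Vault CLI's environment variables, and the returned value is meant for the `verify` argument of `requests` or `hvac.Client`.

```python
import os
import warnings

# Strings Go's strconv.ParseBool accepts; the Vault CLI parses
# VAULT_SKIP_VERIFY with it, so the same set is used here.
_TRUE = {"1", "t", "T", "TRUE", "true", "True"}
_FALSE = {"0", "f", "F", "FALSE", "false", "False"}


class InsecureVaultTLSWarning(UserWarning):
    """Emitted whenever Vault certificate verification is turned off."""


def resolve_vault_verify(env=None):
    """Return the value to pass as `verify=` to requests or hvac.Client.

    Hypothetical helper: True (system CAs), a CA bundle path, or False.
    """
    env = os.environ if env is None else env
    raw = env.get("VAULT_SKIP_VERIFY", "")
    if raw and raw not in _TRUE | _FALSE:
        # Fail closed on typos such as "yes" instead of guessing.
        raise ValueError(f"VAULT_SKIP_VERIFY must be a boolean, got {raw!r}")
    if raw in _TRUE:
        # Deliberately not filtered or suppressed: the user must see the state.
        warnings.warn(
            "VAULT_SKIP_VERIFY is set: the Vault server certificate is NOT "
            "verified; secrets and the token can be intercepted",
            InsecureVaultTLSWarning,
            stacklevel=2,
        )
        return False
    cacert = env.get("VAULT_CACERT")
    if cacert:
        # Preferred fix for "unable to get local issuer certificate":
        # trust the private CA instead of turning verification off.
        if not os.path.isfile(cacert):
            raise FileNotFoundError(f"VAULT_CACERT not found: {cacert}")
        return cacert
    return True
```

When both variables are set, the skip flag wins and the warning is still emitted, so an insecure connection is never silent.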