Avoid verifying SSL on local connections

Since these will almost always connect to an IP rather than a "real"
hostname, don't verify the SSL cert (if applicable). Also allow the
overriding of SSL verification via an environment variable.

As a consequence, to reduce spam, SSL warnings are disabled for urllib3.
Instead, we warn in the "Using cluster" output whenever verification is
disabled.
Joshua Boniface 2020-08-27 13:23:24 -04:00
parent 7bf91b1003
commit 45542bfd67
2 changed files with 22 additions and 6 deletions


@ -26,6 +26,7 @@ import math
import time import time
import requests import requests
import click import click
from urllib3 import disable_warnings
def format_bytes(size_bytes): def format_bytes(size_bytes):
byte_unit_matrix = { byte_unit_matrix = {
@ -125,13 +126,15 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
headers['X-Api-Key'] = config['api_key'] headers['X-Api-Key'] = config['api_key']
# Determine the request type and hit the API # Determine the request type and hit the API
disable_warnings()
try: try:
if operation == 'get': if operation == 'get':
response = requests.get( response = requests.get(
uri, uri,
headers=headers, headers=headers,
params=params, params=params,
data=data data=data,
verify=config['verify_ssl']
) )
if operation == 'post': if operation == 'post':
response = requests.post( response = requests.post(
@ -139,7 +142,8 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
headers=headers, headers=headers,
params=params, params=params,
data=data, data=data,
files=files files=files,
verify=config['verify_ssl']
) )
if operation == 'put': if operation == 'put':
response = requests.put( response = requests.put(
@ -147,21 +151,24 @@ def call_api(config, operation, request_uri, headers={}, params=None, data=None,
headers=headers, headers=headers,
params=params, params=params,
data=data, data=data,
files=files files=files,
verify=config['verify_ssl']
) )
if operation == 'patch': if operation == 'patch':
response = requests.patch( response = requests.patch(
uri, uri,
headers=headers, headers=headers,
params=params, params=params,
data=data data=data,
verify=config['verify_ssl']
) )
if operation == 'delete': if operation == 'delete':
response = requests.delete( response = requests.delete(
uri, uri,
headers=headers, headers=headers,
params=params, params=params,
data=data data=data,
verify=config['verify_ssl']
) )
except Exception as e: except Exception as e:
message = 'Failed to connect to the API: {}'.format(e) message = 'Failed to connect to the API: {}'.format(e)
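Review bot: `disable_warnings()` runs on every `call_api` invocation with no category argument, so it silences every urllib3 warning class for the whole process, even when `config['verify_ssl']` is True. Limit it to the case that needs it, `if not config['verify_ssl']: disable_warnings(InsecureRequestWarning)`, with `from urllib3.exceptions import InsecureRequestWarning` next to the new import. When verification is off, the `X-Api-Key` header set just above is sent over a TLS session whose peer is not authenticated, which deserves a comment at that line. The `verify` argument of requests also accepts a CA bundle path, which would let clusters with a private CA keep verification on. `call_api` begins and ends outside these hunks.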


@ -106,6 +106,10 @@ def get_config(store_data, cluster=None):
config['api_scheme'] = scheme config['api_scheme'] = scheme
config['api_key'] = api_key config['api_key'] = api_key
config['api_prefix'] = prefix config['api_prefix'] = prefix
if cluster == 'local':
config['verify_ssl'] = False
else:
config['verify_ssl'] = bool(strtobool(os.environ.get('PVC_CLIENT_VERIFY_SSL', 'True')))
return config return config
@ -3626,11 +3630,16 @@ def cli(_cluster, _debug, _quiet):
config['debug'] = _debug config['debug'] = _debug
if not _quiet: if not _quiet:
if config['api_scheme'] == 'https' and not config['verify_ssl']:
ssl_unverified_msg=' (unverified)'
else:
ssl_unverified_msg=''
click.echo( click.echo(
'Using cluster "{}" - Host: "{}" Scheme: "{}" Prefix: "{}"'.format( 'Using cluster "{}" - Host: "{}" Scheme: "{}{}" Prefix: "{}"'.format(
config['cluster'], config['cluster'],
config['api_host'], config['api_host'],
config['api_scheme'], config['api_scheme'],
ssl_unverified_msg,
config['api_prefix'] config['api_prefix']
), ),
err=True err=True
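Review bot: In `get_config`, the `cluster == 'local'` branch sets `config['verify_ssl'] = False` without consulting the environment, so `PVC_CLIENT_VERIFY_SSL=True` cannot re-enable verification for a local cluster that has a valid certificate. Letting the variable take precedence keeps the default and the override consistent: `default = 'False' if cluster == 'local' else 'True'` followed by `config['verify_ssl'] = bool(strtobool(os.environ.get('PVC_CLIENT_VERIFY_SSL', default)))`. `strtobool` raises ValueError on input such as an empty string and nothing visible here catches it, so a mistyped setting would presumably end in a traceback rather than a clear error. The imports of `strtobool` and `os` are not shown in this section, and `get_config` starts outside the hunk.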