Add warning when skipping TLS verification (spiffe#5058)

InverseIntegral · MarcosDY · commit 7c971cf7b71d · 2025-03-28T10:40:22.000-03:00
Signed-off-by: Matteo Kamm &lt;github@matteokamm.ch&gt;
diff --git a/doc/plugin_server_keymanager_hashicorp_vault.md b/doc/plugin_server_keymanager_hashicorp_vault.md
@@ -13,7 +13,7 @@ The plugin accepts the following configuration options:
 | namespace            | string |          | Name of the Vault namespace. This is only available in the Vault Enterprise.                             | `${VAULT_NAMESPACE}` |
 | transit_engine_path  | string |          | Path of the transit engine that stores the keys.                                                         | transit              |
 | ca_cert_path         | string |          | Path to a CA certificate file used to verify the Vault server certificate. Only PEM format is supported. | `${VAULT_CACERT}`    |
-| insecure_skip_verify | bool   |          | If true, vault client accepts any server certificates                                                    | false                |
+| insecure_skip_verify | bool   |          | If true, vault client accepts any server certificates. Should only be used for test environments.        | false                |
 | cert_auth            | struct |          | Configuration for the Client Certificate authentication method                                           |                      |
 | token_auth           | struct |          | Configuration for the Token authentication method                                                        |                      |
 | approle_auth         | struct |          | Configuration for the AppRole authentication method                                                      |                      |
diff --git a/pkg/server/plugin/keymanager/hashicorpvault/hashicorp_vault.go b/pkg/server/plugin/keymanager/hashicorpvault/hashicorp_vault.go
@@ -156,6 +156,10 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest)
 		return nil, status.Errorf(codes.InvalidArgument, "unable to decode configuration: %v", err)
 	}
 
+	if config.InsecureSkipVerify {
+		p.logger.Warn("TLS verification of Vault certificates is skipped. This is only recommended for test environments.")
+	}
+
 	p.mu.Lock()
 	defer p.mu.Unlock()
 

Original file line number	Diff line number	Diff line change
`@@ -156,6 +156,10 @@ func (p Plugin) Configure(ctx context.Context, req configv1.ConfigureRequest)`
`156`	`156`	`return nil, status.Errorf(codes.InvalidArgument, "unable to decode configuration: %v", err)`
`157`	`157`	`}`
`158`	`158`
	`159`	`+ if config.InsecureSkipVerify {`
	`160`	`+ p.logger.Warn("TLS verification of Vault certificates is skipped. This is only recommended for test environments.")`
	`161`	`+ }`
	`162`	`+`
`159`	`163`	`p.mu.Lock()`
`160`	`164`	`defer p.mu.Unlock()`
`161`	`165`