summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--python/vyos/http_api_client.py14
-rw-r--r--src/op_mode/config_sync.py10
2 files changed, 20 insertions, 4 deletions
diff --git a/python/vyos/http_api_client.py b/python/vyos/http_api_client.py
index ae16cfa54..c40621bc7 100644
--- a/python/vyos/http_api_client.py
+++ b/python/vyos/http_api_client.py
@@ -19,6 +19,7 @@ import json
import urllib3
import requests
from typing import Optional
+from typing import Union
from dataclasses import dataclass
from vyos.version import get_version
@@ -51,7 +52,11 @@ class ApiClientConfig:
key: str
port: int = 443
timeout: Optional[int] = None
- verify_tls: bool = False
+ # TLS peer verification, forwarded verbatim to requests' ``verify``:
+ # True - verify against the system CA store (secure default)
+ # False - disable verification (insecure; opt-in only)
+ # "<path>" - verify against a custom CA bundle file/dir
+ verify_tls: Union[bool, str] = True
class ApiClient:
@@ -60,7 +65,8 @@ class ApiClient:
Design goals:
- minimal surface area (thin wrapper around requests)
- consistent error handling + typed exceptions
- - safe defaults for VyOS typical self-signed HTTPS usage (verify_tls=False)
+ - secure defaults (verify_tls=True); deployments using self-signed
+ certificates opt into verify_tls=False or supply a CA bundle path
"""
_DEFAULT_HEADERS = {
@@ -77,7 +83,9 @@ class ApiClient:
self._session = requests.Session()
self._session.headers.update(self._DEFAULT_HEADERS)
- if not config.verify_tls:
+ # Only silence the insecure-request warning when verification has been
+ # explicitly disabled. A CA bundle path or True must keep warnings on.
+ if config.verify_tls is False:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@property
diff --git a/src/op_mode/config_sync.py b/src/op_mode/config_sync.py
index d6eff7cd2..2cce972e8 100644
--- a/src/op_mode/config_sync.py
+++ b/src/op_mode/config_sync.py
@@ -68,13 +68,21 @@ def _load_config_sync_settings() -> dict:
key = secondary.get('key')
port = int(secondary.get('port', 443))
timeout = int(secondary.get('timeout')) if secondary.get('timeout') else None
+ # config-sync talks to a remote secondary over HTTPS. TLS verification is
+ # off by default because secondary nodes typically present a self-signed
+ # certificate; an operator can opt in (True, or a CA bundle path) once the
+ # runtime config exposes it. TODO: surface as a proper CLI knob
+ # (set service config-sync secondary verify-tls / ca-certificate).
+ verify_tls = secondary.get('verify_tls', False)
if not address or not key:
raise opmode.UnconfiguredObject(
'Config-sync is not fully configured: missing secondary address/key'
)
- return dict(host=address, key=key, port=port, timeout=timeout)
+ return dict(
+ host=address, key=key, port=port, timeout=timeout, verify_tls=verify_tls
+ )
class ConfigSyncDiffManager: