Hi everyone,
this is a patch that re-applies the now missing parts of #718 from @PascalChardon on master and covers the etcd --auto-tls use case (more in the commit message).
Sorry to send it to you instead of pull-requesting, I'm currently too lazy to fork/clone/patch/gotogithubagain/pullrequest.
From 0d6bd81079d04cb8e3c099bbc1c7397cc5eb7ffa Mon Sep 17 00:00:00 2001
From: mapperr <mapperr@sdf.ee>
Date: Mon, 25 Sep 2023 20:11:36 +0200
Subject: [PATCH] improve client insecure mode
Cover the case of --auto-tls,
when you want transport security,
but not client authentication with certificates.
---
backends/client.go | 4 ++--
backends/config.go | 44 +++++++++++++++++++--------------------
backends/etcd/client.go | 6 +++++-
backends/etcdv3/client.go | 8 +++++--
4 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/backends/client.go b/backends/client.go
index 2c34d4c..74a7012 100644
--- a/backends/client.go
+++ b/backends/client.go
@@ -49,9 +49,9 @@ func New(config Config) (StoreClient, error) {
)
case "etcd":
// etcd v2 has been deprecated and etcdv3 is now the client for both the etcd and etcdv3 backends.
- return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.BasicAuth, config.Username, config.Password)
+ return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.ClientInsecure, config.BasicAuth, config.Username, config.Password)
case "etcdv3":
- return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.BasicAuth, config.Username, config.Password)
+ return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.ClientInsecure, config.BasicAuth, config.Username, config.Password)
case "zookeeper":
return zookeeper.NewZookeeperClient(backendNodes)
case "rancher":
diff --git a/backends/config.go b/backends/config.go
index 9f58127..a080d18 100644
--- a/backends/config.go
+++ b/backends/config.go
@@ -5,26 +5,26 @@ import (
)
type Config struct {
- AuthToken string `toml:"auth_token"`
- AuthType string `toml:"auth_type"`
- Backend string `toml:"backend"`
- BasicAuth bool `toml:"basic_auth"`
- ClientCaKeys string `toml:"client_cakeys"`
- ClientCert string `toml:"client_cert"`
- ClientKey string `toml:"client_key"`
- ClientInsecure bool `toml:"client_insecure"`
- BackendNodes util.Nodes `toml:"nodes"`
- Password string `toml:"password"`
- Scheme string `toml:"scheme"`
- Table string `toml:"table"`
- Separator string `toml:"separator"`
- Username string `toml:"username"`
- AppID string `toml:"app_id"`
- UserID string `toml:"user_id"`
- RoleID string `toml:"role_id"`
- SecretID string `toml:"secret_id"`
- YAMLFile util.Nodes `toml:"file"`
- Filter string `toml:"filter"`
- Path string `toml:"path"`
- Role string
+ AuthToken string `toml:"auth_token"`
+ AuthType string `toml:"auth_type"`
+ Backend string `toml:"backend"`
+ BasicAuth bool `toml:"basic_auth"`
+ ClientCaKeys string `toml:"client_cakeys"`
+ ClientCert string `toml:"client_cert"`
+ ClientKey string `toml:"client_key"`
+ ClientInsecure bool `toml:"client_insecure"`
+ BackendNodes util.Nodes `toml:"nodes"`
+ Password string `toml:"password"`
+ Scheme string `toml:"scheme"`
+ Table string `toml:"table"`
+ Separator string `toml:"separator"`
+ Username string `toml:"username"`
+ AppID string `toml:"app_id"`
+ UserID string `toml:"user_id"`
+ RoleID string `toml:"role_id"`
+ SecretID string `toml:"secret_id"`
+ YAMLFile util.Nodes `toml:"file"`
+ Filter string `toml:"filter"`
+ Path string `toml:"path"`
+ Role string
}
diff --git a/backends/etcd/client.go b/backends/etcd/client.go
index 2e3d3a6..daa5255 100644
--- a/backends/etcd/client.go
+++ b/backends/etcd/client.go
@@ -119,7 +119,11 @@ func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool,
tlsEnabled := false
tlsConfig := &tls.Config{
- InsecureSkipVerify: false,
+ InsecureSkipVerify: true,
+ }
+
+ if clientInsecure {
+ tlsEnabled = true
}
if caCert != "" {
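Review bot: `InsecureSkipVerify: true` is hard-coded on the new side here, unlike the etcdv3 hunk that ties it to `clientInsecure`, so every TLS connection this client makes skips server certificate verification even when `caCert` is supplied on the following line; it should read `InsecureSkipVerify: clientInsecure,`. The added `if clientInsecure {` also references a parameter that the signature in the hunk header does not declare, and the diffstat lists no other change to this file, so as posted this appears not to compile unless the parameter is added elsewhere. NewEtcdClient continues outside the hunk.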
diff --git a/backends/etcdv3/client.go b/backends/etcdv3/client.go
index a3dc0a0..f1a3b1a 100644
--- a/backends/etcdv3/client.go
+++ b/backends/etcdv3/client.go
@@ -104,7 +104,7 @@ type Client struct {
}
// NewEtcdClient returns an *etcdv3.Client with a connection to named machines.
-func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool, username string, password string) (*Client, error) {
+func NewEtcdClient(machines []string, cert, key, caCert string, clientInsecure bool, basicAuth bool, username string, password string) (*Client, error) {
cfg := clientv3.Config{
Endpoints: machines,
DialTimeout: 5 * time.Second,
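Review bot: The doc comment above the changed signature still says nothing about the new `clientInsecure` parameter, which is the one argument that weakens the security of the connection it describes. Suggest extending it, e.g. `// clientInsecure disables verification of the etcd server certificate (for --auto-tls setups).` Placing `clientInsecure bool` directly before `basicAuth bool` also yields two adjacent booleans that callers pass positionally, as backends/client.go now does, so an accidental swap compiles silently; an options struct would avoid that if the signature is revisited. The cfg literal continues past the end of the hunk.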
@@ -119,7 +119,11 @@ func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool,
tlsEnabled := false
tlsConfig := &tls.Config{
- InsecureSkipVerify: false,
+ InsecureSkipVerify: clientInsecure,
+ }
+
+ if clientInsecure {
+ tlsEnabled = true
}
if caCert != "" {
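Review bot: `InsecureSkipVerify: clientInsecure` on the new side disables verification of the server's certificate, so with --auto-tls the connection is encrypted but the client cannot distinguish a genuine etcd member from any other endpoint terminating TLS on that address; the commit message frames the flag as skipping client certificate authentication, which is a different property. Worth stating in the `client_insecure` documentation that it turns off server verification, and logging at startup when it is set. The new `if clientInsecure { tlsEnabled = true }` also leaves verification off even when `caCert` is provided on the following line, so a configured CA is silently ignored; consider `InsecureSkipVerify: clientInsecure && caCert == "",` or at least a warning when both are set. The rest of NewEtcdClient, including where tlsConfig is attached to cfg, lies outside the hunk.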
--
2.42.0