feat(http): allow skip ssl validation (#1064)

## Overview

Add DD_SKIP_SSL_VALIDATION support, parsed from both env and YAML,
matching the datadog-agent's behavior — applied to all outgoing HTTP
clients (reqwest via danger_accept_invalid_certs, hyper via custom
  ServerCertVerifier).

## Motivation

Customers in environments with corporate proxies or custom CA setups
need the ability to disable TLS certificate validation, matching the
existing datadog-agent config option. The Go agent applies
tls.Config{InsecureSkipVerify: true} to all HTTP transports via a
central CreateHTTPTransport() — we mirror this by wiring the config
through to both client builders.

And [SLES-2710](https://datadoghq.atlassian.net/browse/SLES-2710)

## Changes

  Config (config/mod.rs, config/env.rs, config/yaml.rs):
- Add skip_ssl_validation: bool to Config, EnvConfig, and YamlConfig
with default false

  reqwest client (http.rs):
- .danger_accept_invalid_certs(config.skip_ssl_validation) on the shared
client builder

  hyper client (traces/http_client.rs):
- Custom NoVerifier implementing
rustls::client::danger::ServerCertVerifier that accepts all certificates
- Uses CryptoProvider::get_default() (not hardcoded aws_lc_rs) for
FIPS-safe signature scheme reporting
  - New skip_ssl_validation parameter on create_client()

## Testing 

Unit tests and self monitoring

[SLES-2710]:
https://datadoghq.atlassian.net/browse/SLES-2710?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Author: duncanista

bottlecap/src/bin/bottlecap/main.rs

@@ -1094,6 +1094,7 @@ fn start_trace_agent(
     let trace_http_client = trace_http_client::create_client(
         config.proxy_https.as_ref(),
         config.tls_cert_file.as_ref(),
+        config.skip_ssl_validation,
     )
     .expect("Failed to create trace HTTP client");
 

bottlecap/src/config/env.rs

@@ -80,6 +80,11 @@ pub struct EnvConfig {
     /// Example: `/opt/ca-cert.pem`
     #[serde(deserialize_with = "deserialize_optional_string")]
     pub tls_cert_file: Option<String>,
+    /// @env `DD_SKIP_SSL_VALIDATION`
+    ///
+    /// If set to true, the Agent will skip TLS certificate validation for outgoing connections.
+    #[serde(deserialize_with = "deserialize_optional_bool_from_anything")]
+    pub skip_ssl_validation: Option<bool>,
 
     // Metrics
     /// @env `DD_DD_URL`
@@ -497,6 +502,7 @@ fn merge_config(config: &mut Config, env_config: &EnvConfig) {
     merge_vec!(config, env_config, proxy_no_proxy);
     merge_option!(config, env_config, http_protocol);
     merge_option!(config, env_config, tls_cert_file);
+    merge_option_to_value!(config, env_config, skip_ssl_validation);
 
     // Endpoints
     merge_string!(config, env_config, dd_url);
@@ -733,6 +739,7 @@ mod tests {
             jail.set_env("DD_PROXY_NO_PROXY", "localhost,127.0.0.1");
             jail.set_env("DD_HTTP_PROTOCOL", "http1");
             jail.set_env("DD_TLS_CERT_FILE", "/opt/ca-cert.pem");
+            jail.set_env("DD_SKIP_SSL_VALIDATION", "true");
 
             // Metrics
             jail.set_env("DD_DD_URL", "https://metrics.datadoghq.com");
@@ -895,6 +902,7 @@ mod tests {
                 proxy_no_proxy: vec!["localhost".to_string(), "127.0.0.1".to_string()],
                 http_protocol: Some("http1".to_string()),
                 tls_cert_file: Some("/opt/ca-cert.pem".to_string()),
+                skip_ssl_validation: true,
                 dd_url: "https://metrics.datadoghq.com".to_string(),
                 url: "https://app.datadoghq.com".to_string(),
                 additional_endpoints: HashMap::from([

bottlecap/src/config/mod.rs

@@ -256,6 +256,7 @@ pub struct Config {
     pub proxy_no_proxy: Vec<String>,
     pub http_protocol: Option<String>,
     pub tls_cert_file: Option<String>,
+    pub skip_ssl_validation: bool,
 
     // Endpoints
     pub dd_url: String,
@@ -383,6 +384,7 @@ impl Default for Config {
             proxy_no_proxy: vec![],
             http_protocol: None,
             tls_cert_file: None,
+            skip_ssl_validation: false,
 
             // Endpoints
             dd_url: String::default(),

bottlecap/src/config/yaml.rs

@@ -55,6 +55,8 @@ pub struct YamlConfig {
     pub http_protocol: Option<String>,
     #[serde(deserialize_with = "deserialize_optional_string")]
     pub tls_cert_file: Option<String>,
+    #[serde(deserialize_with = "deserialize_optional_bool_from_anything")]
+    pub skip_ssl_validation: Option<bool>,
 
     // Endpoints
     #[serde(deserialize_with = "deserialize_additional_endpoints")]
@@ -431,6 +433,7 @@ fn merge_config(config: &mut Config, yaml_config: &YamlConfig) {
     merge_option_to_value!(config, proxy_no_proxy, yaml_config.proxy, no_proxy);
     merge_option!(config, yaml_config, http_protocol);
     merge_option!(config, yaml_config, tls_cert_file);
+    merge_option_to_value!(config, yaml_config, skip_ssl_validation);
 
     // Endpoints
     merge_hashmap!(config, yaml_config, additional_endpoints);
@@ -767,6 +770,7 @@ proxy:
 dd_url: "https://metrics.datadoghq.com"
 http_protocol: "http1"
 tls_cert_file: "/opt/ca-cert.pem"
+skip_ssl_validation: true
 
 # Endpoints
 additional_endpoints:
@@ -907,6 +911,7 @@ api_security_sample_delay: 60 # Seconds
                 proxy_no_proxy: vec!["localhost".to_string(), "127.0.0.1".to_string()],
                 http_protocol: Some("http1".to_string()),
                 tls_cert_file: Some("/opt/ca-cert.pem".to_string()),
+                skip_ssl_validation: true,
                 dd_url: "https://metrics.datadoghq.com".to_string(),
                 url: String::new(), // doesnt exist in yaml
                 additional_endpoints: HashMap::from([

bottlecap/src/http.rs

@@ -28,7 +28,8 @@ fn build_client(config: &Arc<config::Config>) -> Result<reqwest::Client, Box<dyn
         .timeout(Duration::from_secs(config.flush_timeout))
         .pool_idle_timeout(Some(Duration::from_secs(270)))
         // Enable TCP keepalive
-        .tcp_keepalive(Some(Duration::from_secs(120)));
+        .tcp_keepalive(Some(Duration::from_secs(120)))
+        .danger_accept_invalid_certs(config.skip_ssl_validation);
 
     // Determine if we should use HTTP/1 or HTTP/2
     let should_use_http1 = match &config.http_protocol {
@@ -47,6 +48,13 @@ fn build_client(config: &Arc<config::Config>) -> Result<reqwest::Client, Box<dyn
             .http2_keep_alive_timeout(Duration::from_secs(1000));
     }
 
+    if config.skip_ssl_validation && config.tls_cert_file.is_some() {
+        debug!(
+            "HTTP | skip_ssl_validation=true overrides tls_cert_file={:?}, custom certificate will be ignored",
+            config.tls_cert_file
+        );
+    }
+
     // Load custom TLS certificate if configured
     if let Some(cert_path) = &config.tls_cert_file {
         match load_custom_cert(cert_path) {

bottlecap/src/traces/http_client.rs

@@ -14,7 +14,7 @@ use rustls_pki_types::CertificateDer;
 use std::error::Error;
 use std::fs::File;
 use std::io::BufReader;
-use std::sync::LazyLock;
+use std::sync::{Arc, LazyLock};
 use tracing::debug;
 
 /// Type alias for the HTTP client used by trace and stats flushers.
@@ -27,24 +27,75 @@ pub type HttpClient =
 fn ensure_crypto_provider_initialized() {
     static INIT_CRYPTO_PROVIDER: LazyLock<()> = LazyLock::new(|| {
         #[cfg(unix)]
-        rustls::crypto::aws_lc_rs::default_provider()
-            .install_default()
-            .expect("Failed to install default CryptoProvider");
+        if let Err(_already_installed) =
+            rustls::crypto::aws_lc_rs::default_provider().install_default()
+        {
+            debug!(
+                "HTTP_CLIENT | Default CryptoProvider already installed, using existing provider"
+            );
+        }
     });
 
     let () = &*INIT_CRYPTO_PROVIDER;
 }
 
+/// A certificate verifier that accepts all server certificates without validation.
+///
+/// This is used when `DD_SKIP_SSL_VALIDATION` is set to `true`.
+#[derive(Debug)]
+struct NoVerifier;
+
+impl rustls::client::danger::ServerCertVerifier for NoVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &rustls_pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: rustls_pki_types::UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        // Safe to unwrap_or_default: the provider is always initialized via
+        // ensure_crypto_provider_initialized() before NoVerifier is used.
+        rustls::crypto::CryptoProvider::get_default()
+            .map(|p| p.signature_verification_algorithms.supported_schemes())
+            .unwrap_or_default()
+    }
+}
+
 /// Creates a new HTTP client with the given configuration.
 ///
 /// This client is compatible with `libdd_trace_utils` and supports:
 /// - HTTPS proxy configuration
 /// - Custom TLS root certificates
+/// - Skipping TLS certificate validation
 ///
 /// # Arguments
 ///
 /// * `proxy_https` - Optional HTTPS proxy URL
 /// * `tls_cert_file` - Optional path to a PEM file containing root certificates
+/// * `skip_ssl_validation` - If true, skip TLS certificate validation
 ///
 /// # Errors
 ///
@@ -54,9 +105,34 @@ fn ensure_crypto_provider_initialized() {
 pub fn create_client(
     proxy_https: Option<&String>,
     tls_cert_file: Option<&String>,
+    skip_ssl_validation: bool,
 ) -> Result<HttpClient, Box<dyn Error>> {
+    if skip_ssl_validation && tls_cert_file.is_some() {
+        debug!(
+            "HTTP_CLIENT | skip_ssl_validation=true overrides tls_cert_file={:?}, custom certificate will be ignored",
+            tls_cert_file
+        );
+    }
+
     // Create the base connector with optional custom TLS config
-    let connector = if let Some(ca_cert_path) = tls_cert_file {
+    let connector = if skip_ssl_validation {
+        ensure_crypto_provider_initialized();
+
+        let tls_config = rustls::ClientConfig::builder()
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(NoVerifier))
+            .with_no_client_auth();
+
+        let https_connector = HttpsConnectorBuilder::new()
+            .with_tls_config(tls_config)
+            .https_or_http()
+            .enable_http1()
+            .build();
+
+        debug!("HTTP_CLIENT | TLS certificate validation disabled (skip_ssl_validation=true)");
+
+        libdd_common::connector::Connector::Https(https_connector)
+    } else if let Some(ca_cert_path) = tls_cert_file {
         // Ensure crypto provider is initialized before creating TLS config
         ensure_crypto_provider_initialized();