ENGPLAT-399 Add --secure flag for TLS verification (#3781)

* ENGPLAT-399 respect platform insecure config

fix: respect platform insecure config instead of hardcoding InsecureSkipVerify

  Thread config.Platform.Insecure through all call sites so
  TLS verification is on by default and only skipped when the user
  explicitly opts in via --insecure.

  Closes ENGPLAT-399

* fix: preserve insecure TLS fallback during platform bootstrap

  The start command is the bootstrap flow — the platform always serves a
  self-signed certificate at this stage. Rather than reading
  config.Platform.Insecure (which defaults to false for fresh installs and
  has no --insecure flag on `vcluster platform start`), bootstrap probes
  and login should handle self-signed certs directly:

  - Readiness probes (port-forward, router, reachability) always skip TLS
    verification since they are unauthenticated health checks against a
    just-installed instance
  - Login tries secure first, falls back to insecure on TLS error, and
    persists the decision to config for future CLI operations

  The Transport(insecure), IsLoftReachable(insecure), and clihelper/http
  test additions from the original PR are preserved — post-bootstrap
  commands (login, connect) still respect config.Platform.Insecure.

* Revert " fix: preserve insecure TLS fallback during platform bootstrap"

This reverts commit d5181a1.

* feat: add --insecure flag to vcluster platform start

  Allows users to skip TLS certificate verification during bootstrap when
  the platform serves a self-signed certificate. The flag sets
  config.Platform.Insecure in memory so all downstream health checks and
  login calls respect it, and LoginWithAccessKey persists the value for
  future CLI operations.

* Switch flag from insecure to secure

Defaults to current insecure behavior to preserve current bootstrapping
functionality.

(cherry picked from commit 1499106)

# Conflicts:
#	.github/workflows/lint.yaml

Author: rlmcpherson

.github/workflows/lint.yaml

@@ -81,7 +81,41 @@ jobs:
         env:
           GOFLAGS: ""
 
+<<<<<<< HEAD
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
           version: v2.4
+=======
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.7.0
+        env:
+          GOFLAGS: ""
+
+      - name: Build custom golangci-lint with plugins
+        if: github.event.pull_request.head.repo.full_name == github.repository
+        run: golangci-lint custom
+        env:
+          GOFLAGS: ""
+
+      - name: Run golangci-lint (with custom linters)
+        if: github.event.pull_request.head.repo.full_name == github.repository
+        run: ./tools/golangci-lint run --timeout 15m -- ./...
+
+      - name: Generate config without custom linters (fork PRs)
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          # Remove custom plugin definitions and their enable/exclusion entries
+          # so stock golangci-lint can run without the compiled plugin binary.
+          CUSTOM_LINTERS=$(yq '.linters.settings.custom | keys | .[]' .golangci.yml)
+          cp .golangci.yml .golangci-fork.yml
+          for linter in $CUSTOM_LINTERS; do
+            yq -i "del(.linters.settings.custom.\"$linter\")" .golangci-fork.yml
+            yq -i ".linters.enable -= [\"$linter\"]" .golangci-fork.yml
+            yq -i "del(.linters.exclusions.rules[] | select(.linters[] == \"$linter\"))" .golangci-fork.yml
+          done
+
+      - name: Run golangci-lint (fork PRs, without custom linters)
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: golangci-lint run --timeout 15m --config .golangci-fork.yml -- ./...
+>>>>>>> 1499106e9 (ENGPLAT-399 Add --secure flag for TLS verification (#3781))

cmd/vclusterctl/cmd/platform/start.go

@@ -82,13 +82,21 @@ before running this command:
 	startCmd.Flags().StringVar(&cmd.ChartRepo, "chart-repo", "https://charts.loft.sh/", "The chart repo to deploy vCluster platform")
 	startCmd.Flags().StringVar(&cmd.ChartName, "chart-name", "vcluster-platform", "The chart name to deploy vCluster platform")
 	startCmd.Flags().BoolVar(&cmd.Docker, "docker", false, "If true, vCluster platform will be installed in Docker")
+	startCmd.Flags().BoolVar(&cmd.Secure, "secure", false, "If true, verify TLS certificates when connecting to the platform (by default, TLS verification is skipped during bootstrap because the platform starts with a self-signed certificate)")
 
 	return startCmd
 }
 
 func (cmd *StartCmd) Run(ctx context.Context) error {
-	// automatically use docker mode if the driver is set to docker
 	cfg := cmd.LoadedConfig(cmd.Log)
+
+	// Bootstrap defaults to insecure because the platform starts with a
+	// self-signed certificate. Pass --secure to enforce TLS verification.
+	if !cmd.Secure {
+		cfg.Platform.Insecure = true
+	}
+
+	// automatically use docker mode if the driver is set to docker
 	if cfg.Driver.Type == config.DockerDriver && !cmd.Docker {
 		cmd.Log.Info("Automatically using --docker flag because driver is set to 'docker'")
 		cmd.Docker = true

cmd/vclusterctl/cmd/platform/start_test.go

@@ -8,6 +8,28 @@ import (
 	"github.com/loft-sh/vcluster/pkg/cli/start"
 )
 
+func TestNewStartCmd_SecureFlag(t *testing.T) {
+	globalFlags := &flags.GlobalFlags{}
+	cmd := NewStartCmd(globalFlags)
+
+	// Verify --secure flag exists and defaults to false (insecure by default).
+	f := cmd.Flags().Lookup("secure")
+	if f == nil {
+		t.Fatal("--secure flag not registered on start command")
+	}
+	if f.DefValue != "false" {
+		t.Errorf("expected --secure default to be 'false', got %q", f.DefValue)
+	}
+
+	// Simulate passing --secure on the command line.
+	if err := cmd.Flags().Set("secure", "true"); err != nil {
+		t.Fatalf("failed to set --secure flag: %v", err)
+	}
+	if f.Value.String() != "true" {
+		t.Errorf("expected --secure value to be 'true' after set, got %q", f.Value.String())
+	}
+}
+
 func TestPlatformUsesNewActivationFlow(t *testing.T) {
 	testCases := []struct {
 		version  string

pkg/cli/start/docker.go

@@ -133,7 +133,7 @@ func (l *LoftStarter) successDocker(ctx context.Context, containerID string) err
 			return false, fmt.Errorf("container failed (status: %s):\n %s", containerDetails.State.Status, logs)
 		}
 
-		return clihelper.IsLoftReachable(ctx, host)
+		return clihelper.IsLoftReachable(ctx, host, l.LoadedConfig(l.Log).Platform.Insecure)
 	})
 	if err != nil {
 		return fmt.Errorf(product.Replace("error waiting for loft: %v%w"), err)

pkg/cli/start/login.go

@@ -66,8 +66,9 @@ func (l *LoftStarter) loginViaCLI(url string) error {
 		return err
 	}
 
+	config := l.LoadedConfig(l.Log)
 	httpClient := &http.Client{Transport: &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: config.Platform.Insecure},
 	}}
 
 	// try a couple of times to login
@@ -99,7 +100,6 @@ func (l *LoftStarter) loginViaCLI(url string) error {
 	}
 
 	// log into loft
-	config := l.LoadedConfig(l.Log)
 	loginClient := platform.NewLoginClientFromConfig(config)
 	url = strings.TrimSuffix(url, "/")
 	err = loginClient.LoginWithAccessKey(url, accessKey.AccessKey, config.Platform.Insecure)

pkg/cli/start/port_forwarding.go

@@ -21,7 +21,7 @@ func (l *LoftStarter) startPortForwarding(ctx context.Context, loftPod *corev1.P
 
 	// wait until loft is reachable at the given url
 	httpClient := &http.Client{
-		Transport: utilhttp.InsecureTransport(),
+		Transport: utilhttp.Transport(l.LoadedConfig(l.Log).Platform.Insecure),
 	}
 	l.Log.Infof(product.Replace("Waiting until loft is reachable at https://localhost:%s"), l.LocalPort)
 	err = wait.PollUntilContextTimeout(ctx, time.Second, clihelper.Timeout(), true, func(ctx context.Context) (bool, error) {

pkg/cli/start/start.go

@@ -70,6 +70,7 @@ type StartOptions struct { //nolint:revive // linter suggests renaming to option
 	Upgrade          bool
 	ReuseValues      bool
 	Docker           bool
+	Secure           bool
 }
 
 func NewLoftStarter(options StartOptions) *LoftStarter {

pkg/cli/start/success.go

@@ -68,7 +68,8 @@ func (l *LoftStarter) success(ctx context.Context) error {
 	}
 
 	// check if loft is reachable
-	reachable, err := clihelper.IsLoftReachable(ctx, host)
+	insecure := l.LoadedConfig(l.Log).Platform.Insecure
+	reachable, err := clihelper.IsLoftReachable(ctx, host, insecure)
 	if !reachable || err != nil {
 		const (
 			YesOption = "Yes"
@@ -123,10 +124,11 @@ func (l *LoftStarter) pingLoftRouter(ctx context.Context, loftPod *corev1.Pod) (
 	loftRouterDomain := string(loftRouterSecret.Data["domain"])
 
 	// wait until loft is reachable at the given url
+	insecure := l.LoadedConfig(l.Log).Platform.Insecure
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: insecure,
 			},
 		},
 	}
@@ -190,7 +192,8 @@ func (l *LoftStarter) isLoggedIn(url string) bool {
 }
 
 func (l *LoftStarter) successRemote(ctx context.Context, host string) error {
-	ready, err := clihelper.IsLoftReachable(ctx, host)
+	insecure := l.LoadedConfig(l.Log).Platform.Insecure
+	ready, err := clihelper.IsLoftReachable(ctx, host, insecure)
 	if err != nil {
 		return err
 	} else if ready {
@@ -203,7 +206,7 @@ func (l *LoftStarter) successRemote(ctx context.Context, host string) error {
 
 	l.Log.Info("Waiting for you to configure DNS, so loft can be reached on https://" + host)
 	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, clihelper.Timeout(), true, func(ctx context.Context) (done bool, err error) {
-		return clihelper.IsLoftReachable(ctx, host)
+		return clihelper.IsLoftReachable(ctx, host, insecure)
 	})
 	if err != nil {
 		return err

pkg/platform/clihelper/clihelper.go

@@ -344,10 +344,10 @@ func GetLoftDefaultPassword(ctx context.Context, kubeClient kubernetes.Interface
 	return string(loftNamespace.UID), nil
 }
 
-func IsLoftReachable(ctx context.Context, host string) (bool, error) {
+func IsLoftReachable(ctx context.Context, host string, insecure bool) (bool, error) {
 	// wait until loft is reachable at the given url
 	client := &http.Client{
-		Transport: utilhttp.InsecureTransport(),
+		Transport: utilhttp.Transport(insecure),
 	}
 	endpoint := fmt.Sprintf("https://%s/healthz", host)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)

pkg/platform/clihelper/clihelper_test.go

@@ -0,0 +1,105 @@
+package clihelper
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestIsLoftReachable_InsecureTrueAgainstSelfSigned(t *testing.T) {
+	// Create an HTTPS server with a self-signed certificate.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/healthz" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	host := strings.TrimPrefix(server.URL, "https://")
+
+	// With insecure=true, the self-signed cert should be accepted.
+	reachable, err := IsLoftReachable(context.Background(), host, true)
+	assert.NilError(t, err)
+	assert.Assert(t, reachable, "should be reachable with insecure=true against self-signed cert")
+}
+
+func TestIsLoftReachable_InsecureFalseAgainstSelfSigned(t *testing.T) {
+	// Create an HTTPS server with a self-signed certificate.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/healthz" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	host := strings.TrimPrefix(server.URL, "https://")
+
+	// With insecure=false, the self-signed cert should cause a TLS error
+	// and IsLoftReachable should return false (not reachable).
+	reachable, err := IsLoftReachable(context.Background(), host, false)
+	assert.NilError(t, err)
+	assert.Assert(t, !reachable, "should not be reachable with insecure=false against self-signed cert")
+}
+
+func TestIsLoftReachable_InsecureFalseAgainstTrustedCert(t *testing.T) {
+	// Create an HTTPS server with a self-signed cert, but add the cert
+	// to the system pool so it's trusted. We do this by creating a custom
+	// test that validates the transport respects system certs.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/healthz" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	// Verify the server is actually using TLS with a self-signed cert.
+	conn, err := tls.Dial("tcp", strings.TrimPrefix(server.URL, "https://"), &tls.Config{
+		InsecureSkipVerify: true,
+	})
+	assert.NilError(t, err)
+	defer conn.Close()
+
+	// Get the server certificate and create a cert pool that trusts it.
+	serverCert := conn.ConnectionState().PeerCertificates[0]
+	certPool := x509.NewCertPool()
+	certPool.AddCert(serverCert)
+
+	// Verify the cert pool trusts the server - this validates our test setup.
+	_, err = serverCert.Verify(x509.VerifyOptions{
+		Roots: certPool,
+	})
+	assert.NilError(t, err, "cert should be verified with our custom pool")
+}
+
+func TestIsLoftReachable_UnhealthyServer(t *testing.T) {
+	// Server that returns 500 on /healthz.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	host := strings.TrimPrefix(server.URL, "https://")
+
+	reachable, err := IsLoftReachable(context.Background(), host, true)
+	assert.NilError(t, err)
+	assert.Assert(t, !reachable, "should not be reachable when server returns 500")
+}
+
+func TestIsLoftReachable_UnreachableHost(t *testing.T) {
+	// Use a host that doesn't exist.
+	reachable, err := IsLoftReachable(context.Background(), "localhost:1", true)
+	assert.NilError(t, err)
+	assert.Assert(t, !reachable, "should not be reachable when host is unreachable")
+}