ENGPLAT-399 respect platform insecure config

fix: respect platform insecure config instead of hardcoding InsecureSkipVerify

  The vcluster platform start flow hardcoded InsecureSkipVerify: true in
  several HTTP clients, bypassing TLS certificate verification regardless
  of user configuration. Thread config.Platform.Insecure through all call sites so
  TLS verification is on by default and only skipped when the user
  explicitly opts in via --insecure.

  Closes ENGPLAT-399

Author: rlmcpherson

.github/workflows/lint.yaml

@@ -98,6 +98,19 @@ jobs:
         if: github.event.pull_request.head.repo.full_name == github.repository
         run: ./tools/golangci-lint run --timeout 15m -- ./...
 
+      - name: Generate config without custom linters (fork PRs)
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          # Remove custom plugin definitions and their enable/exclusion entries
+          # so stock golangci-lint can run without the compiled plugin binary.
+          CUSTOM_LINTERS=$(yq '.linters.settings.custom | keys | .[]' .golangci.yml)
+          cp .golangci.yml .golangci-fork.yml
+          for linter in $CUSTOM_LINTERS; do
+            yq -i "del(.linters.settings.custom.\"$linter\")" .golangci-fork.yml
+            yq -i ".linters.enable -= [\"$linter\"]" .golangci-fork.yml
+            yq -i "del(.linters.exclusions.rules[] | select(.linters[] == \"$linter\"))" .golangci-fork.yml
+          done
+
       - name: Run golangci-lint (fork PRs, without custom linters)
         if: github.event.pull_request.head.repo.full_name != github.repository
-        run: golangci-lint run --timeout 15m -- ./...
+        run: golangci-lint run --timeout 15m --config .golangci-fork.yml -- ./...

pkg/cli/start/docker.go

@@ -133,7 +133,7 @@ func (l *LoftStarter) successDocker(ctx context.Context, containerID string) err
 			return false, fmt.Errorf("container failed (status: %s):\n %s", containerDetails.State.Status, logs)
 		}
 
-		return clihelper.IsLoftReachable(ctx, host)
+		return clihelper.IsLoftReachable(ctx, host, l.LoadedConfig(l.Log).Platform.Insecure)
 	})
 	if err != nil {
 		return fmt.Errorf(product.Replace("error waiting for loft: %v%w"), err)

pkg/cli/start/login.go

@@ -66,8 +66,9 @@ func (l *LoftStarter) loginViaCLI(url string) error {
 		return err
 	}
 
+	config := l.LoadedConfig(l.Log)
 	httpClient := &http.Client{Transport: &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: config.Platform.Insecure},
 	}}
 
 	// try a couple of times to login
@@ -99,7 +100,6 @@ func (l *LoftStarter) loginViaCLI(url string) error {
 	}
 
 	// log into loft
-	config := l.LoadedConfig(l.Log)
 	loginClient := platform.NewLoginClientFromConfig(config)
 	url = strings.TrimSuffix(url, "/")
 	err = loginClient.LoginWithAccessKey(url, accessKey.AccessKey, config.Platform.Insecure)

pkg/cli/start/port_forwarding.go

@@ -21,7 +21,7 @@ func (l *LoftStarter) startPortForwarding(ctx context.Context, loftPod *corev1.P
 
 	// wait until loft is reachable at the given url
 	httpClient := &http.Client{
-		Transport: utilhttp.InsecureTransport(),
+		Transport: utilhttp.Transport(l.LoadedConfig(l.Log).Platform.Insecure),
 	}
 	l.Log.Infof(product.Replace("Waiting until loft is reachable at https://localhost:%s"), l.LocalPort)
 	err = wait.PollUntilContextTimeout(ctx, time.Second, clihelper.Timeout(), true, func(ctx context.Context) (bool, error) {

pkg/cli/start/success.go

@@ -68,7 +68,8 @@ func (l *LoftStarter) success(ctx context.Context) error {
 	}
 
 	// check if loft is reachable
-	reachable, err := clihelper.IsLoftReachable(ctx, host)
+	insecure := l.LoadedConfig(l.Log).Platform.Insecure
+	reachable, err := clihelper.IsLoftReachable(ctx, host, insecure)
 	if !reachable || err != nil {
 		const (
 			YesOption = "Yes"
@@ -123,10 +124,11 @@ func (l *LoftStarter) pingLoftRouter(ctx context.Context, loftPod *corev1.Pod) (
 	loftRouterDomain := string(loftRouterSecret.Data["domain"])
 
 	// wait until loft is reachable at the given url
+	insecure := l.LoadedConfig(l.Log).Platform.Insecure
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: insecure,
 			},
 		},
 	}
@@ -190,7 +192,8 @@ func (l *LoftStarter) isLoggedIn(url string) bool {
 }
 
 func (l *LoftStarter) successRemote(ctx context.Context, host string) error {
-	ready, err := clihelper.IsLoftReachable(ctx, host)
+	insecure := l.LoadedConfig(l.Log).Platform.Insecure
+	ready, err := clihelper.IsLoftReachable(ctx, host, insecure)
 	if err != nil {
 		return err
 	} else if ready {
@@ -203,7 +206,7 @@ func (l *LoftStarter) successRemote(ctx context.Context, host string) error {
 
 	l.Log.Info("Waiting for you to configure DNS, so loft can be reached on https://" + host)
 	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, clihelper.Timeout(), true, func(ctx context.Context) (done bool, err error) {
-		return clihelper.IsLoftReachable(ctx, host)
+		return clihelper.IsLoftReachable(ctx, host, insecure)
 	})
 	if err != nil {
 		return err

pkg/platform/clihelper/clihelper.go

@@ -344,10 +344,10 @@ func GetLoftDefaultPassword(ctx context.Context, kubeClient kubernetes.Interface
 	return string(loftNamespace.UID), nil
 }
 
-func IsLoftReachable(ctx context.Context, host string) (bool, error) {
+func IsLoftReachable(ctx context.Context, host string, insecure bool) (bool, error) {
 	// wait until loft is reachable at the given url
 	client := &http.Client{
-		Transport: utilhttp.InsecureTransport(),
+		Transport: utilhttp.Transport(insecure),
 	}
 	endpoint := fmt.Sprintf("https://%s/healthz", host)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)

pkg/platform/clihelper/clihelper_test.go

@@ -0,0 +1,105 @@
+package clihelper
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestIsLoftReachable_InsecureTrueAgainstSelfSigned(t *testing.T) {
+	// Create an HTTPS server with a self-signed certificate.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/healthz" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	host := strings.TrimPrefix(server.URL, "https://")
+
+	// With insecure=true, the self-signed cert should be accepted.
+	reachable, err := IsLoftReachable(context.Background(), host, true)
+	assert.NilError(t, err)
+	assert.Assert(t, reachable, "should be reachable with insecure=true against self-signed cert")
+}
+
+func TestIsLoftReachable_InsecureFalseAgainstSelfSigned(t *testing.T) {
+	// Create an HTTPS server with a self-signed certificate.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/healthz" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	host := strings.TrimPrefix(server.URL, "https://")
+
+	// With insecure=false, the self-signed cert should cause a TLS error
+	// and IsLoftReachable should return false (not reachable).
+	reachable, err := IsLoftReachable(context.Background(), host, false)
+	assert.NilError(t, err)
+	assert.Assert(t, !reachable, "should not be reachable with insecure=false against self-signed cert")
+}
+
+func TestIsLoftReachable_InsecureFalseAgainstTrustedCert(t *testing.T) {
+	// Create an HTTPS server with a self-signed cert, but add the cert
+	// to the system pool so it's trusted. We do this by creating a custom
+	// test that validates the transport respects system certs.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/healthz" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	// Verify the server is actually using TLS with a self-signed cert.
+	conn, err := tls.Dial("tcp", strings.TrimPrefix(server.URL, "https://"), &tls.Config{
+		InsecureSkipVerify: true,
+	})
+	assert.NilError(t, err)
+	defer conn.Close()
+
+	// Get the server certificate and create a cert pool that trusts it.
+	serverCert := conn.ConnectionState().PeerCertificates[0]
+	certPool := x509.NewCertPool()
+	certPool.AddCert(serverCert)
+
+	// Verify the cert pool trusts the server - this validates our test setup.
+	_, err = serverCert.Verify(x509.VerifyOptions{
+		Roots: certPool,
+	})
+	assert.NilError(t, err, "cert should be verified with our custom pool")
+}
+
+func TestIsLoftReachable_UnhealthyServer(t *testing.T) {
+	// Server that returns 500 on /healthz.
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	host := strings.TrimPrefix(server.URL, "https://")
+
+	reachable, err := IsLoftReachable(context.Background(), host, true)
+	assert.NilError(t, err)
+	assert.Assert(t, !reachable, "should not be reachable when server returns 500")
+}
+
+func TestIsLoftReachable_UnreachableHost(t *testing.T) {
+	// Use a host that doesn't exist.
+	reachable, err := IsLoftReachable(context.Background(), "localhost:1", true)
+	assert.NilError(t, err)
+	assert.Assert(t, !reachable, "should not be reachable when host is unreachable")
+}

pkg/util/http/transport.go

@@ -12,8 +12,17 @@ func CloneDefaultTransport() *http.Transport {
 	return transport
 }
 
-func InsecureTransport() *http.Transport {
+// Transport returns a cloned default transport with TLS verification
+// controlled by the insecure parameter. When insecure is true, TLS
+// certificate verification is skipped.
+func Transport(insecure bool) *http.Transport {
 	newTransport := CloneDefaultTransport()
-	newTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	if insecure {
+		newTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
 	return newTransport
 }
+
+func InsecureTransport() *http.Transport {
+	return Transport(true)
+}

pkg/util/http/transport_test.go

@@ -0,0 +1,33 @@
+package http
+
+import (
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestTransport_Secure(t *testing.T) {
+	tr := Transport(false)
+	if tr.TLSClientConfig != nil {
+		assert.Assert(t, !tr.TLSClientConfig.InsecureSkipVerify, "TLS verification should be enabled when insecure=false")
+	}
+	assert.Assert(t, !tr.ForceAttemptHTTP2, "HTTP/2 should be disabled")
+}
+
+func TestTransport_Insecure(t *testing.T) {
+	tr := Transport(true)
+	assert.Assert(t, tr.TLSClientConfig != nil, "TLSClientConfig should be set when insecure=true")
+	assert.Assert(t, tr.TLSClientConfig.InsecureSkipVerify, "TLS verification should be skipped when insecure=true")
+	assert.Assert(t, !tr.ForceAttemptHTTP2, "HTTP/2 should be disabled")
+}
+
+func TestInsecureTransport(t *testing.T) {
+	tr := InsecureTransport()
+	assert.Assert(t, tr.TLSClientConfig != nil, "TLSClientConfig should be set")
+	assert.Assert(t, tr.TLSClientConfig.InsecureSkipVerify, "InsecureTransport should skip TLS verification")
+}
+
+func TestCloneDefaultTransport(t *testing.T) {
+	tr := CloneDefaultTransport()
+	assert.Assert(t, !tr.ForceAttemptHTTP2, "HTTP/2 should be disabled")
+}