From 582af464c0bd395d1b2172bc22861960d4631c57 Mon Sep 17 00:00:00 2001 From: EndlessSeeker <153817598+EndlessSeeker@users.noreply.github.com> Date: Wed, 24 Jun 2026 15:39:32 +0800 Subject: [PATCH] Revert "fix: Skip TLS certificate verification for HTTPS upstreams" (#4016) Signed-off-by: EndlessSeeker <1766508902@qq.com> --- pkg/ingress/kube/annotations/upstreamtls.go | 3 --- pkg/ingress/kube/annotations/upstreamtls_test.go | 9 +-------- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/pkg/ingress/kube/annotations/upstreamtls.go b/pkg/ingress/kube/annotations/upstreamtls.go index 68b9681a9..f4745c7c7 100644 --- a/pkg/ingress/kube/annotations/upstreamtls.go +++ b/pkg/ingress/kube/annotations/upstreamtls.go @@ -170,9 +170,6 @@ func processMTLS(config *Ingress) *networking.ClientTLSSettings { func processSimple(config *Ingress) *networking.ClientTLSSettings { tls := &networking.ClientTLSSettings{ Mode: networking.ClientTLSSettings_SIMPLE, - InsecureSkipVerify: &wrappers.BoolValue{ - Value: true, - }, } if config.UpstreamTLS.EnableSNI && config.UpstreamTLS.SNI != "" { diff --git a/pkg/ingress/kube/annotations/upstreamtls_test.go b/pkg/ingress/kube/annotations/upstreamtls_test.go index 8f78c668d..61d909b31 100644 --- a/pkg/ingress/kube/annotations/upstreamtls_test.go +++ b/pkg/ingress/kube/annotations/upstreamtls_test.go @@ -17,10 +17,8 @@ package annotations import ( "testing" - "github.com/golang/protobuf/ptypes/wrappers" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" - "google.golang.org/protobuf/testing/protocmp" networking "istio.io/api/networking/v1alpha3" ) @@ -131,9 +129,6 @@ func TestApplyTrafficPolicy(t *testing.T) { Tls: &networking.ClientTLSSettings{ Mode: networking.ClientTLSSettings_SIMPLE, Sni: "SNI", - InsecureSkipVerify: &wrappers.BoolValue{ - Value: true, - }, }, }, }, @@ -163,9 +158,7 @@ func TestApplyTrafficPolicy(t *testing.T) { for _, testCase := range testCases { t.Run("", func(t *testing.T) { parser.ApplyTrafficPolicy(nil, testCase.input, testCase.config) - if diff := cmp.Diff(testCase.expect, testCase.input, protocmp.Transform(), - cmpopts.IgnoreUnexported(unexportedIgnoredTypes...), - ); diff != "" { + if diff := cmp.Diff(testCase.expect, testCase.input, cmpopts.IgnoreUnexported(unexportedIgnoredTypes...)); diff != "" { t.Fatalf("TestApplyTrafficPolicy() mismatch (-want +got): \n%s", diff) } })