From 74c68180c83d6c3c0a90c42155ab97627fc55a71 Mon Sep 17 00:00:00 2001
From: Kent Dong
Date: Wed, 29 Apr 2026 17:15:54 +0800
Subject: [PATCH] fix: Skip TLS certificate verification for HTTPS upstreams (#3770)
Signed-off-by: CH3CHO
---
 pkg/ingress/kube/annotations/upstreamtls.go | 3 +++
 pkg/ingress/kube/annotations/upstreamtls_test.go | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/pkg/ingress/kube/annotations/upstreamtls.go b/pkg/ingress/kube/annotations/upstreamtls.go
index f4745c7c7..68b9681a9 100644
--- a/pkg/ingress/kube/annotations/upstreamtls.go
+++ b/pkg/ingress/kube/annotations/upstreamtls.go
@@ -170,6 +170,9 @@ func processMTLS(config *Ingress) *networking.ClientTLSSettings {
 func processSimple(config *Ingress) *networking.ClientTLSSettings {
 tls := &networking.ClientTLSSettings{
 Mode: networking.ClientTLSSettings_SIMPLE,
+ InsecureSkipVerify: &wrappers.BoolValue{
+ Value: true,
+ },
 }
 if config.UpstreamTLS.EnableSNI && config.UpstreamTLS.SNI != "" {
diff --git a/pkg/ingress/kube/annotations/upstreamtls_test.go b/pkg/ingress/kube/annotations/upstreamtls_test.go
index 61d909b31..8f78c668d 100644
--- a/pkg/ingress/kube/annotations/upstreamtls_test.go
+++ b/pkg/ingress/kube/annotations/upstreamtls_test.go
@@ -17,8 +17,10 @@ package annotations
 import (
 "testing"
+ "github.com/golang/protobuf/ptypes/wrappers"
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
+ "google.golang.org/protobuf/testing/protocmp"
 networking "istio.io/api/networking/v1alpha3"
 )
@@ -129,6 +131,9 @@ func TestApplyTrafficPolicy(t *testing.T) {
 Tls: &networking.ClientTLSSettings{
 Mode: networking.ClientTLSSettings_SIMPLE,
 Sni: "SNI",
+ InsecureSkipVerify: &wrappers.BoolValue{
+ Value: true,
+ },
 },
 },
 },
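Review bot: In `processSimple` (upstreamtls.go) the added `InsecureSkipVerify: &wrappers.BoolValue{Value: true}` is unconditional, so every upstream reached in SIMPLE TLS mode is contacted without validating the server certificate; the link is encrypted but the backend is not authenticated, and the SNI assigned just below does not change that. Nothing visible in the hunk lets an operator opt back into verification, so consider setting the field only when the Ingress configuration has not asked for the upstream certificate to be checked (if the annotation set offers such a setting), and leaving it unset otherwise. At minimum record the trade-off at the assignment, e.g. `// Upstream certificate is not verified: the connection is encrypted but the backend identity is unauthenticated.` The body of processSimple continues outside the hunk, so whether a later branch overrides this value cannot be seen here.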
@@ -158,7 +163,9 @@ func TestApplyTrafficPolicy(t *testing.T) {
 for _, testCase := range testCases {
 t.Run("", func(t *testing.T) {
 parser.ApplyTrafficPolicy(nil, testCase.input, testCase.config)
- if diff := cmp.Diff(testCase.expect, testCase.input, cmpopts.IgnoreUnexported(unexportedIgnoredTypes...)); diff != "" {
+ if diff := cmp.Diff(testCase.expect, testCase.input, protocmp.Transform(),
+ cmpopts.IgnoreUnexported(unexportedIgnoredTypes...),
+ ); diff != "" {
 t.Fatalf("TestApplyTrafficPolicy() mismatch (-want +got): \n%s", diff)
 }
 })
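Review bot: The new `cmp.Diff` call combines `protocmp.Transform()` with `cmpopts.IgnoreUnexported(unexportedIgnoredTypes...)` without saying why both are needed. A short comment above the call would help, e.g. `// protocmp.Transform compares protobuf messages by content; needed now that the expectation holds a *wrappers.BoolValue.` Once messages are compared through protocmp, the IgnoreUnexported option may be redundant for protobuf types; `unexportedIgnoredTypes` is defined outside the hunk, so confirm whether it still covers any non-protobuf type before removing it.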