configure Core -> Periphery insecure_tls

This commit is contained in:
mbecker20
2025-10-05 17:36:07 -07:00
parent 03f577d22f
commit 098f23ac4c
13 changed files with 112 additions and 12 deletions


@@ -438,6 +438,7 @@ async fn get_on_host_periphery(
&ObjectId::new().to_hex(),
&config,
),
config.insecure_tls,
&config.passkey,
)
.await?;


@@ -85,6 +85,7 @@ pub async fn launch_ec2_instance(
use_public_ip,
user_data,
periphery_public_key: _,
insecure_tls: _,
port: _,
use_https: _,
git_providers: _,


@@ -25,6 +25,7 @@ impl PeripheryConnectionArgs<'_> {
pub async fn spawn_client_connection(
self,
id: String,
insecure: bool,
passkey: String,
) -> anyhow::Result<Arc<ConnectionChannels>> {
let Some(address) = self.address else {
@@ -48,7 +49,7 @@ impl PeripheryConnectionArgs<'_> {
let ws = tokio::select! {
ws = TungsteniteWebsocket::connect_maybe_tls_insecure(
&endpoint,
endpoint.starts_with("wss"),
insecure && endpoint.starts_with("wss"),
) => ws,
_ = connection.cancel.cancelled() => {
break
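Review bot: The new `insecure` parameter of `spawn_client_connection` carries no documentation, and nothing records at runtime that certificate validation was turned off for a `wss://` endpoint, so an operator cannot tell from logs whether a given Core -> Periphery link is authenticated by TLS at all. Add `/// When true and the endpoint is wss://, skip TLS certificate validation (Periphery uses self-signed certs by default); the peer is then not authenticated by TLS.` above the parameter, and consider emitting a warning-level log line beside the `connect_maybe_tls_insecure` call when `insecure && endpoint.starts_with("wss")` holds, if the crate's logging macro is in scope here. The removed line always skipped validation for wss, so this hunk is a tightening rather than a regression. The body of `spawn_client_connection` continues outside the hunk.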


@@ -53,6 +53,7 @@ pub async fn get_builder_periphery(
&ObjectId::new().to_hex(),
&config,
),
config.insecure_tls,
&config.passkey,
)
.await?;
@@ -114,6 +115,7 @@ async fn get_aws_builder(
&periphery_address,
&config,
),
config.insecure_tls,
"",
)
.await?;


@@ -194,6 +194,7 @@ pub async fn periphery_client(
}
PeripheryClient::new(
PeripheryConnectionArgs::from_server(server),
server.config.insecure_tls,
&server.config.passkey,
)
.await


@@ -34,6 +34,7 @@ pub struct PeripheryClient {
impl PeripheryClient {
pub async fn new(
args: PeripheryConnectionArgs<'_>,
insecure_tls: bool,
// deprecated.
passkey: &str,
) -> anyhow::Result<PeripheryClient> {
@@ -47,7 +48,11 @@ impl PeripheryClient {
return Err(anyhow!("Server {id} is not connected"));
}
let channels = args
.spawn_client_connection(id.clone(), passkey.to_string())
.spawn_client_connection(
id.clone(),
insecure_tls,
passkey.to_string(),
)
.await?;
return Ok(PeripheryClient { id, channels });
};
@@ -77,7 +82,11 @@ impl PeripheryClient {
} else {
// Core -> Periphery connection
let channels = args
.spawn_client_connection(id.clone(), passkey.to_string())
.spawn_client_connection(
id.clone(),
insecure_tls,
passkey.to_string(),
)
.await?;
Ok(PeripheryClient { id, channels })
}
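Review bot: `PeripheryClient::new` gains an `insecure_tls: bool` parameter with no doc comment, while the neighbouring `passkey` at least carries `// deprecated.`; callers passing a bare `true`/`false` positionally get no hint of what they are disabling. Add `/// Skip TLS certificate validation on Core -> Periphery wss:// connections; forwarded unchanged to spawn_client_connection.` above the parameter. Both call sites in the hunks forward the flag identically, which is consistent. The function body continues outside the hunks.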


@@ -250,6 +250,9 @@ impl MergePartial for BuilderConfig {
periphery_public_key: partial
.periphery_public_key
.unwrap_or(config.periphery_public_key),
insecure_tls: partial
.insecure_tls
.unwrap_or(config.insecure_tls),
passkey: partial.passkey.unwrap_or(config.passkey),
};
BuilderConfig::Url(config)
@@ -292,6 +295,9 @@ impl MergePartial for BuilderConfig {
periphery_public_key: partial
.periphery_public_key
.unwrap_or(config.periphery_public_key),
insecure_tls: partial
.insecure_tls
.unwrap_or(config.insecure_tls),
user_data: partial.user_data.unwrap_or(config.user_data),
git_providers: partial
.git_providers
@@ -328,6 +334,11 @@ pub struct UrlBuilderConfig {
#[serde(default)]
#[builder(default)]
pub periphery_public_key: String,
/// Whether to validate the Periphery tls certificates.
#[serde(default = "default_insecure_tls")]
#[builder(default = default_insecure_tls())]
#[partial(default(default_insecure_tls()))]
pub insecure_tls: bool,
/// Deprecated. Use private / public keys instead.
/// An optional override passkey to use
/// to authenticate with periphery agent.
@@ -341,11 +352,16 @@ fn default_address() -> String {
String::from("https://periphery:8120")
}
fn default_insecure_tls() -> bool {
true
}
impl Default for UrlBuilderConfig {
fn default() -> Self {
Self {
address: default_address(),
periphery_public_key: Default::default(),
insecure_tls: default_insecure_tls(),
passkey: Default::default(),
}
}
@@ -461,6 +477,11 @@ pub struct AwsBuilderConfig {
/// If empty, doesn't validate Periphery public key.
#[serde(default)]
pub periphery_public_key: String,
/// Whether to validate the Periphery tls certificates.
#[serde(default = "default_insecure_tls")]
#[builder(default = default_insecure_tls())]
#[partial(default(default_insecure_tls()))]
pub insecure_tls: bool,
/// Which git providers are available on the AMI
#[serde(default)]
@@ -496,6 +517,7 @@ impl Default for AwsBuilderConfig {
use_public_ip: Default::default(),
user_data: Default::default(),
periphery_public_key: Default::default(),
insecure_tls: default_insecure_tls(),
git_providers: Default::default(),
docker_registries: Default::default(),
secrets: Default::default(),
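Review bot: The doc comment `/// Whether to validate the Periphery tls certificates.` on `insecure_tls` in both `UrlBuilderConfig` and `AwsBuilderConfig` states the opposite of the field's polarity: `true` (the value `default_insecure_tls` returns) disables validation, as the `ServerConfig` doc in this same commit says (`Whether to skip Periphery tls certificate validation.`). Since this text also feeds the generated TypeScript types, a reader will conclude that `true` means the certificate is verified. Replace both occurrences with the ServerConfig wording and state the default: `/// Whether to skip Periphery tls certificate validation. Defaults to true because Periphery generates self-signed certificates by default; set to false once Periphery presents a certificate Core trusts.`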


@@ -89,6 +89,15 @@ pub struct ServerConfig {
#[builder(default)]
pub address: String,
/// Only relevant for Core -> Periphery connections.
/// Whether to skip Periphery tls certificate validation.
/// This defaults to true because Periphery generates self-signed certificates by default,
/// but if you use valid certs you can switch this to false.
#[serde(default = "default_insecure_tls")]
#[builder(default = "default_insecure_tls()")]
#[partial_default(default_insecure_tls())]
pub insecure_tls: bool,
/// The address to use with links for containers on the server.
/// If empty, will use the 'address' for links.
#[serde(default)]
@@ -228,6 +237,11 @@ impl ServerConfig {
}
}
fn default_insecure_tls() -> bool {
// Peripheries use self signed certs by default
true
}
fn default_enabled() -> bool {
false
}
@@ -272,6 +286,7 @@ impl Default for ServerConfig {
fn default() -> Self {
Self {
address: Default::default(),
insecure_tls: default_insecure_tls(),
external_address: Default::default(),
enabled: default_enabled(),
ignore_mounts: Default::default(),
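Review bot: The doc on `ServerConfig::insecure_tls` explains why the default is `true` but not what is given up: with validation skipped, TLS no longer authenticates the Periphery, so any host that answers on the configured `address` is accepted at the transport layer and the peer's identity rests entirely on whatever application-level key check happens afterwards, which is not visible in this hunk. Operators reading the field from the config file should see that trade-off stated. Add after the existing lines: `/// With this enabled, TLS does not authenticate the Periphery; an on-path attacker could impersonate it. Prefer a trusted certificate and `false` on untrusted networks.` The same sentence should flow into the generated TS docs.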


@@ -2109,6 +2109,13 @@ export interface ServerConfig {
* If unset, Server expects Periphery -> Core connection.
*/
address?: string;
/**
* Only relevant for Core -> Periphery connections.
* Whether to skip Periphery tls certificate validation.
* This defaults to true because Periphery generates self-signed certificates by default,
* but if you use valid certs you can switch this to false.
*/
insecure_tls: boolean;
/**
* The address to use with links for containers on the server.
* If empty, will use the 'address' for links.
@@ -4297,6 +4304,8 @@ export interface AwsBuilderConfig {
* If empty, doesn't validate Periphery public key.
*/
periphery_public_key?: string;
/** Whether to validate the Periphery tls certificates. */
insecure_tls: boolean;
/** Which git providers are available on the AMI */
git_providers?: GitProvider[];
/** Which docker registries are available on the AMI. */
@@ -4307,7 +4316,7 @@ export interface AwsBuilderConfig {
/**
* **Admin only.** Backs up the Komodo Core database to compressed jsonl files.
* Response: [Update]
* Response: [Update]. Aliases: `backup-database`, `backup-db`, `backup`.
*
* Mount a folder to `/backups`, and Core will use it to create
* timestamped database dumps, which can be restored using
@@ -6698,7 +6707,7 @@ export interface GetVersionResponse {
/**
* **Admin only.** Trigger a global poll for image updates on Stacks and Deployments
* with `poll_for_updates` or `auto_update` enabled.
* Response: [Update]
* Response: [Update]. Alias: `auto-update`.
*
* 1. `docker compose pull` any Stacks / Deployments with `poll_for_updates` or `auto_update` enabled. This will pick up any available updates.
* 2. Redeploy Stacks / Deployments that have updates found and 'auto_update' enabled.
@@ -7811,7 +7820,7 @@ export interface RestartStack {
/**
* **Admin only.** Rotates all connected Server keys.
* Response: [Update]
* Response: [Update]. Alias: `rotate-keys`.
*/
export interface RotateAllServerKeys {
}
@@ -7993,7 +8002,10 @@ export interface SearchStackLog {
timestamps?: boolean;
}
/** Send a custom alert message to configured Alerters. Response: [Update] */
/**
* Send a custom alert message to configured Alerters. Response: [Update].
* Alias: `alert`
*/
export interface SendAlert {
/** The alert level. */
level?: SeverityLevel;
@@ -8630,6 +8642,8 @@ export interface UrlBuilderConfig {
* If empty, doesn't validate Periphery public key.
*/
periphery_public_key?: string;
/** Whether to validate the Periphery tls certificates. */
insecure_tls: boolean;
/**
* Deprecated. Use private / public keys instead.
* An optional override passkey to use


@@ -2238,6 +2238,13 @@ export interface ServerConfig {
* If unset, Server expects Periphery -> Core connection.
*/
address?: string;
/**
* Only relevant for Core -> Periphery connections.
* Whether to skip Periphery tls certificate validation.
* This defaults to true because Periphery generates self-signed certificates by default,
* but if you use valid certs you can switch this to false.
*/
insecure_tls: boolean;
/**
* The address to use with links for containers on the server.
* If empty, will use the 'address' for links.
@@ -4199,6 +4206,8 @@ export interface AwsBuilderConfig {
* If empty, doesn't validate Periphery public key.
*/
periphery_public_key?: string;
/** Whether to validate the Periphery tls certificates. */
insecure_tls: boolean;
/** Which git providers are available on the AMI */
git_providers?: GitProvider[];
/** Which docker registries are available on the AMI. */
@@ -4208,7 +4217,7 @@ export interface AwsBuilderConfig {
}
/**
* **Admin only.** Backs up the Komodo Core database to compressed jsonl files.
* Response: [Update]
* Response: [Update]. Aliases: `backup-database`, `backup-db`, `backup`.
*
* Mount a folder to `/backups`, and Core will use it to create
* timestamped database dumps, which can be restored using
@@ -6396,7 +6405,7 @@ export interface GetVersionResponse {
/**
* **Admin only.** Trigger a global poll for image updates on Stacks and Deployments
* with `poll_for_updates` or `auto_update` enabled.
* Response: [Update]
* Response: [Update]. Alias: `auto-update`.
*
* 1. `docker compose pull` any Stacks / Deployments with `poll_for_updates` or `auto_update` enabled. This will pick up any available updates.
* 2. Redeploy Stacks / Deployments that have updates found and 'auto_update' enabled.
@@ -7399,7 +7408,7 @@ export interface RestartStack {
}
/**
* **Admin only.** Rotates all connected Server keys.
* Response: [Update]
* Response: [Update]. Alias: `rotate-keys`.
*/
export interface RotateAllServerKeys {
}
@@ -7570,7 +7579,10 @@ export interface SearchStackLog {
/** Enable `--timestamps` */
timestamps?: boolean;
}
/** Send a custom alert message to configured Alerters. Response: [Update] */
/**
* Send a custom alert message to configured Alerters. Response: [Update].
* Alias: `alert`
*/
export interface SendAlert {
/** The alert level. */
level?: SeverityLevel;
@@ -8155,6 +8167,8 @@ export interface UrlBuilderConfig {
* If empty, doesn't validate Periphery public key.
*/
periphery_public_key?: string;
/** Whether to validate the Periphery tls certificates. */
insecure_tls: boolean;
/**
* Deprecated. Use private / public keys instead.
* An optional override passkey to use


@@ -90,6 +90,7 @@ export const ConfigLayout = <
};
export type PrimitiveConfigArgs = {
hidden?: boolean;
placeholder?: string;
label?: string;
boldLabel?: boolean;
@@ -376,6 +377,7 @@ export const ConfigAgain = <
typeof component === "object"
? (component as PrimitiveConfigArgs)
: undefined;
if (args?.hidden) return null;
switch (typeof value) {
case "string":
return (


@@ -141,6 +141,9 @@ const AwsBuilderConfig = ({ id }: { id: string }) => {
"If provided, the associated private key must be set as Periphery 'private_key'. For Periphery -> Core connection, either this or using 'periphery_public_key' in Core config is required for Periphery to be able to connect.",
placeholder: "custom-public-key",
},
insecure_tls: {
description: "Skip Periphery TLS certificate validation.",
},
},
},
{
@@ -313,19 +316,24 @@ const ServerBuilderConfig = ({ id }: { id: string }) => {
const UrlBuilderConfig = ({ id }: { id: string }) => {
const { canWrite } = usePermissions({ type: "Builder", id });
const config = useRead("GetBuilder", { builder: id }).data?.config;
const [update, set] = useLocalStorage<Partial<Types.UrlBuilderConfig>>(
`url-builder-${id}-update-v1`,
{}
);
const { mutateAsync } = useWrite("UpdateBuilder");
if (!config) return null;
const disabled = !canWrite;
const params = config.params as Types.UrlBuilderConfig;
const address = update.address ?? params.address;
const tls_address = !!address && !address.startsWith("ws://");
return (
<Config
disabled={disabled}
original={config.params as Types.UrlBuilderConfig}
original={params}
update={update}
set={set}
onSave={async () => {
@@ -353,6 +361,10 @@ const UrlBuilderConfig = ({ id }: { id: string }) => {
"If provided, the associated private key must be set as Periphery 'private_key'. For Periphery -> Core connection, either this or using 'periphery_public_key' in Core config is required for Periphery to be able to connect.",
placeholder: "custom-public-key",
},
insecure_tls: {
hidden: !tls_address,
description: "Skip Periphery TLS certificate validation.",
},
},
},
],
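Review bot: `const tls_address = !!address && !address.startsWith("ws://")` treats every address that is not `ws://` as TLS, so a plain `http://host:8120` address, or one with no scheme at all, keeps the `insecure_tls` toggle visible even though on the Rust side the flag only takes effect when the derived endpoint starts with `wss` (`insecure && endpoint.starts_with("wss")`). How `http://` or scheme-less addresses are mapped to websocket endpoints is not visible here; if `http://` becomes `ws://`, the check should exclude it too, e.g. `const tls_address = !!address && !/^(ws|http):\/\//.test(address);`. Hiding the toggle leaves any stored value in place, which is harmless since the flag is ignored for non-wss endpoints.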


@@ -40,6 +40,8 @@ export const ServerConfig = ({
if (!config) return null;
const disabled = global_disabled || !canWrite;
const address = update.address ?? config.address;
const tls_address = !!address && !address.startsWith("ws://");
return (
<Config
@@ -112,6 +114,10 @@ export const ServerConfig = ({
"For Core -> Periphery connnection mode, specify address of periphery in your network.",
placeholder: "12.34.56.78:8120",
},
insecure_tls: {
hidden: !tls_address,
description: "Skip Periphery TLS certificate validation.",
},
external_address: {
description:
"Optional. The address of the server used in container links, if different than the Address.",
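Review bot: The UI description `Skip Periphery TLS certificate validation.` for `insecure_tls` does not tell the operator that the setting is on by default (per `default_insecure_tls` in the Rust config), so a toggle they never touched silently leaves Core accepting any certificate from the Periphery address. Expand it to something like `Skip Periphery TLS certificate validation. On by default because Periphery ships self-signed certs; turn off once Periphery presents a certificate Core trusts, otherwise TLS does not authenticate the Periphery.` The two builder config descriptions in the sibling file would benefit from the same wording. The `ServerConfig` component continues outside this hunk.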