Add insecure_tls_config flag

(cherry picked from commit 230516d)

Author: mangelajo

packages/jumpstarter-cli-admin/jumpstarter_cli_admin/create.py

@@ -6,7 +6,9 @@
 from jumpstarter_cli_common.opt import (
     OutputMode,
     OutputType,
+    confirm_insecure_tls,
     opt_context,
+    opt_insecure_tls_config,
     opt_kubeconfig,
     opt_labels,
     opt_log_level,
@@ -75,13 +77,15 @@ def print_created_client(client: V1Alpha1Client, output: OutputType):
 @opt_labels
 @opt_kubeconfig
 @opt_context
+@opt_insecure_tls_config
 @opt_oidc_username
 @opt_nointeractive
 @opt_output_all
 async def create_client(
     name: Optional[str],
     kubeconfig: Optional[str],
     context: Optional[str],
+    insecure_tls_config: bool,
     namespace: str,
     labels: list[(str, str)],
     save: bool,
@@ -94,6 +98,7 @@ async def create_client(
 ):
     """Create a client object in the Kubernetes cluster"""
     try:
+        confirm_insecure_tls(insecure_tls_config, nointeractive)
         async with ClientsV1Alpha1Api(namespace, kubeconfig, context) as api:
             if output is None:
                 # Only print status if  is not JSON/YAML
@@ -113,6 +118,7 @@ async def create_client(
                 allow_drivers = allow.split(",") if allow is not None and len(allow) > 0 else []
                 client_config.drivers.unsafe = unsafe
                 client_config.drivers.allow = allow_drivers
+                client_config.tls.insecure = insecure_tls_config
                 ClientConfigV1Alpha1.save(client_config, out)
                 # If this is the only client config, set it as default
                 if out is None and len(ClientConfigV1Alpha1.list()) == 1:
@@ -156,13 +162,15 @@ def print_created_exporter(exporter: V1Alpha1Exporter, output: OutputType):
 @opt_labels
 @opt_kubeconfig
 @opt_context
+@opt_insecure_tls_config
 @opt_oidc_username
 @opt_nointeractive
 @opt_output_all
 async def create_exporter(
     name: Optional[str],
     kubeconfig: Optional[str],
     context: Optional[str],
+    insecure_tls_config: bool,
     namespace: str,
     labels: list[(str, str)],
     save: bool,
@@ -173,6 +181,7 @@ async def create_exporter(
 ):
     """Create an exporter object in the Kubernetes cluster"""
     try:
+        confirm_insecure_tls(insecure_tls_config, nointeractive)
         async with ExportersV1Alpha1Api(namespace, kubeconfig, context) as api:
             if output is None:
                 click.echo(f"Creating exporter '{name}' in namespace '{namespace}'")
@@ -182,6 +191,7 @@ async def create_exporter(
                 if output is None:
                     click.echo("Fetching exporter credentials from cluster")
                 exporter_config = await api.get_exporter_config(name)
+                exporter_config.tls.insecure = insecure_tls_config
                 ExporterConfigV1Alpha1.save(exporter_config, out)
                 if output is None:
                     click.echo(f"Exporter configuration successfully saved to {exporter_config.path}")

packages/jumpstarter-cli-admin/jumpstarter_cli_admin/import_res.py

@@ -3,7 +3,9 @@
 import asyncclick as click
 from jumpstarter_cli_common.opt import (
     PathOutputType,
+    confirm_insecure_tls,
     opt_context,
+    opt_insecure_tls_config,
     opt_kubeconfig,
     opt_namespace,
     opt_nointeractive,
@@ -45,13 +47,15 @@ def import_res():
 @opt_namespace
 @opt_kubeconfig
 @opt_context
+@opt_insecure_tls_config
 @opt_output_path_only
 @opt_nointeractive
 async def import_client(
     name: str,
     namespace: str,
     kubeconfig: Optional[str],
     context: Optional[str],
+    insecure_tls_config: bool,
     allow: Optional[str],
     unsafe: bool,
     out: Optional[str],
@@ -63,6 +67,7 @@ async def import_client(
     if out is None and ClientConfigV1Alpha1.exists(name):
         raise click.ClickException(f"A client with the name '{name}' already exists")
     try:
+        confirm_insecure_tls(insecure_tls_config, nointeractive)
         async with ClientsV1Alpha1Api(namespace, kubeconfig, context) as api:
             if unsafe is False and allow is None and nointeractive is False:
                 unsafe = click.confirm("Allow unsafe driver client imports?")
@@ -74,6 +79,7 @@ async def import_client(
                 click.echo("Fetching client credentials from cluster")
             allow_drivers = allow.split(",") if allow is not None and len(allow) > 0 else []
             client_config = await api.get_client_config(name, allow=allow_drivers, unsafe=unsafe)
+            client_config.tls.insecure = insecure_tls_config
             config_path = ClientConfigV1Alpha1.save(client_config, out)
             # If this is the only client config, set it as default
             if out is None and len(ClientConfigV1Alpha1.list()) == 1:
@@ -100,6 +106,7 @@ async def import_client(
 @opt_namespace
 @opt_kubeconfig
 @opt_context
+@opt_insecure_tls_config
 @opt_output_path_only
 @opt_nointeractive
 async def import_exporter(
@@ -108,6 +115,7 @@ async def import_exporter(
     out: Optional[str],
     kubeconfig: Optional[str],
     context: Optional[str],
+    insecure_tls_config: bool,
     output: PathOutputType,
     nointeractive: bool,
 ):
@@ -119,10 +127,12 @@ async def import_exporter(
     else:
         raise click.ClickException(f'An exporter with the name "{name}" already exists')
     try:
+        confirm_insecure_tls(insecure_tls_config, nointeractive)
         async with ExportersV1Alpha1Api(namespace, kubeconfig, context) as api:
             if output is None:
                 click.echo("Fetching exporter credentials from cluster")
             exporter_config = await api.get_exporter_config(name)
+            exporter_config.tls.insecure = insecure_tls_config
             config_path = ExporterConfigV1Alpha1.save(exporter_config, out)
             if output is None:
                 click.echo(f"Exporter configuration successfully saved to {config_path}")

packages/jumpstarter-cli-common/jumpstarter_cli_common/opt.py

@@ -19,6 +19,23 @@
 
 opt_labels = click.option("-l", "--label", "labels", type=(str, str), multiple=True, help="Labels")
 
+opt_insecure_tls_config = click.option("--insecure-tls-config", "insecure_tls_config", is_flag=True, default=False,
+            help="Disable endpoint TLS verification. This is insecure and should only be used for testing purposes")
+
+def confirm_insecure_tls(insecure_tls_config:bool, nointeractive: bool):
+    """Confirm if insecure TLS config is enabled and user wants to continue.
+
+    Args:
+        insecure_tls_config (bool): Insecure TLS config flag requested by the user.
+        nointeractive (bool): This flag is set to True if the command is run in non-interactive mode.
+
+    Raises:
+        click.Abort: Abort the command if user does not want to continue.
+    """
+    if nointeractive is False and insecure_tls_config:
+        if not click.confirm("Insecure TLS config is enabled. Are you sure you want to continue?"):
+            click.echo("Aborting.")
+            raise click.Abort()
 
 class OutputMode(str):
     JSON = "json"

packages/jumpstarter-cli/jumpstarter_cli/login.py

@@ -1,6 +1,7 @@
 import asyncclick as click
 from jumpstarter_cli_common.config import opt_config
 from jumpstarter_cli_common.oidc import Config, decode_jwt_issuer, opt_oidc
+from jumpstarter_cli_common.opt import confirm_insecure_tls, opt_insecure_tls_config, opt_nointeractive
 
 from jumpstarter.config.client import ClientConfigV1Alpha1, ClientConfigV1Alpha1Drivers
 from jumpstarter.config.common import ObjectMeta
@@ -24,6 +25,8 @@
     "--unsafe", is_flag=True, help="Should all driver client packages be allowed to load (UNSAFE!).", default=None
 )
 # end client specific
+@opt_insecure_tls_config
+@opt_nointeractive
 @opt_config(allow_missing=True)
 async def login(  # noqa: C901
     config,
@@ -37,27 +40,39 @@ async def login(  # noqa: C901
     client_id: str,
     connector_id: str,
     unsafe,
+    insecure_tls_config: bool,
+    nointeractive: bool,
     allow,
 ):
     """Login into a jumpstarter instance"""
 
+    confirm_insecure_tls(insecure_tls_config, nointeractive)
+
     match config:
         case ClientConfigV1Alpha1():
             issuer = decode_jwt_issuer(config.token)
         case ExporterConfigV1Alpha1():
             issuer = decode_jwt_issuer(config.token)
         case (kind, value):
             if namespace is None:
+                if nointeractive:
+                    raise click.UsageError("Namespace is required in non-interactive mode.")
                 namespace = click.prompt("Enter the Jumpstarter exporter namespace")
             if name is None:
+                if nointeractive:
+                    raise click.UsageError("Name is required in non-interactive mode.")
                 name = click.prompt("Enter the Jumpstarter exporter name")
             if endpoint is None:
+                if nointeractive:
+                    raise click.UsageError("Endpoint is required in non-interactive mode.")
                 endpoint = click.prompt("Enter the Jumpstarter service endpoint")
 
             if kind.startswith("client"):
                 if unsafe is None:
                     unsafe = click.confirm("Allow unsafe driver client imports?")
                     if unsafe is False and allow == "":
+                        if nointeractive:
+                            raise click.UsageError("Allowed driver packages are required in non-interactive mode.")
                         allow = click.prompt(
                             "Enter a comma-separated list of allowed driver packages (optional)", default="", type=str
                         )
@@ -80,6 +95,8 @@ async def login(  # noqa: C901
                 )
 
     if issuer is None:
+        if nointeractive:
+            raise click.UsageError("Issuer is required in non-interactive mode.")
         issuer = click.prompt("Enter the OIDC issuer")
 
     oidc = Config(issuer=issuer, client_id=client_id)
@@ -93,6 +110,7 @@ async def login(  # noqa: C901
         tokens = await oidc.authorization_code_grant()
 
     config.token = tokens["access_token"]
+    config.tls.insecure = insecure_tls_config
 
     match kind:
         case "client":