identity: Document use of InsecureSkipVerify (linkerd#7835)

The CLI's diagnostic command that dumps a proxy's certificate information does not (and should not) verify the proxy's certificate. This change documents why verification is disabled. Signed-off-by: Oliver Gould <[email protected]>
abhijeetgauravm · Feb 8, 2022 · 863a51c · 863a51c
1 parent ec7ed1c
commit 863a51c
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/cli/cmd/identity.go b/cli/cmd/identity.go
@@ -197,6 +197,10 @@ func getCertResponse(url string, pod corev1.Pod) ([]*x509.Certificate, error) {
 	}
 	connURL := strings.Trim(url, "http://")
 	conn, err := tls.Dial("tcp", connURL, &tls.Config{
+		// We want to connect directly to a proxy port to dump its certificate. We don't necessarily
+		// want to verify the server's certificate, since this is purely for diagnostics and may be
+		// used when a proxy's issuer doesn't match the control plane's trust root.
+		//nolint:gosec
 		InsecureSkipVerify: true,
 		ServerName:         serverName,
 	})