@Zash Zash commented Sep 18, 2025

  • Should be okay from inside the cluster (harbor and opensearch scripts)
  • Should be okay from tests (tests/ and pipeline/)
  • No migrations changed

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • kind/adr

What does this PR do / why do we need this PR?

The curl flag -k or --insecure disables certificate validation and such security checks.
The short form especially might be easy to miss during review, so preferring the long version is better.

This replaces the short form curl -k with --insecure in order to make it more visible where this is used and obvious what it does.

Information to reviewers

Double check whether the use of --insecure is really warranted in these places.

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change updates CRDs
    • The change updates the config and the schema
  • Documentation checks:
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
    • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
  • Logs checks:
    • The logs do not show any errors after the change
  • PodSecurityPolicy checks:
    • Any changed Pod is covered by Kubernetes Pod Security Standards
    • Any changed Pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
  • NetworkPolicy checks:
    • Any changed Pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

@Zash Zash requested review from a team as code owners September 18, 2025 08:58
@Zash Zash self-assigned this Sep 18, 2025

@lunkan93 lunkan93 left a comment

Nice 👍 We should probably review which of these actually need the --insecure flag at some point..

@rarescosma rarescosma left a comment

Love it, wish we had a way to disseminate this as a guideline for all future script work: use expanded options in scripts as much as possible.

@Zash Zash merged commit 8bf80b1 into main Sep 18, 2025
12 checks passed
@Zash Zash deleted the k/goto/insecurecurl branch September 18, 2025 11:21

Zash commented Sep 18, 2025

Also see some more (but less security-related than this) in #2738

> wish we had a way to disseminate this as a guideline for all future script work: use expanded options in scripts as much as possible.

This would indeed be nice.
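
One way to enforce the guideline discussed in this thread, as an added example that is not part of the pull request or the project's tooling: a POSIX shell lint that reports curl calls still using the short -k flag, including bundled forms such as -sSk and backslash-continued commands. The function name find_short_insecure and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the PR): report curl calls that use the short -k
# flag, alone or bundled (-sSk), so reviewers see every place TLS certificate
# validation is disabled. find_short_insecure is a hypothetical name.
#
# Prints "file:line: command" per hit; returns 1 if anything was found.
# Known limits: it is a line-based heuristic, so "-ok" (-o with the argument
# "k") or a -k belonging to a later command on the same line is also reported.
find_short_insecure() {
    awk '
    {
        if (buf == "") start = FNR        # first line of this command
        line = $0
        # Join backslash continuations so a flag on the next line is seen.
        if (sub(/\\$/, "", line)) { buf = buf line " "; next }
        cmd = buf line
        buf = ""
        if (cmd ~ /^[ \t]*#/) next        # ignore full-line comments
        # curl, any arguments, then a single-dash option bundle containing k.
        if (cmd ~ /(^|[^A-Za-z0-9_-])curl([ \t]+[^ \t]+)*[ \t]+-[A-Za-z0-9]*k[A-Za-z0-9]*([ \t]|$)/) {
            printf "%s:%d: %s\n", FILENAME, start, cmd
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Run as a CI step: sh lint-curl.sh scripts/*.sh  (file name is an example)
if [ "$#" -gt 0 ]; then
    find_short_insecure "$@"
fi
```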
