Add skipTLSVerify field to ACME issuer spec

2018-02-10 01:25:41 +00:00 · 2018-02-10 01:25:41 +00:00 · 23f694cf0d
commit 23f694cf0d
parent 39324ce4d7
2 changed files with 10 additions and 0 deletions
--- a/pkg/apis/certmanager/v1alpha1/types.go
+++ b/pkg/apis/certmanager/v1alpha1/types.go
@ -90,6 +90,8 @@ type ACMEIssuer struct {
 	Email string `json:"email"`
 	// Server is the ACME server URL
 	Server string `json:"server"`
+	// If true, skip verifying the ACME server TLS certificate
+	SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
 	// PrivateKey is the name of a secret containing the private key for this
 	// user account.
 	PrivateKey SecretKeySelector `json:"privateKeySecretRef"`
--- a/pkg/issuer/acme/acme.go
+++ b/pkg/issuer/acme/acme.go
@ -2,7 +2,9 @@ package acme

 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	nethttp "net/http"

 	"github.com/golang/glog"
 	corev1 "k8s.io/api/core/v1"
@ -93,7 +95,13 @@ func (a *Acme) acmeClient() (*acme.Client, error) {
 		return nil, err
 	}

+	tr := &nethttp.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: a.issuer.GetSpec().ACME.SkipTLSVerify},
+	}
+	client := &nethttp.Client{Transport: tr}
+
 	cl := &acme.Client{
+		HTTPClient:   client,
 		Key:          accountPrivKey,
 		DirectoryURL: a.issuer.GetSpec().ACME.Server,
 	}