From 92c2fc0d52303b4d42c905da31d75d45943816d6 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Thu, 26 Mar 2026 11:42:47 -0700
Subject: [PATCH] Add insecure_skip_verify option for HTTPS client in security.toml (#8781)

* Add -insecureSkipVerify flag and config option for filer.sync HTTPS connections

When using filer.sync between clusters with different CAs (e.g., separate OpenShift clusters), TLS certificate verification fails with "x509: certificate signed by unknown authority". This adds two ways to skip TLS certificate verification:

1. CLI flag: `weed filer.sync -insecureSkipVerify ...`
2. Config option: `insecure_skip_verify = true` under [https.client] in security.toml

Closes #8778

* Add insecure_skip_verify option for HTTPS client in security.toml

When using filer.sync between clusters with different CAs (e.g., separate OpenShift clusters), TLS certificate verification fails. Adding insecure_skip_verify = true under [https.client] in security.toml allows skipping TLS certificate verification. The option is read during global HTTP client initialization so it applies to all HTTPS connections including filer.sync proxy reads and writes.

Closes #8778

---------

Co-authored-by: Copilot
---
 weed/command/scaffold/security.toml | 1 +
 weed/util/http/client/http_client.go | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml
index e70ce31bf..6c8aaa475 100644
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -135,6 +135,7 @@ enabled = false # Set to true to enable HTTPS for all outgoing HTTP client conn
 cert = "" # Client certificate for mTLS (optional if server doesn't require client cert)
 key = "" # Client key for mTLS (optional if server doesn't require client cert)
 ca = "" # CA certificate to verify server certificates (required when enabled=true)
+insecure_skip_verify = false # Skip TLS certificate verification (NOT recommended for production)
 
 # Volume server HTTPS options (server-side)
 # Enables HTTPS for incoming HTTP connections to volume server
diff --git a/weed/util/http/client/http_client.go b/weed/util/http/client/http_client.go
index 661df582e..ca908763f 100644
--- a/weed/util/http/client/http_client.go
+++ b/weed/util/http/client/http_client.go
@@ -126,6 +126,13 @@ func NewHttpClient(clientName ClientName, opts ...HttpClientOpt) (*HTTPClient, e
 tlsConfig.Certificates = append(tlsConfig.Certificates, *clientCertPair)
 }
 }
+
+ if getBoolOptionFromSecurityConfiguration(clientName, "insecure_skip_verify") {
+ if tlsConfig == nil {
+ tlsConfig = &tls.Config{}
+ }
+ tlsConfig.InsecureSkipVerify = true
+ }
 }
 
 httpClient.Transport = &http.Transport{
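Review bot: The comment on the new `insecure_skip_verify` line understates what the option does: Go's `tls.Config.InsecureSkipVerify` skips both certificate-chain and host-name verification, so the `ca` value on the line above is no longer consulted at all while it is set, and the connection will accept any certificate an on-path party presents. Suggest `insecure_skip_verify = false # Skip server certificate chain AND hostname verification; "ca" is ignored while true and connections can be intercepted (NOT for production)`. The commit description also still lists a `-insecureSkipVerify` CLI flag for filer.sync, but the diffstat shows only this scaffold file and http_client.go, so that part of the description appears to be stale.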
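Review bot: The new block sets `tlsConfig.InsecureSkipVerify = true` without leaving any trace in the logs, so a cluster that picks up a stray `insecure_skip_verify = true` from security.toml silently accepts any server certificate for every connection made through this client, including the filer.sync proxy reads and writes the commit message calls out. A warning emitted right where the option is honoured, using whatever logger http_client.go already imports and naming `clientName`, makes the weakened trust visible to operators and in incident timelines. A comment above the block would also help the next reader, e.g. `// InsecureSkipVerify disables chain and host-name verification; the ca setting has no effect while this is set.`. Whether the block is reached only when the enclosing section is enabled cannot be told from the hunk, since NewHttpClient starts and ends outside it.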