@0x5457 commented Aug 17, 2025

fix: #2601

After testing, I found that the fetch behavior is as follows:

  • Fetch only uses the NODE_TLS_REJECT_UNAUTHORIZED environment variable when the rejectUnauthorized property is completely absent from agent options
  • If rejectUnauthorized is explicitly set to any value (including undefined), the environment variable is ignored

Also, should I create test certificates in the test-data directory to avoid introducing the selfsigned library?

@brendandburns

/lgtm
/approve

Thanks for updating the test.

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 0x5457, brendandburns

@brendandburns

Tests are failing with some error related to generating the certificate.

@@ -83,6 +83,7 @@
"nock": "^14.0.5",
"prettier": "^3.0.0",
"pretty-quick": "^4.0.0",
"selfsigned": "^3.0.1",
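
Review bot: the new "selfsigned" entry on the last line pulls a certificate-generation package into the install tree, next to nock and prettier, for test use only. A certificate and key checked in under the test-data directory would avoid the extra dependency; if a fixture is used, give it a long validity period so the test does not start failing when the certificate expires.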

So, selfsigned looks to be about 1.7MB, and it is only used in one test. It might be simpler to use a fixture certificate.

@@ -202,7 +202,9 @@ export class KubeConfig implements SecurityAuthentication {
agentOptions.key = opts.key;
agentOptions.pfx = opts.pfx;
agentOptions.passphrase = opts.passphrase;
agentOptions.rejectUnauthorized = opts.rejectUnauthorized;
if (opts.rejectUnauthorized !== undefined) {
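
Review bot: the guard on the last line, if (opts.rejectUnauthorized !== undefined), works only because an absent rejectUnauthorized key and a key set to undefined are treated differently downstream, and nothing in the code says so. A short comment stating that the key is deliberately left unset so that NODE_TLS_REJECT_UNAUTHORIZED can apply would protect it from a later cleanup, and a test that an explicit rejectUnauthorized of true still verifies certificates when the variable is '0' would pin the precedence.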

The changes in this file are very likely to be refactored in the future by someone missing the context of this PR.

Can you either add comments to the two code blocks in this file, or rewrite as something along the lines of agentOptions.rejectUnauthorized = opts.rejectUnauthorized ?? process.env.NODE_TLS_REJECT_UNAUTHORIZED !== '0';. If you go with the second option, it probably makes sense to put the logic in a function, similar to what Node core does.
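
The three option-building shapes discussed in this thread, compared side by side as an added example (not code from the PR or from Node). `effectiveRejectUnauthorized` is a simplified model of the behavior reported in the PR description, the guarded body is assumed from the visible `if` line, and all function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not from the PR.

// Simplified model of the behavior reported in the PR description: the
// NODE_TLS_REJECT_UNAUTHORIZED default applies only when the key is absent.
function effectiveRejectUnauthorized(agentOptions, env) {
  const envDefault = env.NODE_TLS_REJECT_UNAUTHORIZED !== '0';
  const merged = { rejectUnauthorized: envDefault, ...agentOptions };
  // A present-but-undefined key overwrites the default, and anything other
  // than an explicit false means "verify the certificate".
  return merged.rejectUnauthorized !== false;
}

// Shape before the change: the key is always present, even when undefined.
function buildBefore(opts) {
  return { rejectUnauthorized: opts.rejectUnauthorized };
}

// Guarded shape (assumed body of the `if` in the diff): key left absent.
function buildGuarded(opts) {
  const agentOptions = {};
  if (opts.rejectUnauthorized !== undefined) {
    agentOptions.rejectUnauthorized = opts.rejectUnauthorized;
  }
  return agentOptions;
}

// Reviewer's alternative: resolve the value explicitly in one helper.
function buildResolved(opts, env) {
  return {
    rejectUnauthorized:
      opts.rejectUnauthorized ?? env.NODE_TLS_REJECT_UNAUTHORIZED !== '0',
  };
}

// Returns whether certificates are verified under each shape.
function compare(opts, env) {
  return {
    before: effectiveRejectUnauthorized(buildBefore(opts), env),
    guarded: effectiveRejectUnauthorized(buildGuarded(opts), env),
    resolved: effectiveRejectUnauthorized(buildResolved(opts, env), env),
  };
}

const insecureEnv = { NODE_TLS_REJECT_UNAUTHORIZED: '0' }; // constructed input
console.log(compare({}, insecureEnv));
console.log(compare({ rejectUnauthorized: true }, insecureEnv));
console.log(compare({ rejectUnauthorized: false }, {}));
```

Only the first call differs between shapes: with no explicit value and the variable set to '0', the pre-change shape still verifies while the guarded and resolved shapes do not.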

strictEqual(res2.status, 200);
strictEqual(await res2.text(), 'ok');

delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
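
Review bot: the delete of process.env.NODE_TLS_REJECT_UNAUTHORIZED on the last line runs only if both strictEqual calls above it pass. If it is cleanup, it belongs in a hook or a finally block so a failed assertion cannot leave the variable set for later tests; if it is a step of the test, a comment saying so would help.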

Is this line necessary since the after() hook is assigning a value to process.env.NODE_TLS_REJECT_UNAUTHORIZED?

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
after(() => {
server.close();
process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalValue;
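
Review bot: in the after() hook, process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalValue stores the string 'undefined' when the variable was not set before the test, because assignments to process.env are converted to strings. Restore it with a check instead: delete the variable when originalValue is undefined, otherwise assign the saved value back.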

I would reverse the order of these two lines in case server.close() throws for some reason.

Successfully merging this pull request may close these issues.

NODE_TLS_REJECT_UNAUTHORIZED environment variable not respected in applyToFetchOptions