Adds support for --tls_enable_host_verification as global option for TCTL (#873)

mastermanu · web-flow · commit cf3a5f78d2bf · 2020-10-16T19:40:57.000-07:00
By default, tctl does not perform host verification on the temporal cluster it is talking to (if using TLS). The underlying code checks a flag, but the flag is not exposed as a Global option. This PR exposes the flag as a global option.

Validated this fix by running against a private environment with a mismatched server-name for the TLS cert. With the flag enabled, tctl gives the appropriate error message when communicating with the private environment
diff --git a/tools/cli/app.go b/tools/cli/app.go
@@ -83,6 +83,11 @@ func NewCliApp() *cli.App {
 			Usage:  "path to server CA certificate",
 			EnvVar: "TEMPORAL_CLI_TLS_CA",
 		},
+		cli.BoolFlag{
+			Name:   FlagTLSEnableHostVerification,
+			Usage:  "validates hostname of temporal cluster against server certificate",
+			EnvVar: "TEMPORAL_CLI_TLS_ENABLE_HOST_VERIFICATION",
+		},
 	}
 	app.Commands = []cli.Command{
 		{

Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,11 @@ func NewCliApp() *cli.App {`
`83`	`83`	`Usage: "path to server CA certificate",`
`84`	`84`	`EnvVar: "TEMPORAL_CLI_TLS_CA",`
`85`	`85`	`},`
	`86`	`+ cli.BoolFlag{`
	`87`	`+ Name: FlagTLSEnableHostVerification,`
	`88`	`+ Usage: "validates hostname of temporal cluster against server certificate",`
	`89`	`+ EnvVar: "TEMPORAL_CLI_TLS_ENABLE_HOST_VERIFICATION",`
	`90`	`+ },`
`86`	`91`	`}`
`87`	`92`	`app.Commands = []cli.Command{`
`88`	`93`	`{`