diff --git a/agent/config/runtime.go b/agent/config/runtime.go
index 696153ef60..0aaf79dab1 100644
--- a/agent/config/runtime.go
+++ b/agent/config/runtime.go
@@ -1223,7 +1223,7 @@ func (c *RuntimeConfig) apiAddresses(maxPerType int) (unixAddrs, httpAddrs, http
 func (c *RuntimeConfig) APIConfig(includeClientCerts bool) (*api.Config, error) {
 cfg := &api.Config{
 Datacenter: c.Datacenter,
- TLSConfig: api.TLSConfig{InsecureSkipVerify: true},
+ TLSConfig: api.TLSConfig{InsecureSkipVerify: !c.VerifyOutgoing},
 }
 unixAddrs, httpAddrs, httpsAddrs := c.apiAddresses(1)
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 1c117511dd..4df0bd5a09 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -4537,11 +4537,12 @@ func TestRuntime_APIConfigHTTPS(t *testing.T) {
 HTTPSAddrs: []net.Addr{
 &net.TCPAddr{IP: net.ParseIP("198.18.0.2"), Port: 5678},
 },
- Datacenter: "dc-test",
- CAFile: "/etc/consul/ca.crt",
- CAPath: "/etc/consul/ca.dir",
- CertFile: "/etc/consul/server.crt",
- KeyFile: "/etc/consul/ssl/server.key",
+ Datacenter: "dc-test",
+ CAFile: "/etc/consul/ca.crt",
+ CAPath: "/etc/consul/ca.dir",
+ CertFile: "/etc/consul/server.crt",
+ KeyFile: "/etc/consul/ssl/server.key",
+ VerifyOutgoing: false,
 }
 cfg, err := rt.APIConfig(false)
@@ -4553,7 +4554,9 @@ func TestRuntime_APIConfigHTTPS(t *testing.T) {
 require.Equal(t, "", cfg.TLSConfig.CertFile)
 require.Equal(t, "", cfg.TLSConfig.KeyFile)
 require.Equal(t, rt.Datacenter, cfg.Datacenter)
+ require.Equal(t, true, cfg.TLSConfig.InsecureSkipVerify)
+ rt.VerifyOutgoing = true
 cfg, err = rt.APIConfig(true)
 require.NoError(t, err)
 require.Equal(t, "198.18.0.2:5678", cfg.Address)
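Review bot: The new `InsecureSkipVerify: !c.VerifyOutgoing` in APIConfig still produces an HTTPS client that skips certificate verification whenever VerifyOutgoing is false, and nothing at the call site says so. A comment on that line would make the coupling explicit, for example `// Verification of the HTTPS API certificate follows VerifyOutgoing; when it is false the server certificate is not checked.` With verification enabled, the client depends on CA material and a server name that match the address picked by `c.apiAddresses(1)`, which is an IP literal in the accompanying test. That wiring sits in the part of APIConfig outside this hunk, so it should be confirmed there that the API certificate is expected to cover the returned address.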
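Review bot: The test flips `rt.VerifyOutgoing` and the `includeClientCerts` argument in the same step, so its two InsecureSkipVerify assertions cannot tell which input drives the value. An extra call with `rt.VerifyOutgoing = true`, then `cfg, err = rt.APIConfig(false)` and `require.False(t, cfg.TLSConfig.InsecureSkipVerify)`, would pin verification to VerifyOutgoing alone. As a style point, `require.True` and `require.False` read more directly than `require.Equal(t, true, …)` here and in the assertion added by the following hunk. TestRuntime_APIConfigHTTPS starts before this hunk and continues past it.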
@@ -4563,6 +4566,7 @@ func TestRuntime_APIConfigHTTPS(t *testing.T) {
 require.Equal(t, rt.CertFile, cfg.TLSConfig.CertFile)
 require.Equal(t, rt.KeyFile, cfg.TLSConfig.KeyFile)
 require.Equal(t, rt.Datacenter, cfg.Datacenter)
+ require.Equal(t, false, cfg.TLSConfig.InsecureSkipVerify)
 }
 func TestRuntime_APIConfigHTTP(t *testing.T) {