gRPC probes client - insecure AND ignore certificates


Sergey Kanzhelev

Apr 26, 2024, 4:09:06 PM
to grpc.io
Hi,

Is there a way to create a grpc client in go so it will do both at the same time:
- ignore TLS cert errors
- allow insecure channel

The question is coming from this k8s PR: https://github.com/kubernetes/kubernetes/pull/124522

I am trying to allow grpc prober to do insecure as well as ignoring server certificates errors like http prober does. But I cannot figure out if I can do both at the same time.

- `WithInsecure` allows non-TLS
- `WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}))` ignores errors

Implementing it as two calls with the fallback from one to another will require some advanced timeout management. Adding a configuration option for this seems like overkill.

Any advice is appreciated! And sorry if it is obvious - I didn't spend too much time researching, but enough to get stuck :-).

/Sergey

Easwar Swaminathan

May 1, 2024, 5:22:17 PM
to grpc.io
The `credentials` package allows users to supply their own custom credentials to be used with gRPC clients and servers. This package defines a `TransportCredentials` interface (see https://pkg.go.dev/google.golang.org/gr...@v1.63.2/credentials#TransportCredentials) that you could possibly implement to suit your needs.

Ignoring TLS certificate errors with `InsecureSkipVerify` is something that needs to be done cautiously. We do have a custom credentials implementation here (https://github.com/grpc/grpc-go/blob/master/credentials/xds/xds.go), that receives credentials configuration from an external control plane. You can browse through this code to get an idea of how you could possibly implement your own custom credentials.
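
The two-attempt fallback raised in the question, with its timeout handling made explicit, as an added example that is not code from this thread, grpc-go or the Kubernetes PR. It uses only the Go standard library and checks the transport, not the gRPC health service. `ProbeTransport`, the half-and-half budget split and the address in `main` are assumptions.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// HTTP/2 client preface plus an empty SETTINGS frame (RFC 9113, section 3.4).
const h2Preface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" + "\x00\x00\x00\x04\x00\x00\x00\x00\x00"

// ProbeTransport (hypothetical name) reports "tls" or "plaintext" for addr within budget.
func ProbeTransport(ctx context.Context, addr string, budget time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()
	// TLS gets half the budget so a silent server cannot starve the fallback.
	tlsCtx, tlsCancel := context.WithTimeout(ctx, budget/2)
	defer tlsCancel()
	d := tls.Dialer{Config: &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"h2"}}}
	if conn, err := d.DialContext(tlsCtx, "tcp", addr); err == nil {
		conn.Close() // handshake completed; the certificate was not verified
		return "tls", nil
	}
	// Fresh TCP connection: the failed handshake already wrote a ClientHello on the first.
	plain, err := (&net.Dialer{}).DialContext(ctx, "tcp", addr)
	if err != nil {
		return "", err
	}
	defer plain.Close()
	deadline, _ := ctx.Deadline()
	plain.SetDeadline(deadline)
	// An h2c server answers the preface with its own SETTINGS frame (type 0x4).
	hdr := make([]byte, 9)
	if _, err = io.WriteString(plain, h2Preface); err == nil {
		_, err = io.ReadFull(plain, hdr)
	}
	if err != nil || hdr[3] != 0x04 {
		return "", errors.Join(err, errors.New("no HTTP/2 SETTINGS frame from server"))
	}
	return "plaintext", nil
}

func main() {
	fmt.Println(ProbeTransport(context.Background(), "127.0.0.1:50051", 2*time.Second)) // placeholder address
}
```

A plaintext gRPC server normally rejects the ClientHello quickly, so the first attempt rarely uses its full half of the budget; the split only matters for a peer that accepts the connection and stays silent.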