in client/internal/bootstrap/grpc.go [54:70]
// getTLSConfig builds a client-side TLS configuration whose trust store holds
// only the certificates parsed from caPEM.
//
// An error is returned when caPEM yields no usable certificate; this check runs
// regardless of insecureSkipVerify. When nextProto is non-empty it is offered
// through ALPN ahead of "h2"; otherwise NextProtos is left nil.
//
// Security notes:
//   - insecureSkipVerify is copied unchanged into tls.Config.InsecureSkipVerify.
//     When it is true, crypto/tls does not verify the server's certificate
//     chain or host name, so RootCAs no longer authenticates the peer. Callers
//     should enable it only for testing or where the peer is verified by
//     another mechanism.
//   - MinVersion is left unset, so the crypto/tls default for the Go toolchain
//     in use is the floor for the negotiated protocol version.
func getTLSConfig(caPEM []byte, nextProto string, insecureSkipVerify bool) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		// No certificate could be parsed, so there is nothing to trust.
		return nil, fmt.Errorf("unable to construct new cert pool using cluster CA data")
	}

	// ALPN list: the caller's protocol takes precedence, with HTTP/2 as fallback.
	var protos []string
	if nextProto != "" {
		protos = []string{nextProto, "h2"}
	}

	//nolint: gosec // let server dictate min TLS version
	return &tls.Config{
		RootCAs:            pool,
		InsecureSkipVerify: insecureSkipVerify,
		NextProtos:         protos,
	}, nil
}