WIP: Support skipping certs verifications

Open moadqassem opened this issue 1 month ago • 3 comments

[Title: describe the change in one sentence]

Using an OIDC provider with insecure certificates (self-signed certs) for development purposes. [ describe the change in 1 - 3 paragraphs ]

How to use

Set the oidc-skip-tls-verify flag to true or set the field skipTlsVerify in the helm chart [ describe what reviewers need to do in order to validate this PR ]

Testing done

Just deployed the chart and I got the error:

error setting up oidc provider: failed to create OIDC provider: server signed with unknow certificate authority 

After deploying my change the error is gone. [Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]

  • [ ] Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • [ ] Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

moadqassem avatar Oct 31 '25 15:10 moadqassem

Thanks @moadqassem for your PR! Early next week I will try to find time to review your changes.

ervcz avatar Oct 31 '25 15:10 ervcz

Hi @moadqassem,

Thank you for the PR and for identifying this real issue with self-signed certificates! However, after thinking for a while about whether this option would be necessary, I don't think we should merge --oidc-skip-tls-verify because I think it is fundamentally contradictory: if you're using HTTPS but disabling all certificate verification, you're not actually testing HTTPS properly - you're only getting encryption without authentication.

Better alternatives:

  1. For dev/testing without encryption: Use http:// in your --oidc-issuer-url - this is honest about what's happening and works fine
  2. For dev/testing WITH secure HTTPS: Add your CA certificate to the system trust store:

     # something like (update-ca-certificates picks up *.crt files from this directory):
     COPY my-ca.crt /usr/local/share/ca-certificates/
     RUN update-ca-certificates

     This maintains real TLS security (hostname verification, expiry checking, chain validation) while trusting your self-signed cert.

  3. For advanced use cases: We could implement --oidc-ca-file to specify custom CA certificates that get added to (not replacing) the system trust store. This option is not currently implemented in Nebraska.

Could you share your specific deployment scenario? Understanding why option 2 doesn't work for you would help us decide if option 3 is worth implementing. E.g., I can imagine situations where you want one application (Nebraska) to trust certain certificates while the others do not.

Thanks!

ervcz avatar Nov 05 '25 08:11 ervcz

Hey @ervcz,

Thanks a lot for taking a look at this. I completely agree with you regarding the points that you brought up; having skip tls and using https is kinda contradictory. tbh, I already wanted to do the 3rd option, where you can integrate Nebraska with cert-manager and you will generate, mount and run those custom CAs automatically when the ingress is created, but I slacked a bit as disabling tls verify in the OIDC provider did the trick :D.

Anyway, I will mark this PR as a WIP and add a BYOC (bring your own certs) option and update the PR accordingly.

Cheers

moadqassem avatar Nov 05 '25 11:11 moadqassem
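
The custom-CA approach discussed in this thread (option 3, the proposed --oidc-ca-file, and the BYOC follow-up), as an added example that is not Nebraska's code or part of this PR: a Go HTTP client that appends a CA to the system trust store instead of disabling verification. The function names and the throwaway local HTTPS issuer are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithExtraCA (illustrative name) adds caPEM to the system roots; all checks stay on.
func clientWithExtraCA(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no usable certificate in CA PEM data")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

func fetchDiscovery(c *http.Client, issuer string) error {
	resp, err := c.Get(issuer + "/.well-known/openid-configuration") // first OIDC request
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo starts a constructed local HTTPS issuer with a self-signed certificate.
func demo() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	withoutCA = fetchDiscovery(&http.Client{}, srv.URL) // system roots only
	c, err := clientWithExtraCA(caPEM)
	if err != nil {
		return withoutCA, err
	}
	return withoutCA, fetchDiscovery(c, srv.URL)
}

func main() {
	withoutCA, withCA := demo()
	fmt.Println(withoutCA, withCA)
}
```

The first request fails certificate verification and the second succeeds, without InsecureSkipVerify ever being set.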