nebari
[BUG] - Authenticators should validate TLS certificate
Describe the bug
Currently the TLS validation is turned off. This is handy when deploying locally/without certificate (/with self-signed certificate). However, this reduces security in deployments which do use proper certificates.
Problematic places are the conda-store Authenticator:
https://github.com/nebari-dev/nebari/blob/366d1cd064d132477cd0e9c199fe655e40fa9d24/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/conda-store/config/conda_store_config.py#L84
JupyterHub Authenticator:
https://github.com/nebari-dev/nebari/blob/366d1cd064d132477cd0e9c199fe655e40fa9d24/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf#L164
Of note, the dask Authenticator does not disable TLS verification, which suggests that it should not work on local deployments (I had not tested it):
https://github.com/nebari-dev/nebari/blob/53194474dfbc8ac1ded81737edc777c17c6bbe97/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/dask-gateway/files/gateway_config.py#L63
Expected behavior
TLS validation is on/off conditionally on whether a certificate is set up.
All authenticators set the TLS verification based on a configuration variable which has a default based on certificate presence.
OS and architecture in which you are running Nebari
2024.3.2
How to Reproduce the problem?
Command output
No response
Versions and dependencies used.
No response
Compute environment
None
Integrations
No response
Anything else?
No response
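One way to implement the expected behaviour described in the issue, as an added example that is not Nebari's code. The config keys (`tls_verify`, `certificate.type`), the certificate type names and all helper names are assumptions made for illustration.

```python
import ssl

# Assumption: certificate types for which the chain cannot be validated
# against a trusted CA. The names are illustrative, not taken from the issue.
UNVERIFIABLE_CERT_TYPES = {"self-signed", "disabled"}


def resolve_tls_verify(deploy_cfg):
    """Decide whether authenticators should verify TLS certificates.

    An explicit 'tls_verify' value (hypothetical key) always wins. Without
    it, verification is on whenever a certificate is configured and its type
    is not known to be unverifiable, so unknown types fail closed.
    """
    override = deploy_cfg.get("tls_verify")
    if override is not None:
        if not isinstance(override, bool):
            raise ValueError("tls_verify must be true or false")
        return override
    cert_type = deploy_cfg.get("certificate", {}).get("type")
    return cert_type is not None and cert_type not in UNVERIFIABLE_CERT_TYPES


def authenticator_settings(deploy_cfg):
    """Apply one resolved value to every authenticator so they cannot drift."""
    verify = resolve_tls_verify(deploy_cfg)
    return {name: verify for name in ("conda-store", "jupyterhub", "dask-gateway")}


def client_context(verify):
    """Build the SSL context an OAuth HTTP client would use for that value."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample configurations
    for cfg in ({"certificate": {"type": "lets-encrypt"}},
                {"certificate": {"type": "self-signed"}},
                {"certificate": {"type": "self-signed"}, "tls_verify": True}):
        print(cfg, "->", authenticator_settings(cfg))
```
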