fix: enable TLS verification for Rancher API auth calls#253

Draft
andypitcher wants to merge 1 commit into
rancher:mainfrom
andypitcher:fix/auth-tls-verification

Conversation

@andypitcher

Collaborator

Improve auth.py

  • Replace hardcoded verify=False with _build_ssl_context() that uses system CAs supplemented by the in-cluster SA ca.crt. Respects INSECURE_SKIP_TLS and SSL_CERT_FILE env vars.

  • Add unit tests and test infrastructure

    • Dockerfile.test
    • Makefile target

@andypitcher force-pushed the fix/auth-tls-verification branch from 245509e to c86c99d on June 18, 2026 11:16
  Replace hardcoded verify=False with _build_ssl_context() that uses
  system CAs supplemented by the in-cluster SA ca.crt.

  Security hardening:
  - Fail-closed: TLS verification ON by default
  - Strict INSECURE_SKIP_TLS parsing (true/false only, ValueError on invalid)
  - SSL_CERT_FILE raises FileNotFoundError if set but missing
  - Warning logged when TLS verification is disabled
  - RANCHER_URL scheme normalization preserved for schemeless inputs

  Test and build infrastructure:
  - Add unit tests for auth module (tests/unit/services/test_auth.py)
  - Add Dockerfile.test and Makefile test target

Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>
@andypitcher force-pushed the fix/auth-tls-verification branch from c86c99d to 56b5023 on June 18, 2026 11:29
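The PR description and commit message above describe the hardening rules (fail-closed verification, strict INSECURE_SKIP_TLS parsing, SSL_CERT_FILE that must exist, a logged warning when verification is off, scheme normalization for RANCHER_URL) without showing the code. The following is an added example written for this page; it is not the PR's auth.py and does not reproduce the project's actual function signatures. It assumes the function is named `_build_ssl_context` as the description says, that the in-cluster ServiceAccount CA lives at the standard Kubernetes mount path, and that the caller wants an `ssl.SSLContext` (or `False` when verification is disabled); a client that only accepts a bool or CA-bundle path for `verify`, such as requests, would need a different return value. Environment is passed in as a mapping so the behaviour can be exercised offline.

```python
"""Added example (not the PR's auth.py): fail-closed TLS context for Rancher API calls."""
import logging
import os
import ssl
from typing import Mapping, Union

log = logging.getLogger("rancher_auth_example")

# Assumed: the standard in-cluster ServiceAccount CA mount path.
SA_CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"


def parse_insecure_skip_tls(env: Mapping[str, str]) -> bool:
    """Strict parse of INSECURE_SKIP_TLS.

    Unset or "false" -> verification stays ON; "true" -> OFF.
    Anything else raises, so a typo like "yse" can never silently disable TLS checks.
    """
    raw = env.get("INSECURE_SKIP_TLS")
    if raw is None:
        return False
    value = raw.strip().lower()
    if value == "true":
        return True
    if value == "false":
        return False
    raise ValueError(f"INSECURE_SKIP_TLS must be 'true' or 'false', got {raw!r}")


def normalize_rancher_url(url: str) -> str:
    """Prepend https:// to schemeless inputs; keep an explicit scheme as given."""
    url = url.strip().rstrip("/")
    if not url:
        raise ValueError("RANCHER_URL is empty")
    if "://" not in url:
        url = "https://" + url
    return url


def _build_ssl_context(env: Mapping[str, str],
                       sa_ca_path: str = SA_CA_PATH) -> Union[ssl.SSLContext, bool]:
    """Return an SSLContext that trusts system CAs plus the SA CA, or False if disabled."""
    if parse_insecure_skip_tls(env):
        log.warning("TLS verification DISABLED for Rancher API calls (INSECURE_SKIP_TLS=true)")
        return False

    # System trust store, CERT_REQUIRED and hostname checking enabled by default.
    ctx = ssl.create_default_context()

    # OpenSSL's default-path loading ignores a missing SSL_CERT_FILE, so check
    # explicitly: a misconfigured bundle should fail loudly, not fall through
    # to system CAs and make the misconfiguration invisible.
    cert_file = env.get("SSL_CERT_FILE")
    if cert_file:
        if not os.path.isfile(cert_file):
            raise FileNotFoundError(f"SSL_CERT_FILE={cert_file!r} is set but does not exist")
        ctx.load_verify_locations(cafile=cert_file)

    # Supplement, not replace: the cluster CA is added only when running in-cluster.
    if os.path.isfile(sa_ca_path):
        ctx.load_verify_locations(cafile=sa_ca_path)
    return ctx


def verification_enabled(ctx: Union[ssl.SSLContext, bool]) -> bool:
    """True only for a context that both requires certs and checks hostnames."""
    return isinstance(ctx, ssl.SSLContext) and ctx.check_hostname \
        and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed environment for demonstration, not real deployment values.
    demo_env = {"RANCHER_URL": "rancher.example.internal"}
    print(normalize_rancher_url(demo_env["RANCHER_URL"]))
    print("verification on:", verification_enabled(_build_ssl_context(demo_env)))
```

Note the default path: with no environment variables set at all, the result is a verifying context, so the only way to get the old `verify=False` behaviour is an explicit, logged opt-in.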