
fix: use CA certificate for TLS verification instead of InsecureSkipVerify #129

Merged
slauger merged 1 commit into main from fix/80-ca-tls-verification
Mar 16, 2026

slauger commented Mar 16, 2026

Summary

  • Replace InsecureSkipVerify with proper TLS verification using the CA's own certificate from the {name}-ca Secret
  • Applies to all three HTTP communication paths: CSR submission, signed certificate fetching, and CRL refresh
  • Each reconciler loads ca_crt.pem from the CA Secret and uses it as the trusted root CA in the HTTP client

Fixes #80

Test plan

  • go build ./... passes
  • go vet ./... passes
  • go test ./internal/controller/... passes
  • Deploy operator and verify CSR submission works with TLS verification
  • Verify CRL refresh works with TLS verification
  • Verify certificate signing flow completes successfully

…erify

Load the CA public certificate from the {name}-ca Secret and use it as
the trusted root for all operator-to-CA HTTP communication (CSR
submission, certificate fetching, CRL refresh). This replaces
InsecureSkipVerify which allowed any service impersonating the CA to
intercept traffic.

Fixes #80
slauger merged commit e30c346 into main on Mar 16, 2026
19 checks passed
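
The diff itself is not shown on this page, so the following is an added sketch of the pattern the summary describes, not the project's code: build the HTTP client's trust store from the bytes of `ca_crt.pem` and refuse to continue if they do not parse. The names `newCAClient`, `demoCA` and `get` are hypothetical, and the loopback `httptest` server is a constructed stand-in for the CA endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCAClient (hypothetical helper) trusts only the certificates in caPEM, the bytes
// of ca_crt.pem. It fails closed: unparseable PEM is an error, never a silent fallback.
func newCAClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("ca_crt.pem: no valid PEM certificate found")
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}},
	}, nil
}

// demoCA: constructed loopback TLS server standing in for the CA; returns its cert as PEM.
func demoCA() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

// get returns nil when the TLS handshake and HTTP exchange succeed, whatever the status.
func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	srv, caPEM := demoCA()
	defer srv.Close()
	client, err := newCAClient(caPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("client trusting ca_crt.pem:", get(client, srv.URL))
	fmt.Println("client without it:", get(http.DefaultClient, srv.URL))
}
```

Setting `RootCAs` leaves hostname verification on, so the CA server's certificate must carry a SAN matching the name the operator dials.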

Development

Successfully merging this pull request may close these issues.

security: InsecureSkipVerify used for operator→CA communication
