Add --ca-file flag for custom TLS trust #1370
Merged
Force-pushed f5842c5 to 44eab10
Author (Collaborator): Makes #1239 deprecated.
Force-pushed 44eab10 to 0f5ffb4
--oidc-ca-file flag for custom OIDC provider TLS trust
Force-pushed d9389e8 to e234d2f
- Add `--oidc-ca-file` flag to trust custom CA certificates for OIDC provider TLS
- Implement TLS client configuration with additive certificate pool
- Expose `config.auth.oidc.caFile` in Helm chart values and deployment

Signed-off-by: Ervin Rácz <ervin.racz@protonmail.com>
Force-pushed e234d2f to d94dcc9
Author (Collaborator): To be documented on the website by: flatcar/flatcar-website#562
John15321 reviewed Apr 21, 2026
Commit title changed from "--oidc-ca-file flag for custom OIDC provider TLS trust" to "--ca-file flag for custom TLS trust"
…pport
- Rename flag and config from `--oidc-ca-file` to `--ca-file` for broader TLS use
- Extend custom CA certificate support to the syncer component
- Build CA pool once at startup and share via config struct
- Fix syncer's downloadPackage to use the struct's HTTP client

Signed-off-by: Ervin Rácz <ervin.racz@protonmail.com>
Force-pushed d94dcc9 to 6bc56fe
Nebraska only trusts system CAs. If your OIDC provider or update server uses a certificate from an internal or non-public CA, Nebraska refuses to connect. The only workaround today is modifying the container's system trust store, which is inconvenient.
This PR adds a `--ca-file` flag that points to a PEM file with one or more CA certificates. These CAs are added to the system trust store — nothing is replaced. The custom trust applies to both the OIDC client and the syncer. When the flag is omitted, behaviour is identical to before. If the file is missing, unreadable, or contains no valid PEM data, Nebraska fails at startup with a clear error message.
The flag is also exposed in the Helm chart as `config.caFile`, and documented in the OIDC migration guide.
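The loading behaviour the description outlines (system roots kept, file CAs appended, hard failure on a missing, unreadable or non-PEM file, and one pool shared by every HTTP client), as an added example in Go that is not Nebraska's own code. `LoadCAPool`, `NewHTTPClient`, `TrustsCert` and `WriteSelfSignedCA` are names assumed for this illustration; the CA it writes is generated on the fly for the demo, and the flag and Helm plumbing are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// LoadCAPool builds the trust store once at startup: the system roots plus
// every PEM certificate found in caFile. An empty caFile means the flag was
// omitted and only system roots are used. A missing, unreadable or non-PEM
// file is returned as an error so the caller can refuse to start.
func LoadCAPool(caFile string) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("loading system CA pool: %w", err)
	}
	if caFile == "" {
		return pool, nil
	}
	pemData, err := os.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("reading CA file %q: %w", caFile, err)
	}
	// AppendCertsFromPEM reports false only when not a single certificate
	// could be parsed, which covers an empty file and non-PEM garbage.
	if !pool.AppendCertsFromPEM(pemData) {
		return nil, fmt.Errorf("CA file %q contains no valid PEM certificates", caFile)
	}
	return pool, nil
}

// NewHTTPClient returns a client whose TLS verification uses pool as its
// root set. The default transport is cloned so proxy settings are kept.
func NewHTTPClient(pool *x509.CertPool) *http.Client {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}
}

// TrustsCert reports whether pool accepts cert as a trust anchor, i.e.
// whether a server certificate issued by it would pass verification.
func TrustsCert(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// WriteSelfSignedCA creates a throwaway CA (constructed for this example,
// not a real Nebraska or Flatcar certificate), writes it as PEM to path
// and returns the parsed certificate.
func WriteSelfSignedCA(path string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBlock := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(path, pemBlock, 0o600); err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	dir, err := os.MkdirTemp("", "nebraska-ca")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	caPath := filepath.Join(dir, "internal-ca.pem")
	ca, err := WriteSelfSignedCA(caPath)
	if err != nil {
		panic(err)
	}
	pool, err := LoadCAPool(caPath) // in Nebraska, a failure here aborts startup
	if err != nil {
		panic(err)
	}
	fmt.Println("custom CA trusted:", TrustsCert(pool, ca), "client:", NewHTTPClient(pool) != nil)
	_, err = LoadCAPool(filepath.Join(dir, "missing.pem"))
	fmt.Println("startup would fail with:", err)
}
```

Build the pool once and hand the resulting `*http.Client` (or the pool) to both the OIDC client and the syncer, as the later commit describes; constructing a new transport per request would re-read the file and lose connection reuse.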