fix: disable TLS verification explicitly

If verify_tls is False we disable the cert verification in the ssl
context.

Signed-off-by: Sébastien Han <seb@redhat.com>

.github/workflows/integration-auth-tests.yml

@@ -81,7 +81,6 @@ jobs:
           yq eval '.server.auth.provider_config.issuer = "${{ env.KUBERNETES_ISSUER }}"' -i $run_dir/run.yaml
           yq eval '.server.auth.provider_config.audience = "${{ env.KUBERNETES_AUDIENCE }}"' -i $run_dir/run.yaml
           yq eval '.server.auth.provider_config.jwks.uri = "${{ env.KUBERNETES_API_SERVER_URL }}"' -i $run_dir/run.yaml
-          yq eval '.server.auth.provider_config.jwks.token = "${{ env.TOKEN }}"' -i $run_dir/run.yaml
           cat $run_dir/run.yaml
 
           # avoid line breaks in the server log, especially because we grep it below.

llama_stack/core/server/auth_providers.py

@@ -112,8 +112,17 @@ class OAuth2TokenAuthProvider(AuthProvider):
         try:
             if self._jwks_client is None:
                 ssl_context = None
-                if self.config.tls_cafile:
-                    ssl_context = ssl.create_default_context(cafile=self.config.tls_cafile.as_posix())
+                if not self.config.verify_tls:
+                    # Disable SSL verification if verify_tls is False
+                    ssl_context = ssl.create_default_context()
+                    ssl_context.check_hostname = False
+                    ssl_context.verify_mode = ssl.CERT_NONE
+                elif self.config.tls_cafile:
+                    # Use custom CA file if provided
+                    ssl_context = ssl.create_default_context(
+                        cafile=self.config.tls_cafile.as_posix(),
+                    )
+                # If verify_tls is True and no tls_cafile, ssl_context remains None (use system defaults)
 
                 self._jwks_client = jwt.PyJWKClient(
                     self.config.jwks.uri,