fix: disable TLS verification explicitly

If verify_tls is False, we disable certificate verification in the SSL
context.

Signed-off-by: Sébastien Han <seb@redhat.com>
Sébastien Han 2025-10-10 14:46:06 +02:00
parent f379c787ad
commit a1c98ca87b
2 changed files with 11 additions and 3 deletions


@ -81,7 +81,6 @@ jobs:
yq eval '.server.auth.provider_config.issuer = "${{ env.KUBERNETES_ISSUER }}"' -i $run_dir/run.yaml yq eval '.server.auth.provider_config.issuer = "${{ env.KUBERNETES_ISSUER }}"' -i $run_dir/run.yaml
yq eval '.server.auth.provider_config.audience = "${{ env.KUBERNETES_AUDIENCE }}"' -i $run_dir/run.yaml yq eval '.server.auth.provider_config.audience = "${{ env.KUBERNETES_AUDIENCE }}"' -i $run_dir/run.yaml
yq eval '.server.auth.provider_config.jwks.uri = "${{ env.KUBERNETES_API_SERVER_URL }}"' -i $run_dir/run.yaml yq eval '.server.auth.provider_config.jwks.uri = "${{ env.KUBERNETES_API_SERVER_URL }}"' -i $run_dir/run.yaml
yq eval '.server.auth.provider_config.jwks.token = "${{ env.TOKEN }}"' -i $run_dir/run.yaml
cat $run_dir/run.yaml cat $run_dir/run.yaml
# avoid line breaks in the server log, especially because we grep it below. # avoid line breaks in the server log, especially because we grep it below.
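Review bot: Dropping the `yq eval '.server.auth.provider_config.jwks.token = ...'` line means the server under test no longer sends a bearer token when it fetches JWKS from `KUBERNETES_API_SERVER_URL`, and nothing in the hunk says why that is now safe to omit. If the API server's JWKS endpoint is reachable anonymously in this CI cluster, a one-line comment above the `jwks.uri` line stating that (`# JWKS is served unauthenticated here; no jwks.token needed`) would keep the next reader from re-adding it. If it is not, the job will only surface the problem as a failed token validation later in the log, so worth confirming against a run. The step's `run:` block starts before this hunk.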


@ -112,8 +112,17 @@ class OAuth2TokenAuthProvider(AuthProvider):
try: try:
if self._jwks_client is None: if self._jwks_client is None:
ssl_context = None ssl_context = None
if self.config.tls_cafile: if not self.config.verify_tls:
ssl_context = ssl.create_default_context(cafile=self.config.tls_cafile.as_posix()) # Disable SSL verification if verify_tls is False
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
elif self.config.tls_cafile:
# Use custom CA file if provided
ssl_context = ssl.create_default_context(
cafile=self.config.tls_cafile.as_posix(),
)
# If verify_tls is True and no tls_cafile, ssl_context remains None (use system defaults)
self._jwks_client = jwt.PyJWKClient( self._jwks_client = jwt.PyJWKClient(
self.config.jwks.uri, self.config.jwks.uri,
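Review bot: Taking the `if not self.config.verify_tls:` branch is silent: nothing records that the JWKS client for `self.config.jwks.uri` will now accept any certificate, so an operator who sets `verify_tls: false` in a production config gets no signal at startup. Log a warning inside that branch, e.g. `logger.warning("TLS verification disabled for JWKS endpoint %s", self.config.jwks.uri)`, using whatever logger this module already has. The branch also takes precedence over `tls_cafile`, so a config with both set silently ignores the CA file; the `elif` comment could say so (`# tls_cafile is ignored when verify_tls is False`), or the config model could reject that combination. Worth confirming that the config model defaults `verify_tls` to True, since the new check otherwise turns a missing field into no verification. The enclosing method starts before this hunk and the `jwt.PyJWKClient(` call continues past it.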