[BUG] - Authenticators should validate TLS certificate

[krassowski]

Describe the bug

Currently the TLS validation is turned off. This is handy when deploying locally/without certificate (/with self-signed certificate). However, this reduces security in deployments which do use proper certificates.

Problematic places are the conda-store Authenticator:

nebari/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/conda-store/config/conda_store_config.py

Line 84 in 366d1cd

c.GenericOAuthAuthentication.tls_verify = False

JupyterHub Authenticator:

nebari/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf

Line 164 in 366d1cd

tls_verify = false

Of note, ithe dask Authenticator does not disable TLS verification, which suggests that it should not work on local deployments (I had not tested it)

nebari/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/dask-gateway/files/gateway_config.py

Line 63 in 5319447

class NebariAuthentication(JupyterHubAuthenticator):

Expected behavior

TLS validation is on/off conditionally on whether a certificate is set up.

All authenticators set the TLS verification based on a configuration variable which has a default based on certificate presence.

OS and architecture in which you are running Nebari

2024.3.2

How to Reproduce the problem?

Command output

No response

Versions and dependencies used.

No response

Compute environment

None

Integrations

No response

Anything else?

No response

[krassowski]

There is appropriate logic in Keycloak setup itself:

nebari/src/_nebari/keycloak.py

Line 94 in 2f85ece

should_verify_tls = config.certificate.type != CertificateEnum.selfsigned