feat(server): separate HTTPS from mTLS authentication#1351

Open
sjenning wants to merge 1 commit into
NVIDIA:mainfrom
sjenning:feat/separate-https-from-mtls

Conversation

@sjenning (Contributor)

Summary

  • Make --tls-client-ca optional when TLS is enabled, decoupling HTTPS encryption from mTLS client certificate authentication
  • Enable HTTPS + OIDC-only deployments where the gateway serves encrypted traffic without requiring client certificates
  • Add startup warning when neither mTLS nor OIDC is configured (no auth mechanism)

Related Issue

N/A

Changes

  • openshell-core/config.rs: Change TlsConfig.client_ca_path from PathBuf to Option<PathBuf>
  • openshell-server/tls.rs: Branch TlsAcceptor::from_files: Some(ca) builds mTLS verifier, None uses with_no_client_auth()
  • openshell-server/cli.rs: Remove runtime error requiring --tls-client-ca; add HTTPS-only log message and no-auth warning
  • openshell-server/lib.rs: Pass client_ca_path.as_deref() to from_files
  • openshell-server/compute/vm.rs: Wrap test client_ca_path values in Some()
  • Helm statefulset.yaml: Conditionally include client-ca env var, volume mount, and volume
  • Helm values.yaml: Document that clientCaSecretName is optional

Testing

  • mise run pre-commit passes
  • All 7 edge_tunnel_auth integration tests pass (including new https_only_no_client_cert_required)
  • All 4 multiplex_tls_integration tests pass
  • Manual: start gateway with --tls-cert and --tls-key only, verify HTTPS-only mode works with OIDC

Checklist

  • Conventional commit format
  • No secrets committed
  • Backward compatible (existing deployments with --tls-client-ca work identically)
  • Tests added for new behavior

Make --tls-client-ca optional so the gateway can run with HTTPS
encryption without requiring mTLS client certificates. This enables
OIDC-only authentication over encrypted connections.

Three TLS modes are now supported:
- mTLS (--tls-client-ca provided): client certs required (default)
- HTTPS-only (--tls-client-ca omitted): server TLS only, no client certs
- Plaintext (--disable-tls): no TLS at all

The Helm chart conditionally includes the client-ca volume and env var
based on whether clientCaSecretName is configured. A startup warning
is emitted when neither mTLS nor OIDC is configured.
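The mode selection and the "no auth mechanism" startup warning described in this PR, as an added example in plain Rust that is not openshell's own code: the `TlsArgs`/`TlsMode` names are assumptions, the rustls branch is only referenced in comments, and the "client CA ignored under --disable-tls" warning is this example's own addition.

```rust
use std::path::{Path, PathBuf};

/// The three TLS modes the PR describes (hypothetical type, not openshell-server's own).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TlsMode {
    /// --tls-client-ca provided: server TLS plus a client-certificate verifier (mTLS).
    Mtls { cert: PathBuf, key: PathBuf, client_ca: PathBuf },
    /// --tls-client-ca omitted: server TLS only; the `with_no_client_auth()` branch in rustls terms.
    HttpsOnly { cert: PathBuf, key: PathBuf },
    /// --disable-tls: no TLS at all.
    Plaintext,
}

/// Stand-in for the parsed CLI flags (field names assumed, not the project's struct).
pub struct TlsArgs<'a> {
    pub disable_tls: bool,
    pub cert: &'a Path,
    pub key: &'a Path,
    pub client_ca: Option<&'a Path>,
}

/// Pick the mode and collect the startup log lines a deployer should see.
/// `oidc_configured` stands in for the gateway's OIDC settings; the deployment
/// counts as authenticated only when mTLS or OIDC is in place.
pub fn resolve_tls_mode(args: &TlsArgs, oidc_configured: bool) -> (TlsMode, Vec<String>) {
    let mut log = Vec::new();
    let mode = if args.disable_tls {
        if args.client_ca.is_some() {
            // Assumption of this example: a client CA given alongside --disable-tls is ignored, loudly.
            log.push("WARN --tls-client-ca ignored because --disable-tls is set".to_string());
        }
        TlsMode::Plaintext
    } else if let Some(ca) = args.client_ca {
        // In the real server this is where the mTLS client verifier would be built from `ca`.
        TlsMode::Mtls { cert: args.cert.to_path_buf(), key: args.key.to_path_buf(), client_ca: ca.to_path_buf() }
    } else {
        log.push("INFO HTTPS-only mode: TLS enabled, client certificates not required".to_string());
        TlsMode::HttpsOnly { cert: args.cert.to_path_buf(), key: args.key.to_path_buf() }
    };
    // The warning the PR adds: nothing authenticates callers unless mTLS or OIDC is configured.
    if !matches!(&mode, TlsMode::Mtls { .. }) && !oidc_configured {
        log.push("WARN no authentication mechanism configured: neither mTLS nor OIDC".to_string());
    }
    (mode, log)
}

fn main() {
    let args = TlsArgs { disable_tls: false, cert: Path::new("/tls/tls.crt"), key: Path::new("/tls/tls.key"), client_ca: None };
    let (mode, log) = resolve_tls_mode(&args, false);
    println!("{mode:?}");
    for line in &log { println!("{line}"); }
}
```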
copy-pr-bot Bot commented May 13, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.