feat(dev): control internal TLS skip via env and Helm flag (#329)

## 📝 Description
This change enables internal services to skip TLS verification in local
clusters where a self-signed certificate is used. It ensures reliable
bootstrapping and authentication flow during development without
requiring custom trust chains.

## ✅ Checklist
- [x] I have tested this change
- [ ] This change requires documentation update

Author: radwo

bootstrapper/cmd/init_org.go

@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"crypto/tls"
 	"net/http"
 	"os"
 	"time"
@@ -87,8 +88,20 @@ var initOrgCmd = &cobra.Command{
 func waitForIngress(domain string) {
 	url := "https://id." + domain + "/realms/semaphore/.well-known/openid-configuration"
 
+	insecure := os.Getenv("TLS_SKIP_VERIFY_INTERNAL") == "true"
+
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
+	if insecure {
+		tlsConfig.InsecureSkipVerify = true // #nosec G402
+	}
+
 	client := &http.Client{
 		Timeout: 10 * time.Second,
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
 	}
 
 	req, _ := http.NewRequest("GET", url, nil)

bootstrapper/helm/templates/init-org-job.yml

@@ -59,6 +59,10 @@ spec:
                 name: {{ .Values.global.gitlabApp.secretName }}
 {{- end }}
           env:
+{{- if .Values.global.development.skipTlsVerifyInternal }}
+            - name: TLS_SKIP_VERIFY_INTERNAL
+              value: "true"
+{{- end }}
 {{- if .Values.global.organization.defaultAgentType.enabled }}
             - name: DEFAULT_AGENT_TYPE_ENABLED
               value: "true"

guard/config/runtime.exs

@@ -183,3 +183,7 @@ if System.get_env("AMQP_URL") != nil do
       instance_config: [connection: :amqp]
     ]
 end
+
+if System.get_env("TLS_SKIP_VERIFY_INTERNAL") == "true" do
+  config :openid_connect, finch_transport_opts: [verify: :verify_none]
+end

guard/helm/templates/dpl-api.yaml

@@ -97,6 +97,10 @@ spec:
               value: "$(KC_ROOT_URL)/realms/$(KC_REALM)/.well-known/openid-configuration"
             - name: OIDC_MANAGE_URL
               value: "$(KC_LOCAL_URL)/admin/realms/$(KC_REALM)"
+{{- if .Values.global.development.skipTlsVerifyInternal }}
+            - name: TLS_SKIP_VERIFY_INTERNAL
+              value: "true"
+{{- end }}
             - name: BASE_DOMAIN
               valueFrom:
                 configMapKeyRef:

guard/helm/templates/dpl-authentication-api.yaml

@@ -106,6 +106,10 @@ spec:
               value: "$(KC_ROOT_URL)/realms/$(KC_REALM)/.well-known/openid-configuration"
             - name: OIDC_MANAGE_URL
               value: "$(KC_LOCAL_URL)/admin/realms/$(KC_REALM)"
+{{- if .Values.global.development.skipTlsVerifyInternal }}
+            - name: TLS_SKIP_VERIFY_INTERNAL
+              value: "true"
+{{- end }}
             - name: LOG_LEVEL
               value: {{ .Values.authenticationApi.logging.level | quote }}
             - name: ENCRYPTOR_URL

guard/helm/templates/dpl-id-api.yaml

@@ -97,6 +97,10 @@ spec:
               value: "$(KC_ROOT_URL)/realms/$(KC_REALM)/.well-known/openid-configuration"
             - name: OIDC_MANAGE_URL
               value: "$(KC_LOCAL_URL)/admin/realms/$(KC_REALM)"
+{{- if .Values.global.development.skipTlsVerifyInternal }}
+            - name: TLS_SKIP_VERIFY_INTERNAL
+              value: "true"
+{{- end }}
             - name: BASE_DOMAIN
               valueFrom:
                 configMapKeyRef:

guard/helm/templates/dpl-worker.yaml

@@ -90,6 +90,10 @@ spec:
               value: "$(KC_ROOT_URL)/realms/$(KC_REALM)/.well-known/openid-configuration"
             - name: OIDC_MANAGE_URL
               value: "$(KC_LOCAL_URL)/admin/realms/$(KC_REALM)"
+{{- if .Values.global.development.skipTlsVerifyInternal }}
+            - name: TLS_SKIP_VERIFY_INTERNAL
+              value: "true"
+{{- end }}
             - name: POSTGRES_DB_SSL
               value: {{ .Values.global.database.ssl | quote }}
             - name: POSTGRES_DB_NAME

guard/helm/templates/instance-config.yaml

@@ -103,6 +103,10 @@ spec:
               value: "$(KC_ROOT_URL)/realms/$(KC_REALM)/.well-known/openid-configuration"
             - name: OIDC_MANAGE_URL
               value: "$(KC_LOCAL_URL)/admin/realms/$(KC_REALM)"
+{{- if .Values.global.development.skipTlsVerifyInternal }}
+            - name: TLS_SKIP_VERIFY_INTERNAL
+              value: "true"
+{{- end }}
             - name: BASE_DOMAIN
               valueFrom:
                 configMapKeyRef:

guard/helm/templates/user-api-dpl.yaml

@@ -96,6 +96,10 @@ spec:
               value: "$(KC_ROOT_URL)/realms/$(KC_REALM)/.well-known/openid-configuration"
             - name: OIDC_MANAGE_URL
               value: "$(KC_LOCAL_URL)/admin/realms/$(KC_REALM)"
+{{- if .Values.global.development.skipTlsVerifyInternal }}
+            - name: TLS_SKIP_VERIFY_INTERNAL
+              value: "true"
+{{- end }}
             - name: INCLUDE_INSTANCE_CONFIG
               value: "true"
 

helm-chart/values.yaml.in

@@ -9,6 +9,12 @@ global:
     #
     writableRootFilesystem: false
 
+    #
+    # When true, disables TLS verification for internal service-to-service calls.
+    # Use only in development environments with self-signed certificates.
+    #
+    skipTlsVerifyInternal: false
+
   domain:
     ip: ""
     name: ""