Support insecureSkipTLSVerify in Identity CRD for API proxy scenarios

[rajsinghtech]

Problem

When using Liqo with networking.enabled=false and accessing remote clusters through an API proxy (e.g., Tailscale Kubernetes API proxy), virtual kubelets fail with TLS errors:

x509: certificate signed by unknown authority

The proxy terminates TLS using its own certificates, but Liqo's Identity controller embeds the cluster's CA in kubeconfig secrets (kubeconfig-resourceslice-*, kubeconfig-controlplane-*), causing certificate validation to fail.

Current Behavior

1. Identity CRD stores certificateAuthorityData in spec.authParams
2. Controller-manager generates kubeconfig secrets with certificate-authority-data
3. Even if manually patched with insecure-skip-tls-verify: true, the controller immediately reconciles and reverts the change

Proposed Solution

Add an optional insecureSkipTLSVerify field to the Identity CRD's authParams:

spec:
  authParams:
    apiServerURL: https://proxy.example.com
    insecureSkipTLSVerify: true  # New field

When set, the controller should:

1. Generate kubeconfig with insecure-skip-tls-verify: true
2. Omit certificate-authority-data from the kubeconfig

Use Case

Multi-cluster setups using Tailscale, Cloudflare Tunnel, or similar API proxies where:

• Networking is handled externally (Liqo networking disabled)
• API servers are accessed via proxy hostnames
• Proxy uses its own TLS certificates (not the cluster CA)

Environment

• Liqo version: 1.0.1
• Kubernetes: Talos Linux clusters
• Network: Tailscale with API server proxy enabled

[cheina97]

Hi @rajsinghtech, thanks for your issue. It makes sense, and I think it should be a good improvement for Liqo. Feel free to open. a PR if you want to implement it.

Another solution should be using these values

liqo/deployments/liqo/values.yaml

Lines 28 to 34 in fd1d6f8

	apiServer:
	# -- The address that must be used to contact your API server, it needs to be reachable from the clusters that you will peer with (defaults to your master IP).
	address: ""
	# -- The CA certificate used to issue x509 user certificates for the API server (base64). Leave it empty to use the default CA.
	ca: ""
	# -- Indicates that the API Server is exposing a certificate issued by a trusted Certification Authority.
	trustedCA: false

I'm curious about how you want to manage the multicluster network without Liqo networking. I'm saying this because a possible solution should be to implement a new GatewayTemplate that supports Tailscale instead of vanilla WireGuard. In that case would be possible to use Tailscale for both dataplane and controlplane (you can use in-band peering to forward API server traffic inside the tailscale tunnel). What do you think about it? Would you consider it something useful?