feat: add tlsInsecureSkipVerify to ExternalModel spec

nerdalert · nerdalert · commit 6cb4a6766657 · 2026-03-30T18:34:18.000Z
Adds an optional spec.tlsInsecureSkipVerify field to the ExternalModel CRD. When true, the reconciler generates the DestinationRule with insecureSkipVerify: true, allowing connections to endpoints with self-signed certificates without manual patching that gets overwritten on reconciliation. Default is false. Closes #627 Signed-off-by: Brent Salisbury <bsalisbu@redhat.com>
diff --git a/deployment/base/maas-controller/crd/bases/maas.opendatahub.io_externalmodels.yaml b/deployment/base/maas-controller/crd/bases/maas.opendatahub.io_externalmodels.yaml
@@ -83,6 +83,18 @@ spec:
                   e.g. "openai", "anthropic".
                 maxLength: 63
                 type: string
+              tlsInsecureSkipVerify:
+                description: |-
+                  TLSInsecureSkipVerify disables TLS certificate verification on the
+                  DestinationRule created for this external model. When true, the generated
+                  Istio DestinationRule includes insecureSkipVerify: true under
+                  trafficPolicy.tls, allowing connections to endpoints with self-signed or
+                  untrusted certificates (e.g., simulators, dev environments).
+
+                  WARNING: Do not enable in production. This is intended for testing only.
+
+                  Default: false (certificates are verified).
+                type: boolean
             required:
             - credentialRef
             - endpoint
diff --git a/maas-controller/api/maas/v1alpha1/externalmodel_types.go b/maas-controller/api/maas/v1alpha1/externalmodel_types.go
@@ -41,6 +41,18 @@ type ExternalModelSpec struct {
 	// The Secret must contain a data key "api-key" with the credential value.
 	// +kubebuilder:validation:Required
 	CredentialRef CredentialReference `json:"credentialRef"`
+
+	// TLSInsecureSkipVerify disables TLS certificate verification on the
+	// DestinationRule created for this external model. When true, the generated
+	// Istio DestinationRule includes insecureSkipVerify: true under
+	// trafficPolicy.tls, allowing connections to endpoints with self-signed or
+	// untrusted certificates (e.g., simulators, dev environments).
+	//
+	// WARNING: Do not enable in production. This is intended for testing only.
+	//
+	// Default: false (certificates are verified).
+	// +optional
+	TLSInsecureSkipVerify bool `json:"tlsInsecureSkipVerify,omitempty"`
 }
 
 // ExternalModelStatus defines the observed state of ExternalModel
diff --git a/maas-controller/pkg/reconciler/externalmodel/reconciler.go b/maas-controller/pkg/reconciler/externalmodel/reconciler.go
@@ -277,12 +277,12 @@ func specFromExternalModel(extModel *maasv1alpha1.ExternalModel, model *maasv1al
 	}
 
 	spec := ExternalModelSpec{
-		Provider:   extModel.Spec.Provider,
-		Endpoint:   extModel.Spec.Endpoint,
-		PathPrefix: ann[AnnPathPrefix],
-		TLS:        true,
-		Port:       443,
-		// TLSInsecureSkipVerify: extModel.Spec.TLSInsecureSkipVerify, // requires issue #627 CRD change
+		Provider:              extModel.Spec.Provider,
+		Endpoint:              extModel.Spec.Endpoint,
+		PathPrefix:            ann[AnnPathPrefix],
+		TLS:                   true,
+		Port:                  443,
+		TLSInsecureSkipVerify: extModel.Spec.TLSInsecureSkipVerify,
 	}
 
 	if spec.Provider == "" {
