bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/apisix] TLS must be fully configured and enabled to configure a trusted TLS CA for the data plane #30478

Open james-mchugh opened 6 days ago

james-mchugh commented 6 days ago

Name and Version

bitnami/apisix:3.3.11

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Attempt to provide a trusted certificate to Apisix (via --set dataPlane.tls.ca).
  2. Exec into the container and inspect the cert at /bitnami/certs/ca.crt. Observe that it is not the provided cert (it was autogenerated).
  3. Disable autogeneration of TLS secret (via --set dataPlane.tls.autoGenerated). Observe that deployment of the chart will fail without the tls cert and key specified.

Are you using any custom parameters or values?

dataPlane:
  tls:
    enabled: true
    ca: |-
      # <insert-ca-here>
    autoGenerated: false

What is the expected behavior?

An ssl_trusted_certificate can be passed to Apisix without enabling TLS or providing a server cert and key.

What do you see instead?

The ssl_trusted_certificate cannot be passed to Apisix unless TLS is fully configured and enabled.

Additional information

Several Apisix plugins such as openid-connect and authz-keycloak reach out to external servers. These servers often utilize HTTPS to secure communications. Without being able to specify an ssl_trusted_certificate to Apisix, Apisix cannot validate the authenticity of certificates presented by these external servers, resulting in a security risk. This results in needing to set ssl_verify to false in these plugins to skip verification of the server's cert.

The only way to provide a CA or ssl_trusted_certificate to Apisix currently requires TLS to be fully configured and enabled, meaning that a TLS certificate and key have to be provided to Apisix. This is often unnecessary, as many users deploying Apisix may be terminating TLS at the ingress.
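Step 2 of the reproduction (checking whether the CA mounted at /bitnami/certs/ca.crt is the one passed via dataPlane.tls.ca) is easiest to do by comparing SHA-256 certificate fingerprints rather than eyeballing PEM text. The script below is an added example, not part of this issue or of the bitnami/charts project: it extracts every certificate from a PEM bundle, computes the same SHA-256 fingerprint that `openssl x509 -noout -fingerprint -sha256` prints, and reports whether all provided CA certificates are present in the mounted file. The PEM inputs it builds are constructed placeholders (base64 of a label, not real certificates); the comparison logic is unchanged for real bundles, and the file paths in the usage branch are assumptions.

```python
import base64
import hashlib
import re
import sys

# Matches each certificate block in a PEM bundle, capturing the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def make_placeholder_pem(label: str) -> str:
    """Constructed stand-in for a PEM certificate: the 'DER' payload is just the
    label bytes. Real certificates are not needed to demonstrate fingerprinting."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_fingerprints(pem_text: str) -> list[str]:
    """Return the SHA-256 fingerprint of every certificate in the bundle, formatted
    as colon-separated uppercase hex exactly like openssl's -fingerprint output."""
    fingerprints = []
    for match in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fingerprints


def ca_matches(provided_pem: str, mounted_pem: str) -> bool:
    """True when every certificate supplied via dataPlane.tls.ca appears in the
    bundle actually mounted in the container (extra mounted certs are tolerated)."""
    provided = set(pem_fingerprints(provided_pem))
    mounted = set(pem_fingerprints(mounted_pem))
    return bool(provided) and provided <= mounted


# Constructed inputs mirroring the report: the CA the operator passed in, and an
# autogenerated CA that the chart mounted instead of it.
PROVIDED_CA_PEM = make_placeholder_pem("provided-ca-placeholder")
AUTOGENERATED_CA_PEM = make_placeholder_pem("autogenerated-ca-placeholder")


def report(provided_pem: str, mounted_pem: str) -> str:
    """Human-readable verdict with both fingerprint lists, for use after
    copying the mounted file out of the pod."""
    lines = ["provided:"] + pem_fingerprints(provided_pem)
    lines += ["mounted:"] + pem_fingerprints(mounted_pem)
    lines.append("MATCH" if ca_matches(provided_pem, mounted_pem) else "MISMATCH: mounted CA is not the provided CA")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Assumed usage: python check_ca.py provided-ca.pem mounted-ca.crt, where
        # mounted-ca.crt was copied out with kubectl exec ... cat /bitnami/certs/ca.crt
        with open(sys.argv[1]) as f_provided, open(sys.argv[2]) as f_mounted:
            print(report(f_provided.read(), f_mounted.read()))
    else:
        print(report(PROVIDED_CA_PEM, AUTOGENERATED_CA_PEM))
```

Run without arguments it demonstrates the MISMATCH case from the report; pass the operator's CA file and the file copied out of the pod to check a real deployment. Because the fingerprint is computed over the decoded DER bytes, it can be cross-checked against `openssl x509 -noout -fingerprint -sha256 -in <file>` on either side.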