
catalog property skipTlsVerify true has no effect on Java API call when requesting Helm repository: certificate is always checked #586

Open
@StudioEtrange

Description

For storing our Helm charts we use a ChartMuseum instance on Kubernetes.
We use our own certificates.

Certificates are used for two different things in onyxia-api:

for Helm commands, and for the JVM with the Java keystore.

We have a TLS secret like this one:
    kubectl create secret tls onyxia-tls -n $namespace --key $DOMAIN_KEY_FILE --cert $DOMAIN_CERT_FILE

And we use these values for Helm:


catalogs:
  [
    {
      "id": "chartmuseum",
      "name": "Environnements de développement",
      "description": "ChartMuseum personnel hébergeant les charts",
      "location": "$CHARTMUSEUM_URI",
      "status": "PROD",
      "type": "helm",
      "skipTlsVerify": false,
      "caFile": "onyxia-tls.cer",
      "catalogVisibility": { "show": true },
      "visible": {
        "user": true,
        "project": true
      }
    }
  ]
env:
  JAVA_TOOL_OPTIONS: "-Dlogging.level.fr.insee.onyxia=DEBUG"
  CATALOGS_FILE_PATH: "/app/resources/catalogs.json"
  DISABLE_DEFAULT_CATALOGS: "true"
  CACERTS_DIR: "/etc/ssl/certs/extra"
extraVolumes:
  - name: onyxia-tls
    secret:
      secretName: onyxia-tls
      items:
        - key: tls.crt
          path: onyxia-tls.cer
extraVolumeMounts:
  - name: onyxia-tls
    mountPath: "/etc/ssl/certs/extra"
    readOnly: true

1/BEHAVIOR FOR HELM COMMANDS

Everything is OK.

  • when skipTlsVerify is false, the file /etc/ssl/certs/extra/onyxia-tls.cer is used with Helm commands, and it is OK
    /usr/local/bin/helm repo add --ca-file /etc/ssl/certs/extra/onyxia-tls.cer
  • when skipTlsVerify is true, Helm commands skip certificate verification, and it is OK
    /usr/local/bin/helm repo add --insecure-skip-tls-verify

2/BEHAVIOR FOR JAVA CODE

There is a problem because, whether skipTlsVerify is false or true, the Java code always wants to check the certificate.

  • when skipTlsVerify is false, the file /etc/ssl/certs/extra/onyxia-tls.cer is registered at pod launch by the entrypoint, which uses keytool, and it is OK
  • when skipTlsVerify is true, if we do not register the certificate at pod launch we get an error, because the Java httpClient always wants to check the certificate.

Could you use an httpClient with TLS verification deactivated when skipTlsVerify is true?
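As an added illustration (not code from the issue or from onyxia-api), this hypothetical helper shows how the Java side could honour the catalog's caFile directly, building one HttpClient per catalog whose trust store holds only the PEM from CACERTS_DIR, so no keytool step at pod launch is needed. It covers the caFile branch only; a skipTlsVerify=true branch would need a separate SSLContext scoped to that single client. CatalogHttpClientFactory, forCatalog and contextTrustingOnly are assumed names.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: one HttpClient per catalog, trusting the catalog's caFile (from CACERTS_DIR). */
public final class CatalogHttpClientFactory {

    /** caFile is the file name from the catalog entry; cacertsDir is the CACERTS_DIR mount. */
    public static HttpClient forCatalog(String caFile, Path cacertsDir) throws Exception {
        if (caFile == null || caFile.isBlank()) {
            return HttpClient.newHttpClient(); // no caFile: default JVM trust store
        }
        Path pem = cacertsDir.resolve(caFile).normalize();
        if (!pem.startsWith(cacertsDir.normalize())) {
            throw new IllegalArgumentException("caFile must stay inside " + cacertsDir);
        }
        return HttpClient.newBuilder().sslContext(contextTrustingOnly(pem)).build();
    }

    /** Builds an SSLContext whose trust store holds only the certificate(s) in the PEM file. */
    static SSLContext contextTrustingOnly(Path pem) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // empty in-memory trust store, no keytool needed
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate cert : cf.generateCertificates(in)) { // PEM bundles may hold several
                trust.setCertificateEntry("catalog-ca-" + n++, cert);
            }
        }
        if (n == 0) {
            throw new IllegalStateException("no X.509 certificate found in " + pem);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Because the trust store is per client, a certificate trusted for one catalog does not become trusted JVM-wide, unlike the keytool import at pod start.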
