
Connecting to a kubernetes cluster with self-signed (user?) certificate

Open feloy opened this issue 1 year ago • 10 comments

Bug description

When connecting to an OpenShift cluster with a self-signed certificate in the certificate chain, the user needs to add the insecure-skip-tls-verify: true flag in the cluster section of the kubeconfig file for the informers to be able to connect from podman desktop.

This flag is not necessary when accessing the cluster with kubectl or with this code: https://github.com/benoitf/k8s-informer-error

Operating system

Linux Fedora

Installation Method

Installer from website/GitHub releases

Version

1.8.0

Steps to reproduce

No response

Relevant log output

No response

Additional context

No response

feloy avatar Apr 05 '24 14:04 feloy

This issue has been automatically marked as stale because it has not had activity in the last 6 months. It will be closed in 30 days if no further activity occurs. Please feel free to leave a comment if you believe the issue is still relevant. Thank you for your contributions!

github-actions[bot] avatar Oct 22 '24 00:10 github-actions[bot]

This issue has been automatically closed because it has not had any further activity in the last 30 days. Thank you for your contributions!

github-actions[bot] avatar Nov 21 '24 01:11 github-actions[bot]

reopen

feloy avatar Nov 21 '24 05:11 feloy

I see this issue reported in several places which point to this issue list, but all of them share the same issue: No change, no planned change since early spring of 2024? Has this issue been corrected? I don't see any evidence that it's been?

bit4man avatar Jan 17 '25 15:01 bit4man

@feloy could you take a look

rujutashinde avatar May 06 '25 15:05 rujutashinde

@feloy is this still valid as I cannot reproduce?

jeffmaury avatar Jun 18 '25 15:06 jeffmaury

It seems to me that the root cause is https://github.com/podman-desktop/podman-desktop/issues/10297

@bit4man In https://github.com/podman-desktop/podman-desktop/issues/7139, in "Create api and wildcard certs, add the CA to the ca-trust, and apply certs to the openshift-api and the ocp wildcard end point.", does this involve having certificates in files different from /etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs/ca-bundle.crt?

feloy avatar Jun 18 '25 15:06 feloy

Tested with a cluster having a certificate signed by an unknown authority and then logged in through oc ....

Both oc, kubectl and Podman Desktop can communicate with the cluster.

Removed the insecure-skip-tls-verify flag and none can communicate with the cluster.

Tested on Windows, now trying on Fedora.

jeffmaury avatar Jun 19 '25 09:06 jeffmaury

Have you done this step (from #7139)? add the CA to the ca-trust

By adding it, the flag should not be necessary (at least for oc/kubectl)

feloy avatar Jun 19 '25 09:06 feloy

> Have you done this step (from #7139)? add the CA to the ca-trust
>
> By adding it, the flag should not be necessary (at least for oc/kubectl)

In my use case (cluster-bot), I don't have access to the CA certificate and adding the cluster certificate is useless

jeffmaury avatar Jun 19 '25 15:06 jeffmaury

@jeffmaury would you still consider keeping this for 1.21.0?

rujutashinde avatar Jul 07 '25 20:07 rujutashinde
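
An added example, not part of the issue thread or of the Podman Desktop code base: a small Node.js check that reports, for each cluster in a kubeconfig, whether TLS verification is disabled through insecure-skip-tls-verify, whether a CA is named in the file, or whether the result is left to the client's own trust store (the case where the thread sees clients behave differently). It assumes the kubeconfig is supplied as JSON, as printed by `kubectl config view --raw -o json`; the sample data and all function names are constructed for illustration.

```javascript
// Constructed sample kubeconfig in JSON form; names, servers and CA path are made up.
const sampleKubeconfig = {
  clusters: [
    { name: "lab-skip-verify",
      cluster: { server: "https://api.lab.example:6443", "insecure-skip-tls-verify": true } },
    { name: "lab-explicit-ca",
      cluster: { server: "https://api.lab.example:6443", "certificate-authority": "/path/to/cluster-ca.crt" } },
    { name: "lab-default-trust", cluster: { server: "https://api.lab.example:6443" } },
  ],
  contexts: [
    { name: "admin@skip", context: { cluster: "lab-skip-verify", user: "admin" } },
    { name: "dev@skip", context: { cluster: "lab-skip-verify", user: "dev" } },
    { name: "admin@ca", context: { cluster: "lab-explicit-ca", user: "admin" } },
  ],
};

// How a client will decide whether to trust the API server certificate.
function classifyCluster(entry) {
  const c = entry.cluster || {};
  // Verification is off: any certificate is accepted, the server identity is unchecked.
  if (c["insecure-skip-tls-verify"] === true) return "verification-disabled";
  // The CA is named in the kubeconfig itself (file path or inline base64 data).
  if (c["certificate-authority"] || c["certificate-authority-data"]) return "explicit-ca";
  // Nothing set: the outcome depends on the trust store the client process uses.
  return "client-default-trust";
}

// One row per cluster, with the contexts that would connect through it.
function auditKubeconfig(kubeconfig) {
  const contextsByCluster = new Map();
  for (const ctx of kubeconfig.contexts || []) {
    const cluster = ctx.context && ctx.context.cluster;
    if (!contextsByCluster.has(cluster)) contextsByCluster.set(cluster, []);
    contextsByCluster.get(cluster).push(ctx.name);
  }
  return (kubeconfig.clusters || []).map((entry) => ({
    name: entry.name,
    server: (entry.cluster || {}).server,
    trust: classifyCluster(entry),
    contexts: contextsByCluster.get(entry.name) || [],
  }));
}

// Names of clusters that still carry the flag and should move to a CA entry.
function clustersSkippingVerification(kubeconfig) {
  const rows = auditKubeconfig(kubeconfig);
  return rows.filter((row) => row.trust === "verification-disabled").map((row) => row.name);
}
console.log(JSON.stringify(auditKubeconfig(sampleKubeconfig), null, 2));
```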