
How to disable tls verification(self signed certs)

Open svyatoslavmo opened this issue 5 years ago • 5 comments

Trying to run janitor on a cluster with self-signed certs. I'm getting this error: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /api/v1/namespaces (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1056)'))). Is there a way to ignore invalid certs?

svyatoslavmo avatar Aug 13 '19 15:08 svyatoslavmo

@SHarrySeldon it should work automatically when running in a cluster as Pykube loads the ca.crt of the service account. What kind of cluster setup do you have exactly? Can you show what env vars are set within the pod and whether ca.crt exists? Relevant code: https://github.com/hjacobs/pykube/blob/master/pykube/config.py#L21

See also https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens --- AFAIK the ca.crt should always exist for service accounts (?).

hjacobs avatar Aug 13 '19 15:08 hjacobs

I see the code and yes, it should work automatically, but it doesn't. ca.crt exists as a mounted secret within the pod. Not sure if that is a valid ca.crt, because it's a bare-metal cluster and I couldn't check the certs on the endpoint.

svyatoslavmo avatar Aug 14 '19 06:08 svyatoslavmo

I have the same issue on a cluster with self-signed certificates. The ca.crt does exist within the pod, but it's in no way valid, as it's just a development cluster with odd issuer/subject values.

Adding an option to ignore invalid certificates would be extremely useful!

tkimball83 avatar Aug 31 '20 22:08 tkimball83

I think this should be a feature request for pykube-ng: https://github.com/hjacobs/pykube

hjacobs avatar Sep 01 '20 07:09 hjacobs

See https://github.com/hjacobs/pykube/issues/76.

I also tried adding the following environment variables to the container, but had no luck.

env:
- name: REQUESTS_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: CURL_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: SSL_CERT_FILE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Note that running a manual curl with --cacert pointing to the path above works without issue.

tkimball83 avatar Sep 02 '20 22:09 tkimball83
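Added diagnostic for the situation in this thread (not code from kube-janitor or pykube): it resolves the API server the way an in-cluster client does, from KUBERNETES_SERVICE_HOST/PORT and the service-account ca.crt, trusts only that file, and reports which step fails (CA not mounted, CA not parseable, or the server's issuer missing from ca.crt) together with the CA subjects it loaded, so the CA can be corrected instead of verification being switched off. Names such as TrustReport and check_api_server_trust are this example's own.

```python
import os
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

SA_CA_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"  # standard SA mount


@dataclass
class TrustReport:
    ca_file: str
    status: str  # ca_missing | ca_unreadable | no_host | verify_failed | connect_failed | ok
    ca_subjects: List[str] = field(default_factory=list)
    detail: Optional[str] = None


def format_dn(name) -> str:
    """Flatten the nested subject/issuer tuples returned by the ssl module."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)


def check_api_server_trust(host=None, port=None, ca_file=None, timeout=5.0) -> TrustReport:
    host = host or os.environ.get("KUBERNETES_SERVICE_HOST")
    port = int(port or os.environ.get("KUBERNETES_SERVICE_PORT", "443"))
    ca_file = ca_file or SA_CA_FILE
    if not os.path.isfile(ca_file):
        return TrustReport(ca_file, "ca_missing", detail="service-account CA not mounted")
    # PROTOCOL_TLS_CLIENT verifies chain and hostname and trusts only what we load,
    # mirroring a client pinned to ca.crt (the system CA store is not consulted).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_file)
    except ssl.SSLError as exc:  # file exists but contains no parseable PEM certificate
        return TrustReport(ca_file, "ca_unreadable", detail=str(exc))
    subjects = [format_dn(c["subject"]) for c in ctx.get_ca_certs()]
    if not host:
        return TrustReport(ca_file, "no_host", subjects, "KUBERNETES_SERVICE_HOST is unset")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                return TrustReport(ca_file, "ok", subjects, format_dn(peer["subject"]))
    except ssl.SSLCertVerificationError as exc:
        # "unable to get issuer certificate" means ca.crt lacks the API server's issuer
        return TrustReport(ca_file, "verify_failed", subjects, exc.verify_message)
    except OSError as exc:
        return TrustReport(ca_file, "connect_failed", subjects, str(exc))
```

Run `check_api_server_trust()` from inside the pod; a `verify_failed` report whose `ca_subjects` do not match the issuer curl shows for the endpoint means the mounted ca.crt is not the CA that signed the API server certificate.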