
client: rustls is incompatible with the env-based in-cluster config

Open olix0r opened this issue 3 years ago • 1 comments

As described in #1000, in-cluster Kubernetes clients must honor the KUBERNETES_SERVICE_HOST environment variable and cannot rely on this being identical to kubernetes.default.svc. Unfortunately, this value is usually an IP address, and webpki doesn't support IP address validation by IP (briansmith/webpki#54, rustls/webpki#4). Therefore, rustls cannot reliably be used with the default in-cluster configuration.

Once these upstream issues are addressed, the client Config documentation should be updated to remove caveats about rustls compatibility and CI changes (in #1001) should be reverted to test rustls in CI.

olix0r avatar Sep 09 '22 02:09 olix0r

This may be related to #991. I think that once that issue is done, kube-rs users may explicitly apply the override tls-server-name = kubernetes.default.svc to the connection config, and verification will work both in-cluster and externally (because the server certificate will then be validated against a DNS name).

MikailBag avatar Sep 17 '22 14:09 MikailBag

As of 0.77.0, we now use @MikailBag's idea of passing tls-server-name = kubernetes.default.svc by default for rustls, and this should at least provide a better workaround for rustls.

clux avatar Dec 15 '22 15:12 clux
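The workaround discussed in the thread, as an added example that is not part of the issue and not kube-rs's own code: derive the in-cluster API server URL from KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT, and when the host is an IP literal (the case webpki cannot verify) pin the TLS server name to kubernetes.default.svc so the certificate is checked against a DNS SAN instead. When the host is already a DNS name, no override is set and verification uses the host itself. The struct `InClusterTls`, its field names and the helper names are this example's own (hypothetical); kube-rs exposes an equivalent setting on its client config, but the exact field name is not confirmed by this page.

```rust
use std::net::IpAddr;

/// DNS name that the API server certificate is expected to carry as a SAN.
/// This is the name the thread agrees to pin when the env host is an IP.
pub const DEFAULT_TLS_SERVER_NAME: &str = "kubernetes.default.svc";

/// Hypothetical connection settings for an in-cluster client (example only).
#[derive(Debug, PartialEq)]
pub struct InClusterTls {
    /// Base URL actually connected to (host taken verbatim from the env).
    pub cluster_url: String,
    /// Name used for SNI and certificate verification when it must differ
    /// from the URL host; `None` means "verify against the URL host".
    pub tls_server_name: Option<String>,
}

/// Build the settings from explicit host/port values.
///
/// Edge case handled: KUBERNETES_SERVICE_HOST is usually an IP literal
/// (IPv4 or IPv6). webpki cannot validate a certificate against an IP, so
/// for IP hosts the verification name is overridden with a DNS name that the
/// API server certificate does carry. IPv6 literals are bracketed for the URL.
pub fn in_cluster_tls(host: &str, port: &str) -> Result<InClusterTls, String> {
    if host.is_empty() {
        return Err("KUBERNETES_SERVICE_HOST is empty".to_string());
    }
    let port: u16 = port
        .parse()
        .map_err(|_| format!("KUBERNETES_SERVICE_PORT is not a valid port: {port:?}"))?;

    let (authority, host_is_ip) = match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => (v4.to_string(), true),
        Ok(IpAddr::V6(v6)) => (format!("[{v6}]"), true),
        Err(_) => (host.to_string(), false),
    };

    let tls_server_name = if host_is_ip {
        Some(DEFAULT_TLS_SERVER_NAME.to_string())
    } else {
        // A DNS host verifies fine as-is; do not silently rewrite it.
        None
    };

    Ok(InClusterTls {
        cluster_url: format!("https://{authority}:{port}"),
        tls_server_name,
    })
}

/// Read the same values from the environment, as an in-cluster pod would.
/// Port defaults to 443 if the variable is absent (assumption for this example).
pub fn in_cluster_tls_from_env() -> Result<InClusterTls, String> {
    let host = std::env::var("KUBERNETES_SERVICE_HOST")
        .map_err(|_| "KUBERNETES_SERVICE_HOST is not set; not running in-cluster?".to_string())?;
    let port = std::env::var("KUBERNETES_SERVICE_PORT").unwrap_or_else(|_| "443".to_string());
    in_cluster_tls(&host, &port)
}

fn main() {
    // Constructed sample inputs; the first mirrors a typical cluster service IP.
    for (host, port) in [("10.96.0.1", "443"), ("fd00::1", "6443"), ("kubernetes.default.svc", "443")] {
        match in_cluster_tls(host, port) {
            Ok(cfg) => println!("{host}:{port} -> {} (tls_server_name = {:?})", cfg.cluster_url, cfg.tls_server_name),
            Err(e) => println!("{host}:{port} -> error: {e}"),
        }
    }
    match in_cluster_tls_from_env() {
        Ok(cfg) => println!("from env -> {cfg:?}"),
        Err(e) => println!("from env -> {e}"),
    }
}
```

The override only helps if the API server certificate actually lists kubernetes.default.svc as a DNS SAN; it is standard for cluster-provisioned API server certificates but worth checking with `openssl s_client -connect "$KUBERNETES_SERVICE_HOST:443" -servername kubernetes.default.svc` before relying on it, because a pinned name that the certificate does not carry turns every connection into a verification failure rather than a fix.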