kubernetes-client
Support tls-server-name field from kubeconfig for SNI
The client fails TLS verification when kubeconfig specifies a tls-server-name different from the server URL hostname. This is common with Teleport-generated configs where the certificate CN/SAN doesn't match the proxy IP.
Changes
-
KubeConfig: Added
getTlsServerName()to readtls-server-namefrom cluster config -
ApiClient: Added
tlsServerNamefield and customHostnameVerifierthat delegates toOkHostnameVerifier.INSTANCE.verify(tlsServerName, session)instead of verifying against URL hostname -
ClientBuilder: Wired
tls-server-namefrom KubeConfig through to ApiClient
Example
clusters:
- cluster:
server: https://192.168.1.1:6443
tls-server-name: my-cluster.example.com # Certificate has this CN/SAN
certificate-authority-data: ...
The client now verifies the certificate against my-cluster.example.com instead of 192.168.1.1, allowing successful TLS handshake with mismatched hostnames.
Resolves issue where workaround required insecure-skip-tls-verify: true.
Original prompt
This section details on the original issue you should resolve
<issue_title>TLSServerName is not taken into account</issue_title> <issue_description>Describe the bug
When using a kubeconfig which defines a
tls-server-namefield different from theserverfield, the client fails to validate the cluster certificate.As a workaround, setting
insecure-skip-tls-verify: trueand removingcertificate-authority-datafrom the kubeconfig file works.Client Version
20
Kubernetes Version
1.28.6
Java Version
17
To Reproduce
Get a kubeconfig with a
tls-server-namefield different from theserverfield. This is the case with the kubeconfig files generated by Teleport. Run theKubeConfigFileClientExample.java:cd examples/examples-release-20 mvn -X clean install exec:java -Dexec.mainClass="io.kubernetes.client.examples.KubeConfigFileClientExample"Expected behavior
The client respects the
tls-server-namefield and uses this hostname to verify the TLS certificate.KubeConfig
apiVersion: v1 clusters: - cluster: certificate-authority-data: REDACTED server: REDACTED tls-server-name: REDACTED name: REDACTED contexts: - context: cluster: REDACTED extensions: - extension: sandbox name: teleport.kube.name user: REDACTED name: REDACTED current-context: REDACTED kind: Config preferences: {} users: - name: REDACTED user: exec: apiVersion: client.authentication.k8s.io/v1beta1 args: - kube - credentials - --kube-cluster=sandbox - --teleport-cluster=REDACTED - --proxy=REDACTED command: tsh env: null provideClusterInfo: falseServer (please complete the following information):
- OS: Linux
- Environment: system
- Cloud: Azure/Teleport
Additional context </issue_description>
Comments on the Issue (you are @copilot in this section)
@brendandburns Yeah, that's not currently supported in our TLS. We'd be happy to take a PR to add support.
- Fixes kubernetes-client/java#3241
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Copilot Once this PR has been reviewed and has the lgtm label, please ask for approval from brendandburns. For more information see the Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Copilot Once this PR has been reviewed and has the lgtm label, please ask for approval from brendandburns. For more information see the Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment