kubernetes-client
ERR_TLS_CERT_ALTNAME_INVALID error for proxy-url feature
Describe the bug
I metioned that in the client-node sdk main branch, it implemented proxy-url feature, it would be very useful for local development. But when I use the client-node sdk, and the kubeconfig file contains proxy-url field, it will output the following error:
Client Version
e.g. 0.12.0
not a stable release version, just in the main branch.
Server Version
e.g. 1.19.1
v1.28.3
To Reproduce
Steps to reproduce the behavior:
prepare a kubeconfig file with proxy-url, and use the loadFromFile method to init the client-node sdk.
Expected behavior A clear and concise description of what you expected to happen. I expected the sdk can work with the proxy-url, and visit the kubernetes apiserver.
Example Code Code snippet for what you are doing
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromFile('path/to/local/kubeconfig')
const k8sApi = kc.makeApiClient(k8s.CoreV1Api);
k8sApi.listNamespacedPod({ namespace: "default" }).then((res) => {
console.log(res);
});
Environment (please complete the following information):
- OS: [e.g. Windows, Linux] macos
- Node.js version [eg. 20] v20.12.1
- Cloud runtime [e.g. Azure Functions, Lambda] local devel
Additional context Add any other context about the problem here. I try to solve the problem by diving into the source code. Here is some analysis for the problem: https://github.com/TooTallNate/proxy-agents/issues/365, maybe it will help the community team to solve the problem~
It appears that you are connecting to 'localhost' as the API server, but that is not in the subject names that are in the certificate (as expected).
What is the server set to in your kubeconfig?
yes, the problem is setting wrong host, which caused by socks-proxy-agent package, it will omit the host when create tls connection.
and the server in my kubeconfig is that:
BTW I have tested the same kubeconfig with client-go sdk, it works~.
It seems not the problem of invoking, when send request to apiserver, the request lib(aka node-fetch) will set host according to server field in the kubeconfig:
the opts param passed in the connect method in socks-proxy-agent is still right:
here the invoke to apiserver is tls request, so it will create the tls socket based on socks5 socket, but it will ignore host which generated by node-fetch lib:
so the duo tls verify will be failed.
It seems like this is a bug in the
socks-proxy-agentlibrary?
Yes, i'm trying to prepare more snippet to prove that. BTW, is anyone tested the proxy-url feature? I want to make sure that is it a common problem ?
@brendandburns already confirm the problem, it seems that socks-proxy-agent doesn't take bilateral tls verification into consideraion(because I've tested the http/https version, it doesn't works for scenario of bilateral tls verification)
it seems that the upstream of socks-proxy-agent no reply recently, should we maintain another copy of socks-proxy-agent in the kubernetes-client/javascript source code, it doesn't cost much, and will be easy to maintain, just inherit the base class and use the socket javascript lib directly. @brendandburns
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
the issuse is pending due to no response from upstream. It seems that the socks-proxy-agent library is not under maintain any more ?
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle rotten - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Reopen this issue with
/reopen - Mark this issue as fresh with
/remove-lifecycle rotten - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied- After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied- After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closedYou can:
- Reopen this issue with
/reopen- Mark this issue as fresh with
/remove-lifecycle rotten- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
