
Certifi overrides system CA config on RHEL/CentOS

Open vinzent opened this issue 5 years ago • 13 comments

For RHEL/CentOS users, using certifi like here https://github.com/kubernetes-client/python/blob/master/kubernetes/client/rest.py#L77 will forcefully override the system-provided CA configuration and reset it to the Mozilla CA PEM, missing any internal CA certs and thus failing with CERTIFICATE_VERIFY_FAILED errors.

See also: https://github.com/openshift/openshift-restclient-python/issues/198

vinzent avatar Jun 27 '19 07:06 vinzent

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

fejta-bot avatar Sep 25 '19 08:09 fejta-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle rotten

fejta-bot avatar Oct 25 '19 08:10 fejta-bot

/remove-lifecycle rotten

sector2000 avatar Nov 13 '19 13:11 sector2000

This issue is still unresolved in latest version 10.0.1

sector2000 avatar Nov 13 '19 15:11 sector2000

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

fejta-bot avatar Feb 11 '20 15:02 fejta-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle rotten

fejta-bot avatar Mar 12 '20 16:03 fejta-bot

/remove-lifecycle rotten

palnabarun avatar Mar 25 '20 22:03 palnabarun

/lifecycle frozen

palnabarun avatar Mar 25 '20 22:03 palnabarun

/assign

palnabarun avatar Mar 25 '20 22:03 palnabarun

Related: https://github.com/kubernetes-client/python/issues/1131

palnabarun avatar Apr 12 '20 19:04 palnabarun

Hi, we just hit this issue today and I was very surprised when I read the code. Basically, if the CA isn't explicitly set in kubeconfig, it will use an internal bundle of certificates.

That's a very surprising behaviour to me, and it seems contrary to what the openshift oc client is doing. Would it be possible to at least introduce an environment variable to override this feature and default on the OS' CA?

(not necessarily like #1131, rather, something that leaves the CA configuration unset so that it defaults on the OS')

EDIT: I just saw on #1276 that this file is automatically generated… would you consider a patch?

0xf10413 avatar Sep 07 '21 19:09 0xf10413

Hi again, after digging a bit more, it looks like the project you use for generating your files has actually fixed this issue: OpenAPITools/openapi-generator#8108

According to the sidebar, it is part of version 5.0.0. It seems that you are on version 4.3.0.

Is there any plan to upgrade that?

0xf10413 avatar Sep 09 '21 21:09 0xf10413

@0xf10413 -- Created #1589 to update the OpenAPI Generator used for generating the client.

palnabarun avatar Oct 25 '21 17:10 palnabarun
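
The behaviour asked for in this thread (verify against the OS trust store rather than silently falling back to a vendored bundle) can be sketched as follows. This is an added example, not code from kubernetes-client/python or openapi-generator; `resolve_ca_bundle`, `build_context` and the candidate path list are hypothetical names chosen here, and `SSL_CERT_FILE` is the standard OpenSSL environment variable.

```python
import os
import ssl

# Distro trust bundles (list assumed for this example). The first path is the
# RHEL/CentOS bundle, which is where internal CAs added by the admin end up.
SYSTEM_CA_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL / CentOS / Fedora
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
)


def resolve_ca_bundle(explicit=None, environ=None, candidates=SYSTEM_CA_BUNDLES):
    """Pick the CA bundle to verify against; returns (path, source).

    Order: explicit setting (e.g. the CA from kubeconfig), SSL_CERT_FILE,
    then the first existing system bundle. If none is found, return None so
    the TLS layer loads the OS defaults instead of a vendored Mozilla bundle.
    """
    environ = os.environ if environ is None else environ
    if explicit:
        return explicit, "explicit"
    env_path = environ.get("SSL_CERT_FILE")
    if env_path and os.path.isfile(env_path):
        return env_path, "SSL_CERT_FILE"
    for path in candidates:
        if os.path.isfile(path):
            return path, "system"
    return None, "openssl-default"


def build_context(ca_path=None):
    """TLS client context; with ca_path=None OpenSSL's default store is used."""
    ctx = ssl.create_default_context(cafile=ca_path)
    # Verification stays on: the fix is choosing the right trust store,
    # never disabling certificate checks.
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


if __name__ == "__main__":
    path, source = resolve_ca_bundle()
    print(f"CA bundle: {path!r} (source: {source})")
    build_context(path)
    # With the Kubernetes client, the resolved path could be assigned to
    # kubernetes.client.Configuration().ssl_ca_cert before creating ApiClient.
```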