
Connection problem to self-signed tls certificates still present

Open typoworx-de opened this issue 2 years ago • 4 comments

Describe the bug

I am trying to connect to a Kubernetes cluster hosted on our office ESXi server. Local kubectl works fine there, but when I try to connect from my workstation, Lens gets stuck because the CA/cert for Kubernetes is self-signed.

I have been trying to modify kube-config:

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    certificate-authority-data: {PRIVATE}

Now the error in Lens has changed as follows:

error: specifying a root certificates file with the insecure flag is not allowed

I think this is misbehaving. I know that my CA/Cert is self-signed and I want to override this warning.

Trying the same without insecure-skip-tls-verify: true, the Lens error is as follows:

E0427 12:19:27.284567 88962 proxy_server.go:147] Error while proxying request: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")

x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")

Trying to connect after renaming certificate-authority-data with the prefix '__' works! But this leads to user confusion, as one has to know that.

Comparing this to CLI kubectl, there it works fine!

$> kubectl --insecure-skip-tls-verify get pods

Expected behavior

I think it should be valid to have certificate-authority-data present in combination with insecure-skip-tls-verify: true, so it should connect!

Environment (please complete the following information):

  • Lens Version: 5.4.6-latest
  • OS: OSX

typoworx-de avatar Apr 27 '22 10:04 typoworx-de

What version of kubectl are you using on the command line?

Nokel81 avatar May 02 '22 12:05 Nokel81

I have the same problem.

CajuCLC avatar Jul 24 '22 13:07 CajuCLC

same

smarakdas314 avatar Aug 24 '22 13:08 smarakdas314

same

nicole-lihui avatar Sep 14 '22 05:09 nicole-lihui

I have a home lab k8s cluster and I am having the same issue. I usually connect to it by running kubectl --insecure-skip-tls-verify, but I don't know how to connect using Lens.

kmarji avatar Sep 16 '22 05:09 kmarji

Removing the certificate-authority-data works for me.


solarhell avatar Sep 19 '22 02:09 solarhell

Removing the certificate is the correct thing to do. This requirement comes from client-go itself. If you need to use the flag with kubectl then having the certificate in your kubeconfig is useless anyway.

Nokel81 avatar Oct 11 '22 19:10 Nokel81