-
Notifications
You must be signed in to change notification settings - Fork 526
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
self signed certificate in certificate chain error in 1.0.0-rc4 #1509
Comments
There is a similar error here: which appears to be related to the runtime environment. |
@brendandburns do you know if maybe my token in my kube config is not being attached with the kubernetes client? I tried the same request I am trying with the API call of |
Just tested with |
The switch to v1.0.4 includes a switch to a different underlying HTTP client. (fetch vs request) it's possible that's different, but it seems to work for other people. What is the kubernetes distro that you are using? Can you send the contents of your |
Take in mind I also am seeing this issue with The Kubernetes distro is Openshift, and this is the kubeconfig (with secrets redacted): apiVersion: v1
clusters:
- cluster:
insecure-skip-tls-verify: true
server: https://<myserver>:<myport>
name: <myserver>:<myport>
contexts:
- context:
cluster: <myserver>:<myport>
namespace: <namespace>
user: <user>/<server>:<myport>
name: default/<myserver>:<myport>/<user>
current-context: default/<myserver>:<myport>/<user>
kind: Config
preferences: {}
users:
- name: <myuser>/<myserver>:<myport>
user:
token: <token> |
ah, ok so you are explicitly turning off cert checking with:
I suspect that something broke in our handling of that parameter. I'll try to reproduce in unit tests. |
Thank you for your help with this, please keep me updated. |
So I think that this is because you are using a BearerToken for auth. The codepath for that is different and I don't think it respects the SSL in that case. I'm not quite sure about the right way to fix it, but I will keep looking. In the meantime if you could try a different auth method and see if that works, that would be useful. |
Thanks for the update! I believe currently my team has only token auth setup in our cluster so I may not be able to try another auth method for the time being unfortunately, thanks again for looking into resolving this issue! If a pull request is made could you link it to this issue? |
@brendandburns any updates for this issue? |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/reopen |
@brendandburns: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/remove-lifecycle rotten |
Unfortunately, I haven't been able to reproduce this. In general, setting tls auth to ignore self-signed certificates is pretty insecure, so I would recommend not doing that in general (and certainly not in production) The security risks from disabling TLS checks are far worse than the security risks associated with the But in general, you should really not be disabling TLS checks. |
The relevant code is here: https://github.com/kubernetes-client/javascript/blob/master/src/config.ts#L473 (0.x branch) If this is truly blocking you I'd encourage you to investigate those codepaths and see what is going wrong. I don't have an environment where I use self-signed certificates to reproduce this. |
I can see your reasoning behind this @brendandburns , but the issue is that some dev environments don't have certs purposely setup (obviously in production this should not be done), so ideally we want to support both scenarios to allow environments like these to test. In the case of certs, how do I attach my cert to CoreV1API instance? I have another environment where I setup the kube config to have the cert to pointed to the proper directory & |
I would second this, our team is also using an OpenShift cluster and our API's in development environments are failing with the same |
Describe the bug
A clear and concise description of what the bug is.
I receive the following error:
this was not appearing on previous versions of the kubernetes client, I also noticed it on
0.20.0
but had to upgrade due to vulnerability issues withrequest
, is there a way to get rid of this error? I am logging into my cluster and generating a token just fine which used to work.** Client Version **
e.g.
0.12.0
v1.0.0-rc4
** Server Version **
e.g.
1.19.1
v1.26.6
To Reproduce
Steps to reproduce the behavior:
run any request with kubernetes client, e.g:
Expected behavior
A clear and concise description of what you expected to happen.
I should be able to make calls without errors about self-signed certs in cert chain.
** Example Code**
Code snippet for what you are doing
Environment (please complete the following information):
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: