hjacobs/kube-janitor

How to disable TLS verification (self-signed certs)

svyatoslavmo opened this issue · 5 comments

Trying to run janitor on a cluster with self-signed certs.
I'm getting this error: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /api/v1/namespaces (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1056)')))
Is there a way to ignore invalid certs?

@SHarrySeldon it should work automatically when running in a cluster as Pykube loads the ca.crt of the service account. What kind of cluster setup do you have exactly? Can you show what env vars are set within the pod and whether ca.crt exists? Relevant code: https://github.com/hjacobs/pykube/blob/master/pykube/config.py#L21

See also https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens --- AFAIK the ca.crt should always exist for service accounts (?).

I see the code and yes, it should work automatically, but it doesn't.
ca.crt exists as a mounted secret within the pod. Not sure if that is a valid ca.crt, because it's a bare-metal cluster and I couldn't check the certs on the endpoint.

I have the same issue on a cluster with self-signed certificates. The ca.crt does exist within the pod, but it's in no way valid as it's just a development cluster with odd issuer/subject values.

Adding an option to ignore invalid certificates would be extremely useful!

I think this should be a feature request for pykube-ng: https://github.com/hjacobs/pykube

See hjacobs/pykube#76.

I also tried adding the following environment variables to the container, but had no luck.

env:
- name: REQUESTS_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: CURL_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: SSL_CERT_FILE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Note that running a manual curl with --cacert pointing to the path above works without issue.
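The thread's open question is whether the mounted ca.crt actually matches the API server's certificate, which is what pykube's in-cluster config relies on and what REQUESTS_CA_BUNDLE / curl --cacert point at. The stdlib-only diagnostic below is an added example, not code from kube-janitor or pykube; it assumes the standard in-cluster layout (KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT env vars and ca.crt under /var/run/secrets/kubernetes.io/serviceaccount). Run inside the pod, it reports whether ca.crt verifies the server's chain and, if not, dumps the server's leaf certificate so its issuer can be compared against ca.crt, which answers "is that a valid ca.crt" without turning verification off. The function names are the example's own.

```python
# Added diagnostic script (not part of kube-janitor or pykube). Assumes the
# standard in-cluster layout: KUBERNETES_SERVICE_HOST/PORT env vars and the
# service-account ca.crt mounted at /var/run/secrets/kubernetes.io/serviceaccount.
import os
import re
import socket
import ssl

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
CA_PATH = os.path.join(SA_DIR, "ca.crt")

# Matches each PEM certificate block in a bundle file.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def api_server_host_port(env=None):
    """Derive the API server address the way in-cluster clients do:
    from the KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT env vars."""
    env = os.environ if env is None else env
    host = env.get("KUBERNETES_SERVICE_HOST")
    if not host:
        raise RuntimeError("KUBERNETES_SERVICE_HOST is not set; not running inside a pod?")
    return host, int(env.get("KUBERNETES_SERVICE_PORT", "443"))


def count_pem_certs(pem_text):
    """Number of certificate blocks in a PEM bundle (0 means the file is
    not a usable CA bundle at all, e.g. empty or base64 without headers)."""
    return len(PEM_CERT_RE.findall(pem_text))


def classify_handshake(host, port, cafile, timeout=5.0):
    """Attempt a verified TLS handshake using only the given CA file and
    return a (status, detail) pair:
      ("verified", subject)      the CA file validates the server chain
      ("verify_failed", reason)  server reached, but the chain did not validate
                                 (ca.crt is unrelated to the serving cert)
      ("no_ca_file", path)       the CA file could not be loaded
      ("unreachable", error)     no TCP/TLS connection could be made
    """
    try:
        # cafile given => only that file is trusted, same as pykube's in-cluster config.
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError:
        return "no_ca_file", cafile
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "verified", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        # Same error class as the traceback in this issue
        # ("unable to get issuer certificate").
        return "verify_failed", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)


def server_cert_pem(host, port):
    """Fetch the server's leaf certificate as PEM for inspection only:
    compare its issuer with the subject(s) in ca.crt. No verification is
    done here, so never use this path for actual API calls."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    host, port = api_server_host_port()
    with open(CA_PATH) as f:
        bundle = f.read()
    print(f"{CA_PATH}: {count_pem_certs(bundle)} certificate(s)")
    status, detail = classify_handshake(host, port, CA_PATH)
    print(f"handshake using ca.crt: {status} ({detail})")
    if status == "verify_failed":
        print("server leaf certificate (check its issuer against ca.crt):")
        print(server_cert_pem(host, port))
```

If the result is "verified", the mounted ca.crt is fine and the failure lies elsewhere (for example a proxy or a different endpoint being contacted); if it is "verify_failed", the cluster is serving a certificate not issued by the CA in ca.crt, and the fix on the cluster side is to mount or reference the CA that actually signed the serving certificate rather than to disable verification.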