kubernetes-client/haskell

InternalException - certificate unknown with `mkKubeClientConfig`

cirquit opened this issue · 4 comments

After trying this snippet (thanks to @akshaymankar for proving the functionality) and replacing it with my local kube configuration file I got the following error:

```
haskell-test-exe: HttpExceptionRequest Request {
  host                 = "172.24.59.88"
  port                 = 6443
  secure               = True
  requestHeaders       = [("User-Agent","kubernetes-client-core/0.1.0.0"),("accept","application/json")]
  path                 = "/api/v1/pods"
  queryString          = ""
  method               = "GET"
  proxy                = Nothing
  rawBody              = False
  redirectCount        = 10
  responseTimeout      = ResponseTimeoutDefault
  requestVersion       = HTTP/1.1
}
 (InternalException (HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"172.24.59.88\"]",True,CertificateUnknown))))
```

I'm slightly out of my domain with managing certificates, but it seems that the underlying SSL library (#63?) cannot find the needed certificates / does not trust them for some reason.

To set up helm it sufficed to point it to the kubernetes config file, so I'm not really sure what to do now.

Versions:

```
> kubectl version --short
Client Version: v1.15.0
Server Version: v1.15.4
> stack --numeric-version
1.9.3
```

Currently using the 95eb28b commit for both kubernetes-client and kubernetes-client-core.

@cirquit You are right, implementing #63 should solve your problem.

You get the error because the native Haskell TLS implementation doesn't support validating servers based on IP address. There is a PR pending for this: haskell-tls/hs-certificate#113, when it is merged, this should work.

The easiest thing you can do is to replace the package x509-validation with the commit in the above PR in your stack.yaml. You can see an example of this in #61.
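The behaviour described above, where an IP literal can never satisfy a check that only looks at DNS names and so ends in `NameMismatch "172.24.59.88"`, as an added example that is not part of the original thread and not code from x509-validation or the PR. The `SAN` type, both validator functions and the SAN list are constructed for illustration, and only IPv4 is modelled.

```haskell
-- Simplified model of TLS server-name checking (added example, IPv4 only).
-- Not the x509-validation code; every name below is hypothetical.
import Data.Char (isDigit, toLower)

data SAN = DnsName String | IpAddr [Int] deriving (Eq, Show)
data Result = Ok | NameMismatch String deriving (Eq, Show)

splitOn :: Char -> String -> [String]
splitOn c s = case break (== c) s of
  (a, [])       -> [a]
  (a, _ : rest) -> a : splitOn c rest

-- Parse a dotted-quad IPv4 literal; Nothing for anything else.
parseIPv4 :: String -> Maybe [Int]
parseIPv4 s = case splitOn '.' s of
  parts@[_, _, _, _] | all octet parts -> Just (map read parts)
  _                                    -> Nothing
  where octet p = not (null p) && length p <= 3 && all isDigit p && read p <= (255 :: Int)

-- Case-insensitive DNS match; "*" may stand for the leftmost label only.
matchDns :: String -> String -> Bool
matchDns pat host = case (labels pat, labels host) of
  ("*" : ps, h : hs) | length ps >= 2 -> not (null h) && ps == hs
  (ps, hs)                            -> ps == hs
  where labels = splitOn '.' . map toLower

-- The target is compared with DNS names only, so an IP literal never matches.
validateDnsOnly :: [SAN] -> String -> Result
validateDnsOnly sans host
  | any ok sans = Ok
  | otherwise   = NameMismatch host
  where ok (DnsName p) = matchDns p host
        ok _           = False

-- IP-aware check: an IP literal is compared with iPAddress entries only
-- (exact match), and is never interpreted as a DNS name.
validateWithIp :: [SAN] -> String -> Result
validateWithIp sans host = case parseIPv4 host of
  Just ip | IpAddr ip `elem` sans -> Ok
          | otherwise             -> NameMismatch host
  Nothing -> validateDnsOnly sans host

main :: IO ()
main = do
  -- Constructed SAN list for an API server certificate (sample data).
  let sans = [DnsName "kubernetes.default.svc", IpAddr [172, 24, 59, 88]]
  print (validateDnsOnly sans "172.24.59.88")
  print (validateWithIp  sans "172.24.59.88")
  print (validateWithIp  sans "172.24.59.89")
  print (validateWithIp  sans "kubernetes.default.svc")
```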

So, after adding your current PR to the extra-deps in the stack.yaml file as follows:

```
...
extra-deps:
  - git: https://github.com/akshaymankar/hs-certificate
    commit: 2a71b5
    subdirs:
      - x509-validation
  - ...
```

I get the following error as I stack build:

```
--  While building package connection-0.2.8 using:
      /home/asa/.stack/setup-exe-cache/x86_64-linux/Cabal-simple_mPHDZzAJ_2.4.0.1_ghc-8.6.5 --builddir=.stack-work/dist/x86_64-linux/Cabal-2.4.0.1 build --ghc-options " -ddump-hi -ddump-to-file"
    Process exited with code: ExitFailure 1
    Logs have been written to: /home/asa/Documents/github-repos/kubernetes-playground/haskell-amqp+kube-example/haskell-test/.stack-work/logs/connection-0.2.8.log

    Configuring connection-0.2.8...
    Preprocessing library for connection-0.2.8..
    Building library for connection-0.2.8..
    [1 of 2] Compiling Network.Connection.Types ( Network/Connection/Types.hs, .stack-work/dist/x86_64-linux/Cabal-2.4.0.1/build/Network/Connection/Types.o )

    /tmp/stack9755/connection-0.2.8/Network/Connection/Types.hs:19:1: warning: [-Wdeprecations]
        Module ‘Network.BSD’ is deprecated:
          This platform dependent module is no longer supported.
       |
    19 | import Network.BSD (HostName)
       | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    [2 of 2] Compiling Network.Connection ( Network/Connection.hs, .stack-work/dist/x86_64-linux/Cabal-2.4.0.1/build/Network/Connection.o )

    /tmp/stack9755/connection-0.2.8/Network/Connection.hs:63:1: error:
        Could not find module ‘Network.Socks5’
        There are files missing in the ‘socks-0.5.6’ package,
        try running 'ghc-pkg check'.
        Use -v to see a list of the files searched for.
       |
    63 | import Network.Socks5
       | ^^^^^^^^^^^^^^^^^^^^^
```

The full paste is found here.

I've checked the source of connection-0.2.8 and it uses the Network.Socks5 import. The apparently missing file should definitely be there as seen from the socks-0.5.6 documentation.

EDIT: Got it running by creating a fresh project.

My stack.yaml:

```
extra-deps:
  - http-client-0.5.14@sha256:4880b27d6741e331454a1d4c887d96ce3d7d625322c8433983a4b1cd08538577
  - http-media-0.7.1.3@sha256:481a40a26f71caaa1a9d9bf4c0fabdd4b51847c6bfa59b8e790fa07ef52dfea6
  - socks-0.5.6@sha256:bb051589a00d18301556dbff82d89955a5534baf91a5e050e5f3a65f3415609c
  - oidc-client-0.4.0.1@sha256:d35d29351ea7db2aa0ecd4b4792b8bac4bf13f10c050e3c0cab0072b74acd996
  - git: https://github.com/kubernetes-client/haskell
    commit: 95eb28b
    subdirs:
      - kubernetes-client
      - kubernetes
  - git: https://github.com/akshaymankar/hs-certificate
    commit: 2a71b5
    subdirs:
      - x509-validation
  - connection-0.2.8
```

My package.yaml:

```
...
dependencies:
- base >= 4.7 && < 5
- kubernetes-client >= 0.1.0.1 && < 2
- kubernetes-client-core >= 0.1.0.1 && < 2
- connection >= 0.2.8 && < 3
- containers
- x509-validation
- stm >= 2.5.0.0 && < 3
...
```

@cirquit I am closing this issue as #63 exists to track the TLS issue. Feel free to re-open if you think I missed something.

/close

@akshaymankar: Closing this issue.
