Skip to content
This repository has been archived by the owner on Oct 3, 2020. It is now read-only.

How to disable tls verification(self signed certs) #40

Open
svyatoslavmo opened this issue Aug 13, 2019 · 5 comments
Open

How to disable tls verification(self signed certs) #40

svyatoslavmo opened this issue Aug 13, 2019 · 5 comments

Comments

@svyatoslavmo
Copy link

Trying to run janitor on cluster with self signed certs.
I'm getting this error urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /api/v1/namespaces (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1056)')))
Is there a way to ignore invalid certs?

@hjacobs
Copy link
Owner

hjacobs commented Aug 13, 2019

@SHarrySeldon it should work automatically when running in a cluster as Pykube loads the ca.crt of the service account. What kind of cluster setup do you have exactly? Can you show what env vars are set within the pod and whether ca.crt exists? Relevant code: https://github.com/hjacobs/pykube/blob/master/pykube/config.py#L21

See also https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens --- AFAIK the ca.crt should always exist for service accounts (?).

@svyatoslavmo
Copy link
Author

I see the code and yes, it should work automatically, but it doesn't.
ca.crt exist as mounted secret within pod. Not sure if that is valid ca.crt, because it's baremetal cluster and I couldn't check certs on endpoint.

@tkimball83
Copy link

I have the same issue on a cluster with self signed certificates. The ca.crt does exist within the pod, but its in no way valid as its just a development cluster with odd issuer/subject values.

Adding an option to ignore invalid certificates would be extremely useful!

@hjacobs
Copy link
Owner

hjacobs commented Sep 1, 2020

I think this should be a feature request for pykube-ng: https://github.com/hjacobs/pykube

@tkimball83
Copy link

tkimball83 commented Sep 2, 2020

See hjacobs/pykube#76.

I also tried adding the following environment variables to the container, but had no luck.

env:
- name: REQUESTS_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: CURL_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: SSL_CERT_FILE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Note that running a manual curl with --cacert pointing to the path above works without issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants