How to bypass certificate check when connect to Kubernetes

[hunglv8863]

Hi all, Im having a Kubernetes cluster which connects to external Vault v1.15.5 (vault is running directly in Ubuntu host). My Kubernetes is running in rancher, and the certificate is currently for the Internal IP. When trying to login using serviceaccount token, Vault shows this error in log:

auth.kubernetes.auth_kubernetes_e9501638: login unauthorized: err="Post \"https://10.0.41.150:6443/apis/authentication.k8s.io/v1/tokenreviews\": tls: failed to verify certificate: x509: certificate is valid for 10.0.30.221, 127.0.0.1, 10.43.0.1, not 10.0.41.150"

It seems that Vault got error when connecting to Kubernetes, and the Kubernetes's certificate is not valid.

Is there any parameter that can disable kubernetes's cert check ? I dont find any in documentation. Even I added all certs in chain to kubernetes_ca_cert parameter, it still show the same error.

Thank you.

[benashz]

@hunglv8863 Ideally the configured CA chain should suffice in this case. I don't think we would ever add a feature to skip the TLS verification, since that would make the authentication request susceptible to a man-in-the-middle type of attack.

It does look like the issue is due to the K8s cluster TLS certificate not including the specific the IP/host in its Subject Alternative Name (SAN). Any way could configure your https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#kubernetes_host to use one of those IPs to access your K8s cluster?