hjacobs / kube-janitor

Clean up (delete) Kubernetes resources after a configured TTL (time to live)
GNU General Public License v3.0

How to disable TLS verification (self signed certs) #40

Open svyatoslavmo opened 5 years ago

svyatoslavmo commented 5 years ago

Trying to run janitor on a cluster with self signed certs. I'm getting this error:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /api/v1/namespaces (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1056)')))

Is there a way to ignore invalid certs?

hjacobs commented 5 years ago

@SHarrySeldon it should work automatically when running in a cluster as Pykube loads the ca.crt of the service account. What kind of cluster setup do you have exactly? Can you show what env vars are set within the pod and whether ca.crt exists? Relevant code: https://github.com/hjacobs/pykube/blob/master/pykube/config.py#L21

See also https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens --- AFAIK the ca.crt should always exist for service accounts (?).

svyatoslavmo commented 5 years ago

I see the code and yes, it should work automatically, but it doesn't. ca.crt exists as a mounted secret within the pod. Not sure if that is a valid ca.crt, because it's a baremetal cluster and I couldn't check certs on the endpoint.

tkimball83 commented 4 years ago

I have the same issue on a cluster with self signed certificates. The ca.crt does exist within the pod, but it's in no way valid as it's just a development cluster with odd issuer/subject values.

Adding an option to ignore invalid certificates would be extremely useful!

hjacobs commented 4 years ago

I think this should be a feature request for pykube-ng: https://github.com/hjacobs/pykube

tkimball83 commented 4 years ago

See https://github.com/hjacobs/pykube/issues/76.

I also tried adding the following environment variables to the container, but had no luck.

env:
- name: REQUESTS_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: CURL_CA_BUNDLE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- name: SSL_CERT_FILE
  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Note that running a manual curl with --cacert pointing to the path above works without issue.
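A diagnostic for the situation in this thread, added here and not part of kube-janitor or pykube: it performs a TLS handshake to the API server trusting only the mounted ca.crt (the same file the env vars above point at) and reports which stage fails, so the remedy can be a correct ca.crt instead of disabling verification. It assumes the default service-account mount path and the KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT variables that every pod receives.

```python
"""Explain why an in-cluster HTTPS client rejects the API server certificate.

Added example, not kube-janitor or pykube code. Assumes the default
service-account mount path and the KUBERNETES_SERVICE_HOST/_PORT env vars.
"""
import os
import socket
import ssl

DEFAULT_CA = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"


def build_context(ca_path):
    """Strict client context: verify chain and hostname, trust only ca_path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_path)  # ssl.SSLError if not PEM certs
    return ctx


def check_api_server(host=None, port=None, ca_path=DEFAULT_CA, timeout=5.0):
    """Return {'status': ..., 'detail': ...} for the TLS verification outcome."""
    host = host or os.environ.get("KUBERNETES_SERVICE_HOST", "kubernetes.default.svc")
    port = int(port or os.environ.get("KUBERNETES_SERVICE_PORT", "443"))
    if not os.path.isfile(ca_path):
        return {"status": "ca_missing", "detail": f"{ca_path} is not mounted"}
    try:
        ctx = build_context(ca_path)
    except ssl.SSLError as exc:
        return {"status": "ca_unparseable", "detail": str(exc)}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                peer = tls.getpeercert()
        issuer = dict(rdn[0] for rdn in peer["issuer"])
        return {"status": "ok",
                "detail": f"issuer={issuer} SANs={peer.get('subjectAltName')}"}
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL verify codes: 2 = unable to get issuer certificate (this
        # thread's error: ca.crt does not contain the server cert's issuer),
        # 20 = unable to get local issuer certificate, 62 = hostname mismatch
        return {"status": "verify_failed",
                "detail": f"{exc.verify_message} (code {exc.verify_code})"}
    except OSError as exc:
        return {"status": "connect_failed", "detail": str(exc)}


if __name__ == "__main__":
    print(check_api_server())
```

Run it from a shell inside the failing pod; a `verify_failed` result with code 2 or 20 means the mounted ca.crt simply does not issue the serving certificate, while `ok` means the client library is not loading that file.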