Skip to content
This repository has been archived by the owner on Mar 13, 2022. It is now read-only.

Open ssl certificate verify failed #177

Closed
svivier-orange opened this issue Nov 22, 2019 · 7 comments
Closed

Open ssl certificate verify failed #177

svivier-orange opened this issue Nov 22, 2019 · 7 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.

Comments

@svivier-orange
Copy link

Cant use the InClusterConfigLoader with an self signed ca.cert
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate ferify failed: self signed certificate in certificate chain
I propose to add a parameter or an env variable to allow a verify=false .
@roycaihw
Copy link
Member

/help

@k8s-ci-robot
Copy link
Contributor

@roycaihw:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Nov 26, 2019
@ellieayla
Copy link

ellieayla commented Nov 26, 2019
edited
Loading

You should be able to pass an arbitrary PEM-formatted ca-certificate file (eg the public half of your self-signed cert) to InClusterConfigLoader() to trust today. Is that not feasible? https://github.com/alanjcastonguay/python-base/blob/master/config/incluster_config.py

@roycaihw roycaihw mentioned this issue Nov 26, 2019
Closed
@svivier-orange
Copy link
Author

I've found a (temporary) workaround, the Configuration object is global scoped and use default values, whom can be writted before the InClusterConfigLoader (as long as InClusterConfigLoader don't override it, wish is the case for verify_ssl).

@roycaihw
Copy link
Member

roycaihw commented Dec 2, 2019

InClusterConfigLoader overrides the default object. You could set verify_ssl to False in a local Configuration object after load_incluster_config and use it with you clients.

@svivier-orange
Copy link
Author

Thanks for your help

@attila123
Copy link

Taking this idea with verify_ssl from @roycaihw further I could make this work. So after loading the configuration (with either load_incluster_config() or load_kube_config() (I used the latter) I did this:

from kubernetes.client import Configuration

<...>

<config is loaded, e.g. kubernetes.config.load_kube_config()>

Configuration._default.verify_ssl = False

<now you can use your code unchanged, without creating any Configuration object or whatever>

This may not be so nice to modify a "private" member, but for me with 1-2 lines of code change it worked fine for quickly testing things without refactoring the whole production code with custom Configuration objects or whatnot.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ellieayla @attila123 @roycaihw @k8s-ci-robot @svivier-orange