-
-
Notifications
You must be signed in to change notification settings - Fork 324
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mac: My cluster isn't trusted #89
Comments
Some proper digging around led me to a solution that "works". If I comment out my convenient call to load_kube_config(), then I can build up a Configuration as follows:
and then proceed from there. It's nasty but I can work with it for now. |
Oh, interesting. There's presumably a flag in your I think that flag, if it exists, should map to the one exposed by reqwest, but it does not seem to be the case atm 🤔 |
No (although thank you for the tip about insecure-skip-tls-verify: true). I think (and I'm not an expert in this) that it works by distributing certificate authority data. My kubernetes config looks something like:
My understanding is that kubectl makes use of the certificate-authority-data (similar to |
Okay. It sounds like this is incorrectly wired up at the very least. Sorry, I'm not really able to help at the moment. If you are able to help diagnose / find a fix for it, I'm happy to take PRs for it. I'm not really in possession of a cluster atm to test this out properly. |
No problem. I thought I'd bring it to the attention of a wider audience in case a known solution was out there. It looks like it may be a problem in reqwest, since even adding the root certificate manually to build the connection didn't work. |
I investigated about this issue, because 2 persons report this issue to my kubectl plugin: I setup a minimal cluster GKE, and a small reqwest app (I'll shutdown the cluster in few day, if you want to try) : GKE access failed via reqwest What I found :
I guess the cause is :
I see few (bad) work around (but no quick solution):
I can work on a PR if we agree about a solution/ work around (working on TLS is out of my skill). EDIT: I modify my comment (above), because I'm not sur if rusttls use security-framework or if it's a side effect of reqwest, hyper-tls or ??? |
compementary info extracted from: "Certificate not standards compliant" on macOS Catalina, iOS 13 · Issue #174 · FiloSottile/mkcert
|
An other alternatives: use curl (via its crate) instead of reqwest:
with a code like // curl -i -v https://35.232.6.83 --cacert ./cert3.x509.crt
async fn main_with_curl() -> Result<(), Box<dyn std::error::Error>> {
use curl::easy::Easy;
use std::io::{stdout, Write};
// Write the contents of rust-lang.org to stdout
let mut easy = Easy::new();
let cacert = std::path::Path::new("ca.x509.crt");
std::fs::write(cacert, CACERT_PEM)?;
easy.cainfo(cacert)?;
easy.url(SERVERAPI_URL)?;
easy.write_function(|data| {
stdout().write_all(data).unwrap();
Ok(data.len())
})?;
easy.perform()?;
Ok(())
} |
Yeah, we've run into quite a few catalina issues in general, didn't realize this bug was related to that. Appreciate all the digging you've done here @davidB - lots of really helpful info. Have merged your temporary hack, and will try to make a release with it. |
Ugh, kind of needed a new reqwest version, might leave it in master for seanmonstar/reqwest#740 for now - they are meant to "release this week". |
FWIW GKE team is aware of the issue, and it's likely to be addressed. However, it's fair to assume that there will be a bunch of GKE clusters around with these certificates deemed as invalid for at least year. |
Appreciate that. There are also long cert expires on my EKS clusters so don't think this is a GKE only problem, it sounds primarily like a mac-forcing-everyone-to-change problem. Have released the hacky fix in kube 0.23.0. I'm not sure if this helps the original issue with self-signed certificates though.. |
Am considering reverting this hack in the next version of kube for a few reasons:
Will probably just not port the fix to rustls and eventually drop it in native-tls as well. MitigationsSuppose you've got teleport auth, or something else that give you k8s certs with too long of a lifetime, you can just tell your system configuration to trust these certs regardless. Here for macos (where the issue was seen): PORT=3026
DIR=teleport-certs
mkdir -p $DIR
# add your hosts here
HOSTS=(
teleport-x.somehost
)
for HOST in ${HOSTS[@]}; do
echo -n | openssl s_client -connect $HOST:$PORT \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $DIR/$HOST.crt
echo "Adding $HOST certificate to keychain"
security add-trusted-cert -p ssl -r trustAsRoot -k ~/Library/Keychains/login.keychain-db $DIR/$HOST.crt
done adopt as necessary. |
iirc, I tried the mitigation "trust the root certificate into the keychain store" and it didn't work (like the screenshot about safari at #89 (comment)) |
It's been close to two years since we put in the hacky fix. The original hack was to allow long certs (of lifetime > 825 days) on mac because of kubernetes clusters in the wild likely still using those certs. GKE comment suggested that we wait at least a year. Possibly it's worth waiting longer, but it's also possible for users to set Thinking that we potentially draw a line in the sand here and suggest that we remove this hack at the end of 2022, unless there are compelling reasons why we might still keep it (i'll post a reminder in 3months before if there are no reasons against). |
Hey, we seem to have encountered this issue on our end. Would you accept a PR adding support for respecting |
Hey @aviramha , we'd definitely be interested to see what you are trying. We parse into this part of the kubeconfig, if you are trying to fix for mac cert handling on rustls, go for it. I'd be somewhat surprised if this is the same issue though, because this was connected to the lifetime of the certs being deemed invalid by macos, and we only have a hack for it for openssl due to long lived certs. If you're in a new system it might be another issue. Feel free to raise a more detailed issue if it's not. |
Oh! You are correct. I thought that property is just being ignored (as that's the behavior we see when using kube rs + rust tls + Ubuntu). |
Think it's been in long enough at this point, adding this to milestone for removal in 0.77. |
kube/kube-client/src/config/mod.rs Lines 399 to 408 in 2821378
macOS with We should probably just remove |
kube-rs: 0.17.1
I'm trying to interact with a GCP hosted cluster. The cluster certificate is self-signed. When I start my application I see errors like this:
If I update my client OS and tell it to trust the certificate then the problem disappears, so I guess the problem is related to the library not realising that it needs to process the cluster certificate somehow. I had a trawl around in the source, but couldn't see anything obviously wrong. There seemed to be some calls to add_root_certificate, but I wasn't sure if they were being called or if I needed to configure my client somehow or...?
Wish I could file something more useful, but maybe that's enough detail for someone to point me towards a solution.
(BTW: I can't employ my certificate work-around in real life, that was just to help understand the problem.)
The text was updated successfully, but these errors were encountered: