
client ssl handshake is only working with Mozilla's standard root certificates from certifi package. No custom root certificates possible. #2367

Open
@ChristianGroessinger


What happened (please include outputs or screenshots):

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.a1.cp.cna.at', port=6443): Max retries exceeded with url: /apis/authentication.k8s.io/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))
python-BaseException

What you expected to happen:

Missing implementation: configuration.ssl_ca_cert is always set to None!!!!!
There is no way to pass a custom ssl_ca_cert path.

How to reproduce it (as minimally and precisely as possible):

Use an on-premise Kubernetes with your own local issuer certificate.

Anything else we need to know?:

The root cause of the problem is in rest.RESTClientObject.__init__:

    # ca_certs
    if configuration.ssl_ca_cert:
        # TODO: not implemented configuration.ssl_ca_cert is always set to None!!!!!
        ca_certs = configuration.ssl_ca_cert
    else:
        # quick fix could be: use environment variable which is used in python requests (urllib)
        import os
        ca_certs = os.environ.get("REQUESTS_CA_BUNDLE")
        if ca_certs is None:
            # if not set certificate file, use Mozilla's root certificates.
            ca_certs = certifi.where()

Environment:

  • Kubernetes version (kubectl version):
    oc version
    Client Version: 4.15.0-202411060036.p0.g8231637.assembly.stream.el8-8231637
    Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
    Kubernetes Version: v1.29.11+148a389

  • OS (e.g., MacOS 10.13.6): MacOS 15.3.1

  • Python version (python --version) >3.11

  • Python client version (pip list | grep kubernetes)
    kubernetes 32.0.0
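
The lookup order discussed in the report above (explicit setting, then REQUESTS_CA_BUNDLE, then a default bundle), written as an added stand-alone example that is not part of the original issue or of the kubernetes client. The names `resolve_ca_bundle`, `build_verifying_context` and `CABundleError` are hypothetical; the example uses only the standard library and rejects an unusable bundle rather than falling back silently.

```python
import os
import ssl
from pathlib import Path


class CABundleError(Exception):
    """Raised when a configured CA bundle cannot be used (hypothetical name)."""


def resolve_ca_bundle(explicit=None, environ=None, default=None):
    """Return (path, source) for the CA bundle, in order of precedence:

    1. the explicit setting (the role of configuration.ssl_ca_cert)
    2. the REQUESTS_CA_BUNDLE environment variable
    3. a default bundle path (the role of certifi.where()); None = system store

    A configured path that does not exist is an error, never a silent
    fallback to a different trust store.
    """
    environ = os.environ if environ is None else environ
    candidates = (
        ("configuration.ssl_ca_cert", explicit),
        ("REQUESTS_CA_BUNDLE", environ.get("REQUESTS_CA_BUNDLE")),
    )
    for source, value in candidates:
        if value:
            if not Path(value).is_file():
                raise CABundleError(f"{source} points to a missing file: {value}")
            return str(value), source
    return default, "default"


def build_verifying_context(ca_path):
    """Build a TLS client context that verifies the server against ca_path.

    Certificate and hostname verification stay enabled; a bundle that does
    not parse raises CABundleError instead of weakening the checks.
    """
    try:
        return ssl.create_default_context(cafile=ca_path)
    except (ssl.SSLError, OSError) as exc:
        raise CABundleError(f"cannot load CA bundle {ca_path}: {exc}") from exc
```
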

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • lifecycle/stale: Denotes an issue or PR has remained open with no activity and has become stale.
