-
-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rustls cannot reach a cluster through ip #153
Comments
- Add `Config::native_tls_connector` and `Config::rustls_client_config` - Remove the requirement of having `native-tls` or `rustls-tls` enabled when `client` is enabled. Allow one, both or none. - When both, the default Service will use `native-tls` because of kube-rs#153. `rustls` can be still used with a custom client. Users will have an option to configure TLS at runtime. - When none, HTTP connector is used. - Note that `oauth` feature still requires tls feature. - Remove tls features from kube-runtime
- Add `Config::native_tls_connector` and `Config::rustls_client_config` - Remove the requirement of having `native-tls` or `rustls-tls` enabled when `client` is enabled. Allow one, both or none. - When both, the default Service will use `native-tls` because of kube-rs#153. `rustls` can be still used with a custom client. Users will have an option to configure TLS at runtime. - When none, HTTP connector is used. - Note that `oauth` feature still requires tls feature. - Remove tls features from kube-runtime
- Add `Config::native_tls_connector` and `Config::rustls_client_config` - Remove the requirement of having `native-tls` or `rustls-tls` enabled when `client` is enabled. Allow one, both or none. - When both, the default Service will use `native-tls` because of kube-rs#153. `rustls` can be still used with a custom client. Users will have an option to configure TLS at runtime. - When none, HTTP connector is used. - Note that `oauth` feature still requires tls feature. - Remove tls features from kube-runtime
This is not really "fixed" but worked around in |
@clux there doesn't appear to be any workaround for accessing a cluster with a numeric hostname from the outside with rustls. Though I'm not sure kube-rs has any responsibility here, at least until the following issues are resolved?
That said, should this remain open for tracking? |
Outside the cluster you can workaround it by tweaking I think you're right and that even though it's by default worked around in-cluster, it still requires work outside. |
@clux thanks for the quick response. Unfortunately, I don’t think I can override in my case, because the certs won’t match the hostname. |
Signed-off-by: clux <[email protected]>
Unfortunately, kube doesn't work with rustls when talking to local clusters: kube-rs/kube#153 Thankfully, openssl is only a dependency if the test-utils feature is enabled, so our release builds will not depend on openssl. Unfortunately, that means that our release builds will be interacting with Kubernetes using a different TLS library than our tests use.
JFYI: the rustls folks have forked the Currently there's no official release of this forked crate, plus a bunch of projects will need to switch to |
This does indeed appear fixed in Expect this change included in |
This is due to missing support for it upstream: rustls/hyper-rustls#56
In-cluster
brokenfixedCannot seem to get this to work within-cluster yet because we always get a straight IP to connect to.
At least in EKS I seem to just get a straight IP to connect to the api server. So this is pretty ununsable for me atm.
Update: in-cluster fixed in #597
local minikube / k3d workaround
Add an ip entry (here
192.168.64.3 localhost
) to/etc/hosts
, then and search replace the ip withlocalhost
in~/.kube/config
The text was updated successfully, but these errors were encountered: