rustls cannot reach a cluster through ip #153
Comments
clux
added
bug
- Add `Config::native_tls_connector` and `Config::rustls_client_config` - Remove the requirement of having `native-tls` or `rustls-tls` enabled when `client` is enabled. Allow one, both or none. - When both, the default Service will use `native-tls` because of kube-rs#153. `rustls` can be still used with a custom client. Users will have an option to configure TLS at runtime. - When none, HTTP connector is used. - Note that `oauth` feature still requires tls feature. - Remove tls features from kube-runtime
- Add `Config::native_tls_connector` and `Config::rustls_client_config` - Remove the requirement of having `native-tls` or `rustls-tls` enabled when `client` is enabled. Allow one, both or none. - When both, the default Service will use `native-tls` because of kube-rs#153. `rustls` can be still used with a custom client. Users will have an option to configure TLS at runtime. - When none, HTTP connector is used. - Note that `oauth` feature still requires tls feature. - Remove tls features from kube-runtime
- Add `Config::native_tls_connector` and `Config::rustls_client_config` - Remove the requirement of having `native-tls` or `rustls-tls` enabled when `client` is enabled. Allow one, both or none. - When both, the default Service will use `native-tls` because of kube-rs#153. `rustls` can be still used with a custom client. Users will have an option to configure TLS at runtime. - When none, HTTP connector is used. - Note that `oauth` feature still requires tls feature. - Remove tls features from kube-runtime
|
This is not really "fixed" but worked around in |
|
@clux there doesn't appear to be any workaround for accessing a cluster with a numeric hostname from the outside with rustls. Though I'm not sure kube-rs has any responsibility here, at least until the following issues are resolved?
That said, should this remain open for tracking? |
|
Outside the cluster you can workaround it by tweaking I think you're right and that even though it's by default worked around in-cluster, it still requires work outside. |
|
@clux thanks for the quick response. Unfortunately, I don’t think I can override in my case, because the certs won’t match the hostname. |
Signed-off-by: clux <[email protected]>
Unfortunately, kube doesn't work with rustls when talking to local clusters: kube-rs/kube#153 Thankfully, openssl is only a dependency if the test-utils feature is enabled, so our release builds will not depend on openssl. Unfortunately, that means that our release builds will be interacting with Kubernetes using a different TLS library than our tests use.
|
JFYI: the rustls folks have forked the Currently there's no official release of this forked crate, plus a bunch of projects will need to switch to |
|
This does indeed appear fixed in Expect this change included in |
This is due to missing support for it upstream: rustls/hyper-rustls#56
In-cluster
brokenfixedCannot seem to get this to work within-cluster yet because we always get a straight IP to connect to.
At least in EKS I seem to just get a straight IP to connect to the api server. So this is pretty ununsable for me atm.
Update: in-cluster fixed in #597
local minikube / k3d workaround
Add an ip entry (here
192.168.64.3 localhost) to/etc/hosts, then and search replace the ip withlocalhostin~/.kube/configThe text was updated successfully, but these errors were encountered: