hostname issues #230

Closed
edbonddevo opened this issue Feb 23, 2023 · 7 comments

@edbonddevo

-  "k8s": {:hex, :k8s, "1.2.0", "d94a7fb1040a2a8e6cc7f4182808c6ec9382c1a30ac6177adcc75343ad26b04b", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: false]}, {:httpoison, "~> 1.
7", [hex: :httpoison, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}, {
:websockex, "~> 0.4.0", [hex: :websockex, repo: "hexpm", optional: false]}, {:yaml_elixir, "~> 2.8", [hex: :yaml_elixir, repo: "hexpm", optional: false]}], "hexpm", "f12e830d82c3089b5694026ce4f736c03
84593115985e2f7bd3f21153c3b0672"},
+  "k8s": {:hex, :k8s, "2.0.3", "4bbc2140d05f5b3db5aba342b8f10ba1822b35f88acbf0b109799a1a791b4df3", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", 
[hex: :jason, repo: "hexpm", optional: false]}, {:mint_web_socket, "~> 1.0", [hex: :mint_web_socket, repo: "hexpm", optional: false]}, {:poolboy, "~> 1.5", [hex: :poolboy, repo: "hexpm", optional: fa
lse]}, {:telemetry, "~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}, {:yaml_elixir, "~> 2.8", [hex: :yaml_elixir, repo: "hexpm", optional: false]}], "hexpm", "fd722ab58d5055afb7531c11ab3
5b331a76f0cdda763bff61a1bcced0be3680b"},
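
Review bot: treat the k8s line as a transport change rather than a routine bump, because the new entry drops httpoison and websockex and adds mint_web_socket and poolboy alongside the 1.2.0 to 2.0.3 major-version jump. Read the k8s migration notes and re-test every kubeconfig context and service-account connection with TLS verification left on before merging, and list in the change description any context that ends up needing a TLS exception.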

with the upgrade

I have to add

insecure-skip-tls-verify: true

to the kubeconfig context.

Minikube for example exposes the cert, but doesn't have the hostname for verification.

This is the error:

** (MatchError) no match of right hand side value: {:error, %K8s.Client.HTTPError{message: "TLS client: In state wait_cert at ssl_handshake.erl:2100 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}", adapter_specific_error: %Mint.TransportError{reason: {:tls_alert, {:handshake_failure, 'TLS client: In state wait_cert at ssl_handshake.erl:2100 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}'}}}}}
                (bonny 1.1.0) lib/bonny/server/watcher.ex:27: Bonny.Server.Watcher.get_raw_stream/2
                (bonny 1.1.0) lib/bonny/controller_v2.ex:134: Bonny.ControllerV2.init/1
                (stdlib 4.1.1) supervisor.erl:330: :supervisor.init/1
                (stdlib 4.1.1) gen_server.erl:851: :gen_server.init_it/2
                (stdlib 4.1.1) gen_server.erl:814: :gen_server.init_it/6
                (stdlib 4.1.1) proc_lib.erl:240: :proc_lib.init_p_do_apply/3

Would an option being passed to K8s.Conn.from_file be helpful?

      K8s.Conn.from_file("~/.kube/config",
        context: "minikube",
        insecure_skip_tls_verify: true
      )

@edbonddevo
Author

This works as well as a workaround

  def get!(:dev) do
    {:ok, conn} =
      K8s.Conn.from_file("~/.kube/config",
        context: "minikube"
      )

    conn
    |> Map.merge(%{insecure_skip_tls_verify: true})
  end

@mruoss
Collaborator

mruoss commented Feb 24, 2023

Yes this is known. See #203 and the migration doc: https://hexdocs.pm/k8s/migrations.html#local-clusters-and-tls-hostname-verification

An option might be helpful, yes.

@edbonddevo
Author

Thanks @mruoss, I came from the latest in bonny and it just stopped working from the latest upgrade.

@awoimbee

awoimbee commented Aug 22, 2023

Hi, I'm upgrading from v1.1 to v2.4 and I get the exact same issue, except I'm running EKS (1.27), so I expect TLS certs to be good. I'm creating connections via K8s.Conn.from_service_account().
IDK what to do to get you more logs of what's happening.

@mruoss
Collaborator

mruoss commented Aug 22, 2023

Yeah, it is still not very clear to me why HTTPoison let this skip and Mint doesn't. You probably know this but you can fix it by using K8s.Conn.from_service_account(insecure_skip_tls_verify: true).

@mruoss
Collaborator

mruoss commented Dec 18, 2023

#7968

@mruoss
Collaborator

mruoss commented Apr 29, 2024

Note that you can remove your insecure-skip-tls-verify: true with version 2.6.1 of k8s.
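
To find out why a given cluster trips `hostname_check_failed` before turning verification off, compare the host in the kubeconfig `server:` URL with the names in the API server's certificate. The script below is an added example, not part of the original thread or of the k8s library; its function names and the sample certificate with its SANs are constructed for illustration, and it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the host in a kubeconfig
# `server:` URL is covered by the API server certificate's subjectAltName.
# Function names, the sample certificate and its SANs are constructed here.

# Print the host part of a URL: https://10.0.0.5:8443 -> 10.0.0.5, https://[::1]:6443/x -> ::1
server_host() {
  sh_rest="${1#*://}"; sh_rest="${sh_rest%%/*}"
  case "$sh_rest" in
    \[*) sh_rest="${sh_rest#\[}"; printf '%s\n' "${sh_rest%%\]*}" ;;
    *)   printf '%s\n' "${sh_rest%:*}" ;;
  esac
}

# Return 0 if the PEM certificate $1 is valid for host $2. IP literals are
# matched against iPAddress SANs only, names against dNSName SANs.
cert_covers() {
  case "$2" in
    *:*)        cc_flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*)  cc_flag=-checkhost ;;  # contains a non-digit: a DNS name
    *)          cc_flag=-checkip ;;    # digits and dots: IPv4 literal
  esac
  openssl x509 -in "$1" -noout "$cc_flag" "$2" | grep -q 'does match certificate'
}

# Constructed sample: throwaway self-signed certificate with made-up SANs.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sample-apiserver' \
    -addext 'subjectAltName=DNS:kubernetes.default.svc,DNS:localhost,IP:10.96.0.1' \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# report <cert.pem> <server-url>: say whether a verifying TLS client accepts the name.
report() {
  r_host="$(server_host "$2")"
  if cert_covers "$1" "$r_host"; then
    echo "OK    $r_host is listed in the certificate"
  else
    echo "FAIL  $r_host is not listed; a verifying client rejects the handshake"
  fi
}

demo_dir="$(mktemp -d)"
make_sample_cert "$demo_dir/cert.pem"
openssl x509 -in "$demo_dir/cert.pem" -noout -ext subjectAltName   # list the SANs
report "$demo_dir/cert.pem" https://kubernetes.default.svc:443     # OK
report "$demo_dir/cert.pem" https://192.0.2.10:8443                # FAIL
rm -rf "$demo_dir"
```

For a real cluster, pass `report` the server certificate saved as PEM and the `server:` value of the kubeconfig context in place of the sample values.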
