
krr cannot connect to clusters using certificates signed by a private CA, stored in system CA store #160

Open
jutley opened this issue Oct 19, 2023 · 6 comments

Comments

@jutley

jutley commented Oct 19, 2023

Describe the bug
A clear and concise description of what the bug is.

To Reproduce

  1. Set up a Kubernetes cluster with the API server certificate signed by a private CA
  2. Add the private CA to your system CA management tool (platform specific)
  3. Add the cluster into your kubeconfig, don't explicitly provide the CA

Expected behavior
krr should be able to connect to the cluster, just as kubectl is able to.

Logs

on 0: [INFO] Listing scannable objects in private-cluster
on 0: [ERROR] Error trying to list hpa in cluster private-cluster:
      HTTPSConnectionPool(host='controller.private-cluster.com', port=443): Max retries exceeded with url:
      /apis/autoscaling/v2/horizontalpodautoscalers?watch=False (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
      CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
on 0: [ERROR] Will assume that there are no HPA. Be careful as this may lead to inaccurate results if object actually has HPA.

Desktop (please complete the following information):

  • OS: MacOS 13.5.2
  • Version KRR 1.6.0

Additional context

Even providing an "insecure" option would be helpful. Right now I need to run a local proxy that krr can connect to, which is a pain.

@aantn
Contributor

aantn commented Nov 6, 2023

Hey, this sounds like a bug. Any interest in contributing a PR for this?

@Beauline

I had the same issue. Installing module pip_system_certs solved it.
All the ways to fix it (f.i. for MacOS) are mentioned here: https://stackoverflow.com/questions/50236117/scraping-ssl-certificate-verify-failed-error-for-http-en-wikipedia-org

@camaeel

camaeel commented Dec 7, 2023

I spent quite a lot of time, tried importing certificates into macos keychain and so on but it didn't work.
It would make sense to have an option to have a flag like --insecure to simply skip this certificate validation.

@aantn
Contributor

aantn commented Dec 7, 2023

Yes, we should be able to add something like that.

Slightly off-topic, but we're currently doing user interviews to prioritize issues for KRR next year. If any of you are open to participating, can you please message me (Natan Yellin) on the Robusta slack. We'll send every participant a "Chief YAML Officer T-shirt" in appreciation.

@littlechicks

Just add insecure-skip-tls-verify: true inside cluster item in your kubeconfig file.
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    certificate-authority-data: CA_DATA
    server: https://kube:6443
  name: kubernetes
....

@ecourreges-orange

I had the same issue. Installing module pip_system_certs solved it. All the ways to fix it (f.i. for MacOS) are mentioned here: https://stackoverflow.com/questions/50236117/scraping-ssl-certificate-verify-failed-error-for-http-en-wikipedia-org

For me this does not seem to work for kubernetes calls, because the kubernetes lib uses urllib3 directly and not requests which is patched by the module pip_system_certs.

But the insecure-skip-tls-verify: true in the kube config file definitely works.
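Added example (not krr's code and not from any commenter): instead of setting insecure-skip-tls-verify, pin the private CA as a file in the kubeconfig cluster entry, and build a PEM trust bundle that a urllib3-based client (which pip_system_certs does not patch) can load as its CA file. The cluster dicts, the PEM text and the file paths are constructed placeholders, and the "kubectl rejects CA plus insecure flag" check reflects kubectl's own kubeconfig validation, not krr's.

```python
import ssl
from pathlib import Path

CA_KEYS = ("certificate-authority", "certificate-authority-data")


def check_cluster_entry(cluster: dict) -> list:
    """Lint one kubeconfig 'cluster' mapping and return a list of findings."""
    findings = []
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("insecure-skip-tls-verify: any host can impersonate the API server")
        if any(k in cluster for k in CA_KEYS):
            # kubectl's kubeconfig validation refuses a CA combined with the insecure flag
            findings.append("CA combined with insecure-skip-tls-verify: kubectl rejects this entry")
    elif not any(k in cluster for k in CA_KEYS):
        # This is the reporter's situation: Python's OpenSSL default store is used,
        # not the OS certificate store, so a private CA added there is not trusted.
        findings.append("no CA pinned: verification depends on Python's default trust store")
    return findings


def harden_cluster_entry(cluster: dict, ca_pem_path: str) -> dict:
    """Return a copy of the entry that verifies the API server against ca_pem_path
    and never skips verification."""
    hardened = dict(cluster)
    hardened.pop("insecure-skip-tls-verify", None)
    hardened.pop("certificate-authority-data", None)  # would conflict with the file
    hardened["certificate-authority"] = str(Path(ca_pem_path).resolve())
    return hardened


def write_trust_bundle(private_ca_pem: str, out_path: str) -> str:
    """Write the private CA followed by the interpreter's default CA file (if any)
    into one PEM bundle. Point certificate-authority, or SSL_CERT_FILE, at it."""
    parts = [private_ca_pem.strip() + "\n"]
    default_cafile = ssl.get_default_verify_paths().cafile  # may be None
    if default_cafile and Path(default_cafile).is_file():
        parts.append(Path(default_cafile).read_text())
    Path(out_path).write_text("".join(parts))
    return out_path


if __name__ == "__main__":
    # Constructed entry mirroring the snippet posted above (insecure flag plus CA data).
    posted = {"insecure-skip-tls-verify": True,
              "certificate-authority-data": "CA_DATA", "server": "https://kube:6443"}
    for finding in check_cluster_entry(posted):
        print("finding:", finding)
    print(harden_cluster_entry(posted, "/tmp/private-ca.pem"))  # placeholder path
```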
