Description
What happened (please include outputs or screenshots):
When I call config.load_kube_config() it bombs out loading the config when i have an OIDC auth method that talks to a host using a publicly signed cert
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='my.hostname.com', port=443): Max retries exceeded with url: /auth/idp/k8sIdp/.well-known/openid-configuration (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4149)')))
What you expected to happen:
No error should occur, the config works with every other client that I use it with, including kubectl.
How to reproduce it (as minimally and precisely as possible):
- name: username
user:
auth-provider:
config:
client-id: kubernetes
client-secret: ''
id-token: <redacted>
idp-certificate-authority-data: ""
idp-issuer-url: https://my.hostname.com/auth/idp/k8sIdp
refresh-token: <redacted>
name: oidc
Anything else we need to know?:
The problem is in this method:
python/kubernetes/base/config/kube_config.py
Line 422 in 9775a12
The code finds that the idp-certificate-authority-data key exists, and tries to use it even though it is empty.... but furthermore, even if you were to remove that line, that would cause it to fall down to disable the ssl check!! This should not happen. It should fall back to using the system default public CA bundle.
If I set idp-certificate-authority: /etc/ssl/certs/ca-certificates.crt then it works, but that is brittle since not every system will have the same setup and it should just fall back to system defaults anyway.
Environment:
-
Kubernetes version (
kubectl version):
Client Version: v1.32.1
Kustomize Version: v5.5.0
Server Version: v1.31.3 -
OS (e.g., MacOS 10.13.6): Docker image python:3.11
-
Python version (
python --version): Python 3.11.11 -
Python client version (
pip list | grep kubernetes): 32.0.0