Merge pull request #1158 from kmala/ssl-hack

fix(apiserver): Add an option to skip ssl verification when interacti…

Author: kmala

charts/controller/templates/controller-deployment.yaml

@@ -58,6 +58,8 @@ spec:
             # NOTE(bacongobbler): use deis/registry_proxy to work around Docker --insecure-registry requirements
             - name: "DEIS_REGISTRY_SERVICE_HOST"
               value: "localhost"
+            - name: "K8S_API_VERIFY_TLS"
+              value: "{{ .Values.k8s_api_verify_tls }}"
             - name: "DEIS_REGISTRY_SERVICE_PORT"
               value: "{{ .Values.global.host_port }}"
             - name: "APP_STORAGE"

charts/controller/values.yaml

@@ -9,6 +9,8 @@ app_pull_policy: "Always"
 # disabled - turns off open registration
 # admin_only - allows for registration by an admin only.
 registration_mode: "enabled"
+# Option to disable ssl verification to connect to k8s api server
+k8s_api_verify_tls: "true"
 
 global:
   # Set the storage backend

rootfs/api/models/__init__.py

@@ -47,7 +47,7 @@ class Meta:
     @property
     def _scheduler(self):
         mod = importlib.import_module(settings.SCHEDULER_MODULE)
-        return mod.SchedulerClient(settings.SCHEDULER_URL)
+        return mod.SchedulerClient(settings.SCHEDULER_URL, settings.K8S_API_VERIFY_TLS)
 
     def _fetch_service_config(self, app):
         try:

rootfs/api/settings/production.py

@@ -247,6 +247,8 @@
     os.environ.get('KUBERNETES_SERVICE_PORT', '443')
 )
 
+K8S_API_VERIFY_TLS = bool(strtobool(os.environ.get('K8S_API_VERIFY_TLS', 'true')))
+
 # security keys and auth tokens
 random_secret = 'CHANGEME_sapm$s%upvsw5l_zuy_&29rkywd^78ff(qi*#@&*^'
 SECRET_KEY = os.environ.get('DEIS_SECRET_KEY', random_secret)

rootfs/scheduler/__init__.py

@@ -17,7 +17,7 @@
 resource_mapping = OrderedDict()
 
 
-def get_session():
+def get_session(k8s_api_verify_tls):
     global session
     if session is None:
         with open('/var/run/secrets/kubernetes.io/serviceaccount/token') as token_file:
@@ -28,18 +28,21 @@ def get_session():
             'Content-Type': 'application/json',
             'User-Agent': user_agent('Deis Controller', deis_version)
         }
-        session.verify = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+        if k8s_api_verify_tls:
+            session.verify = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+        else:
+            session.verify = False
     return session
 
 
 class KubeHTTPClient(object):
     # ISO-8601 which is used by kubernetes
     DATETIME_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
 
-    def __init__(self, url):
+    def __init__(self, url, k8s_api_verify_tls=True):
         global resource_mapping
         self.url = url
-        self.session = get_session()
+        self.session = get_session(k8s_api_verify_tls)
 
         # map the various k8s Resources to an internal property
         from scheduler.resources import Resource  # lazy load

rootfs/scheduler/mock.py

@@ -907,7 +907,7 @@ def session():
 
 
 class MockSchedulerClient(KubeHTTPClient):
-    def __init__(self, url):
+    def __init__(self, url, k8s_api_verify_tls=True):
         super().__init__(url)
 
         # set version data