Merge pull request #713 from helgi/fingerprint_k8s

helgi · helgi · commit d27cbff46818 · 2016-05-09T11:30:47.000-07:00
fix(scheduler): use CA cert to verify API SSL certficiate
diff --git a/rootfs/deis/settings.py b/rootfs/deis/settings.py
@@ -254,6 +254,8 @@
 # default scheduler settings
 SCHEDULER_MODULE = 'scheduler'
 SCHEDULER_URL = "https://{}:{}".format(
+    # accessing the k8s api server by IP address rather than hostname avoids
+    # intermittent DNS errors
     os.environ.get('KUBERNETES_SERVICE_HOST', 'kubernetes.default.svc.cluster.local'),
     os.environ.get('KUBERNETES_SERVICE_PORT', '443')
 )
diff --git a/rootfs/scheduler/__init__.py b/rootfs/scheduler/__init__.py
@@ -337,11 +337,7 @@ def __init__(self):
             'Content-Type': 'application/json',
             'User-Agent': user_agent('Deis Controller', deis_version)
         }
-        # TODO: accessing the k8s api server by IP address rather than hostname avoids
-        # TODO look at https://toolbelt.readthedocs.org/en/latest/adapters.html#fingerprintadapter
-        # intermittent DNS errors, but at the price of disabling cert verification.
-        # session.verify = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
-        session.verify = False
+        session.verify = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
         self.session = session
 
     def deploy(self, namespace, name, image, command, **kwargs):  # noqa

Original file line number	Diff line number	Diff line change
`@@ -254,6 +254,8 @@`
`254`	`254`	`# default scheduler settings`
`255`	`255`	`SCHEDULER_MODULE = 'scheduler'`
`256`	`256`	`SCHEDULER_URL = "https://{}:{}".format(`
	`257`	`+ # accessing the k8s api server by IP address rather than hostname avoids`
	`258`	`+ # intermittent DNS errors`
`257`	`259`	`os.environ.get('KUBERNETES_SERVICE_HOST', 'kubernetes.default.svc.cluster.local'),`
`258`	`260`	`os.environ.get('KUBERNETES_SERVICE_PORT', '443')`
`259`	`261`	`)`