Kubernetes Authenticator Websocket Client doesn't support Server Name Indication (SNI) #2181

Open
2 tasks
micahlee opened this issue May 18, 2021 · 0 comments

micahlee commented May 18, 2021

The Kubernetes authenticator makes two separate connection types to the k8s API:

  • Request/response HTTP API connections using kubeclient (for pod metadata).
  • Websocket connection using an internal client (for auth certificate injection).

Server Name Indication (SNI) is a TLS extension that allows a web server to serve content securely for multiple domain names by including the intended hostname in the TLS handshake.

Currently, our kubeclient connection does support SNI, but the websocket connection does not. This means each of these connection phases can receive a different server certificate. This can lead to certificate verification errors unless the CA certificates for both SNI and non-SNI connections are configured in the kubernetes/ca-cert authentication webservice annotation.

Acceptance Criteria:

  • A regression test exists that verifies SNI behavior for the websocket client
  • The websocket client supports SNI when establishing the connection
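
The certificate mismatch described in this issue can be reproduced locally. The following is an added example, not code from this project or from the issue author: it starts a throwaway TLS server that selects its certificate by SNI, then connects once without and once with `SSLSocket#hostname=` set. The hostnames, certificates and function names are constructed for illustration.

```ruby
require 'openssl'
require 'socket'

# Constructed test data: a context holding a throwaway self-signed cert for +cn+.
def self_signed_ctx(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx
end

# Subject of the certificate the server presents; +sni+ nil means no SNI is sent.
def served_subject(port, sni: nil)
  tcp = TCPSocket.new('127.0.0.1', port)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # demo only: we inspect which cert is served
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = sni if sni # this call puts server_name in the ClientHello
  ssl.connect
  ssl.peer_cert.subject.to_s
ensure
  ssl&.close
  tcp&.close
end

# Local SNI-aware server: named certificate for SNI_HOST, default certificate otherwise.
SNI_HOST = 'k8s-api.example.test' # hypothetical hostname
def sni_demo
  default_ctx = self_signed_ctx('default.invalid')
  named_ctx = self_signed_ctx(SNI_HOST)
  default_ctx.servername_cb = proc { |_sock, name| name == SNI_HOST ? named_ctx : nil }
  listener = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(listener, default_ctx)
  acceptor = Thread.new { loop { server.accept.close rescue nil } }
  port = listener.addr[1]
  { without_sni: served_subject(port), with_sni: served_subject(port, sni: SNI_HOST) }
ensure
  acceptor&.kill
  listener&.close
end

p sni_demo if $PROGRAM_NAME == __FILE__
```

A regression test for the websocket client can use the same server setup and assert that the client receives the named certificate rather than the default one.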