Add override to allow custom CA location
We've recently been looking into using this kube-downscaler but have run into issues, as we run a large on-prem cluster that uses its own certificate authority. This means that we need to provide the CA path as an environment variable to allow us to successfully communicate with the Kubernetes API.
I've attempted to create a PR to allow the ability to use the environment variable and also add a test to ensure it does as we expect it to.
I'm not actually familiar with Python so I hope the PR isn't too terrible!
Thank you in advance!
Hi @hjacobs the root CA that is in the Kubeconfig file is the root CA that was used for our kubernetes cluster. However, the API uses a different internal certificate authority so when it attempts to use the certificate-authority from the kubeconfig file it returns an exception. Our normal process is to mount the CA into the pod and then provide an environment variable with the path to the certificate-authority.
We've tried the above PR by bundling it into the kube-downscaler, building a new docker image and trying it on our kubernetes cluster which works!
@hjacobs We aren't using pykube-ng yet. We're wanting this PR to be accepted so that we can start using the kube-downscaler project that you started :) The only issue we're having is that the API request gets rejected. Below is the stack trace:
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://kubernetes.default.svc.cluster.local/api/v1/pods
@hjacobs I've not used any personally in our cluster. I can get the above to work okay locally, just not inside the cluster without mounting the root CA.
I've just had a look at some of our custom operators, which are written in Go. These have an issuer helper passed in which takes an os.file.
Unfortunately, I'm not at all involved in the management of the kubernetes cluster / infrastructure so I'm not sure why they are different.
@hjacobs I've just asked the question. It looks like the cert that's populated into the kube config is the intermediate cert but nodejs / python clients don't seem to like using the intermediate and only seem to work using the root CA.