Merge pull request #801 from tongcheng-elong/client-verify-ssl

enable k8s client verify_ssl param
jupyterhub · Nov 8, 2023 · a227db3 · a227db3
2 parents de31a7e + 5c0e87e
commit a227db3
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 3 deletions.
diff --git a/kubespawner/clients.py b/kubespawner/clients.py
@@ -67,7 +67,7 @@ async def close_client_task():
 
 
 @lru_cache()
-def load_config(host=None, ssl_ca_cert=None):
+def load_config(host=None, ssl_ca_cert=None, verify_ssl=None):
     """
     Loads global configuration for the Python client we use to communicate with
     a Kubernetes API server, and optionally tweaks that configuration based on
@@ -98,3 +98,7 @@ def load_config(host=None, ssl_ca_cert=None):
         global_conf = Configuration.get_default_copy()
         global_conf.host = host
         Configuration.set_default(global_conf)
+    if verify_ssl is not None:
+        global_conf = Configuration.get_default_copy()
+        global_conf.verify_ssl = verify_ssl
+        Configuration.set_default(global_conf)
diff --git a/kubespawner/proxy.py b/kubespawner/proxy.py
@@ -297,9 +297,25 @@ def _namespace_default(self):
         """,
     )
 
+    k8s_api_verify_ssl = Bool(
+        None,
+        allow_none=True,
+        config=True,
+        help="""
+        Verify TLS certificates when connecting to the k8s master.
+        
+        Set this to false to skip verifying SSL certificate when calling API
+        from https server.
+        """,
+    )
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        load_config(host=self.k8s_api_host, ssl_ca_cert=self.k8s_api_ssl_ca_cert)
+        load_config(
+            host=self.k8s_api_host,
+            ssl_ca_cert=self.k8s_api_ssl_ca_cert,
+            verify_ssl=self.k8s_api_verify_ssl,
+        )
         self.core_api = shared_client('CoreV1Api')
         self.networking_api = shared_client('NetworkingV1Api')
 

diff --git a/kubespawner/spawner.py b/kubespawner/spawner.py
@@ -201,9 +201,25 @@ def __init__(self, *args, **kwargs):
         # The attribute needs to exist, even though it is unset to start with
         self._start_future = None
 
-        load_config(host=self.k8s_api_host, ssl_ca_cert=self.k8s_api_ssl_ca_cert)
+        load_config(
+            host=self.k8s_api_host,
+            ssl_ca_cert=self.k8s_api_ssl_ca_cert,
+            verify_ssl=self.k8s_api_verify_ssl,
+        )
         self.api = shared_client("CoreV1Api")
 
+    k8s_api_verify_ssl = Bool(
+        None,
+        allow_none=True,
+        config=True,
+        help="""
+        Verify TLS certificates when connecting to the k8s master.
+        
+        Set this to false to skip verifying SSL certificate when calling API
+        from https server.
+        """,
+    )
+
     k8s_api_ssl_ca_cert = Unicode(
         "",
         config=True,