CERTIFICATE_VERIFY_FAILED

[Bast66]

Hi
when connecting to a kubernetes cluster I use the client-certificate-data: from ~/.kube/config and get the following exception.

HandshakeException (HandshakeException: Handshake error in client (OS Error:
CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:393)))

where I am supposed to install the certificate-authority-data: from ~/.kube/config ?
Or is there an easier way to get this done?

Thanks. Bast

[rohanmars]

You can achieve this by parsing the kube config, something like:

      var kubeConfig = loadYaml(environment.apiConfig!);
      if (kubeConfig['kind'] == 'Config') {
        var currentContext = kubeConfig["current-context"];
        if (kubeConfig["contexts"] != null) {
          for (var context in kubeConfig["contexts"]) {
            if (context['name'] == currentContext) {
              var clusterName = context['context']['cluster'];
              // set namespace if not set
              var clusterNamespace = context['context']['namespace'];
              if (environment.namespace == null && clusterNamespace != null) {
                environment.namespace = clusterNamespace;
              }
              for (var cluster in kubeConfig['clusters']) {
                if (clusterName == cluster['name']) {
                  environment.apiUrl ??= cluster['cluster']['server'];
                  environment.apiClientCA ??=
                  cluster['cluster']['certificate-authority-data'];
                  break;
                }
              }

              var userName = context['context']['user'];
              for (var user in kubeConfig['users']) {
                if (userName == user['name']) {
                  environment.apiToken ??= user['user']['token'];
                  environment.apiClientCert ??=
                  user['user']['client-certificate-data'];
                  environment.apiClientKey ??= user['user']['client-key-data'];
                  break;
                }
              }
              break;
            }
          }
        }
      }

I'm using environment as a custom class to contain the kube cluster configuration.

Then in your client:

    if (environment.apiToken != null) {
      _kubernetesClient = KubernetesClient(
          serverUrl: environment.apiUrl!,
          accessToken: environment.apiToken!);
    } else if (environment.apiClientCert != null && environment.apiClientKey != null && environment.apiClientCA != null) {
      SecurityContext context = SecurityContext(withTrustedRoots: true);
      context.setTrustedCertificatesBytes(base64.decode(environment.apiClientCA!));
      context.useCertificateChainBytes(base64.decode(environment.apiClientCert!));
      context.usePrivateKeyBytes(base64.decode(environment.apiClientKey!));
      HttpClient httpClient = HttpClient(context: context);
      IOClient ioClient = IOClient(httpClient);

      _kubernetesClient = KubernetesClient(
          serverUrl: environment.apiUrl!,
          accessToken: '',
          httpClient: ioClient);
    }

I set the accessToken to '' in the client cert approach, the api should not probably make the accessToken required!

[rohanmars]

I noticed also there is a kubeconfig auth processor in the codebase (https://github.com/xclud/dart_kubernetes/blob/main/lib/src/config.dart) which could be used to parse the kubeconfig file and then setup the SecurityContext as above.

[Bast66]

Thanks! Could something like this work also?

kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service-account.name']=='default')].data.token}"