Pinniped ignore kubeconfig with insecure-skip-tls-verify

[HamzaZo]

Hello,

I'm using the latest version of pinniped v0.28.0 with kubernetes 1.29 and the apiserver of our clusters use self signed certificate (I know it's not good but it's been designed like this, making it difficult to change existing clusters )
Setting insecure-skip-tls-verify: true in the below kubeconfig seems to be ignored by getting the following error:

Error: could not complete Concierge credential exchange: could not login: Post"https://apiserver.org:443/apis/login.concierge.pinniped.dev/v1alpha1/tokencredentialrequests" tls : failed to verify certificate: x509 certificate signed by unknown authority 

apiVersion: v1
clusters:
- cluster: 
      #certificate-authority-data: LS0...
     server: https://apiserver.org:443
     insecure-skip-tls-verify: true 
   name: cluster-1
contexts: 
- context: 
     cluster: cluster-1
     user: k8s
   name: context1
kind:  config
users: 
- name: k8s
  user: 
    exec: 
      apiVersion: client.authentication.k8s.io/v1beta1
     args: 
     - login
     - oidc
     - --enable-concierge
     - ...
     - --concierge-endpoint=https://apiserver.org:443
     - --concierge-ca-bundle-data=LS0...

Any idea please how to skip the tls verify ?

[cfryanr]

Hi @HamzaZo, for security reasons Pinniped does not offer an option to skip TLS verification. However, you should be able to specify the server's CA bundle as the CA bundle in --concierge-ca-bundle-data, even if the server's certificate and/or CA is self-signed.

[HamzaZo]

Hi @cfryanr it's what I did, but pinniped returns failed to verify certificate: x509 certificate signed by unknown authority

[cfryanr]

Hi @HamzaZo,

Are you using the Concierge's impersonation proxy? You can check by looking at the status of the CredentialIssuer on that cluster. If so, the pinniped get kubeconfig command should have automatically filled in the CA bundle into the kubeconfig that it outputs.

If you are not using the impersonation proxy on that cluster, then the pinniped get kubeconfig command will copy the CA bundle from your admin kubeconfig (your current kubeconfig at the time that you run pinniped get kubeconfig). Does that admin kubeconfig have a CA bundle, or is it skipping TLS verification? (By the way, there isn't any reason for a kubeconfig to skip TLS verification, because it can use the server's self-signed CA to verify TLS, but if you are not the creator of that cluster then I understand that might be beyond your control.)

If the admin kubeconfig is skipping TLS verification and therefore does not contain any CA bundle, then you should be able to get the CA bundle from the server using openssl s_client -showcerts -connect <hostname>:<port>. However, note that this is less secure, because the request that fetches the certs is not verifying TLS, so you can't be sure that you're talking to the legitimate server. If this is a concern, ask the owner of the cluster to provide you with the CA bundle so you can be sure that it is the legitimate CA bundle for that cluster.