use cluster dns to reach apiserver for rustls - for #587 (#597)

* use cluster dns to reach apiserver when on rustls - for #587 * ci test run with rustls
kube-rs · Jul 26, 2021 · e2f816e · e2f816e
1 parent 36ff94c
commit e2f816e
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 6 deletions.
diff --git a/kube/src/config/incluster_config.rs b/kube/src/config/incluster_config.rs
@@ -2,8 +2,12 @@ use std::env;
 
 use crate::{config::utils, Result};
 
+// Old method to connect to kubernetes
 pub const SERVICE_HOSTENV: &str = "KUBERNETES_SERVICE_HOST";
 pub const SERVICE_PORTENV: &str = "KUBERNETES_SERVICE_PORT";
+// New method to connect to kubernetes
+pub const SERVICE_DNS: &str = "kubernetes.default.svc";
+// Mounted credential files
 const SERVICE_TOKENFILE: &str = "/var/run/secrets/kubernetes.io/serviceaccount/token";
 const SERVICE_CERTFILE: &str = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
 const SERVICE_DEFAULT_NS: &str = "/var/run/secrets/kubernetes.io/serviceaccount/namespace";
@@ -15,6 +19,15 @@ pub fn kube_server() -> Option<String> {
     Some(format!("https://{}:{}", host, port))
 }
 
+pub fn kube_dns() -> http::Uri {
+    http::Uri::builder()
+        .scheme("https")
+        .authority(SERVICE_DNS)
+        .path_and_query("/")
+        .build()
+        .unwrap()
+}
+
 fn kube_host() -> Option<String> {
     env::var(SERVICE_HOSTENV).ok()
 }
@@ -43,6 +56,7 @@ fn test_kube_host() {
     let expected = "fake.io";
     env::set_var(SERVICE_HOSTENV, expected);
     assert_eq!(kube_host().unwrap(), expected);
+    kube_dns(); // verify kube_dns always unwraps
 }
 
 #[test]

diff --git a/kube/src/config/mod.rs b/kube/src/config/mod.rs
@@ -91,11 +91,17 @@ impl Config {
     /// and relies on you having the service account's token mounted,
     /// as well as having given the service account rbac access to do what you need.
     pub fn from_cluster_env() -> Result<Self> {
-        let cluster_url = incluster_config::kube_server().ok_or(ConfigError::MissingInClusterVariables {
-            hostenv: incluster_config::SERVICE_HOSTENV,
-            portenv: incluster_config::SERVICE_PORTENV,
-        })?;
-        let cluster_url = cluster_url.parse::<http::Uri>()?;
+
+        let cluster_url = if cfg!(feature = "rustls-tls") {
+            // try rolling out new method for rustls which does not support ip based urls anyway
+            // see https://github.com/kube-rs/kube-rs/issues/587
+            incluster_config::kube_dns()
+        } else {
+            incluster_config::kube_server().ok_or(ConfigError::MissingInClusterVariables {
+                hostenv: incluster_config::SERVICE_HOSTENV,
+                portenv: incluster_config::SERVICE_PORTENV,
+            })?.parse::<http::Uri>()?
+        };
 
         let default_namespace = incluster_config::load_default_ns()
             .map_err(Box::new)

diff --git a/tests/Cargo.toml b/tests/Cargo.toml
@@ -16,7 +16,7 @@ path = "dapp.rs"
 anyhow = "1.0.37"
 env_logger = "0.8.2"
 futures = "0.3.8"
-kube = { path = "../kube", version = "^0.58.0"}
+kube = { path = "../kube", version = "^0.58.1", default-features = false, features = ["client", "rustls-tls"] }
 k8s-openapi = { version = "0.12.0", features = ["v1_20"], default-features = false }
 log = "0.4.11"
 serde_json = "1.0.61"