PR #194 "Detect Self Signed Certificate Authority for Kubernetes Strategy" added support for using /run/secrets/kubernetes.io/serviceaccount/ca.crt as the cacert when making httpc connections. However, OTP 26 returns a selfsigned_peer error if that ca.crt is the actual certificate being served by Kubernetes. It is necessary to provide a custom verify_fun handler in the ssl options in order to actually allow the ca.crt to be served, vs. being the issuer of the actual served certificate.
In other words, the title of the PR is misleading and does not solve what is stated. #194 does add support for certificate validation using the Kubernetes certificate authority, which is good. But it'd be useful for some scenarios to actually support an actual self-signed peer certificate as well.
See also erlang/otp#8057
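
One way to write the custom verify_fun described in this issue, as an added example that is not code from PR #194 or from the project: it accepts a selfsigned_peer certificate only when it is exactly one of the certificates in ca.crt, and leaves every other validation failure fatal. The module name `k8s_pinned_tls` and its function names are hypothetical.

```erlang
-module(k8s_pinned_tls).
-export([ssl_opts/1, verify_pinned/3]).

%% Build the ssl options for httpc from a PEM file such as
%% /run/secrets/kubernetes.io/serviceaccount/ca.crt.
%% The same certificates serve two roles: trust anchors (cacerts) for the
%% normal case where ca.crt is the issuer, and a pin list for the case
%% where the server presents ca.crt itself.
ssl_opts(CaFile) ->
    {ok, Pem} = file:read_file(CaFile),
    Ders = [Der || {'Certificate', Der, not_encrypted}
                       <- public_key:pem_decode(Pem)],
    %% Keep the pins in decoded 'otp' form so they can be compared with
    %% the decoded certificate passed to the callback.
    Pinned = [public_key:pkix_decode_cert(Der, otp) || Der <- Ders],
    [{verify, verify_peer},
     {cacerts, Ders},
     {verify_fun, {fun ?MODULE:verify_pinned/3, Pinned}}].

%% A self-signed peer is accepted only if it equals a pinned certificate.
%% Any other self-signed certificate still fails the handshake.
verify_pinned(Cert, {bad_cert, selfsigned_peer} = Reason, Pinned) ->
    case lists:member(Cert, Pinned) of
        true  -> {valid, Pinned};
        false -> {fail, Reason}
    end;
%% Every other path validation error (expired, unknown_ca, ...) stays fatal.
verify_pinned(_Cert, {bad_cert, _} = Reason, _Pinned) ->
    {fail, Reason};
%% Extensions this callback does not understand are left to ssl.
verify_pinned(_Cert, {extension, _}, Pinned) ->
    {unknown, Pinned};
verify_pinned(_Cert, valid, Pinned) ->
    {valid, Pinned};
verify_pinned(_Cert, valid_peer, Pinned) ->
    {valid, Pinned}.

%% Usage with httpc (Url and Headers supplied by the caller):
%%   Ssl = k8s_pinned_tls:ssl_opts(
%%           "/run/secrets/kubernetes.io/serviceaccount/ca.crt"),
%%   httpc:request(get, {Url, Headers}, [{ssl, Ssl}], []).
```

Returning `{valid, UserState}` for every `{bad_cert, selfsigned_peer}` event without the membership check would accept any self-signed certificate, so the pin comparison is the part that keeps peer authentication in place.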