use custom hostname_check to match ips as dns_id

mruoss · Dec 19, 2023 · 27652dc · 27652dc
1 parent ea2afb0
commit 27652dc
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,13 +10,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 <!-- ### Added | Changed | Deprecated | Removed | Fixed | Security -->
 
+### Changed
+
+- Remove`:insecure_skip_tls_verify` option and use a custom `match_fun` instead to work around failing hostname verification for IP addresses. - [#5](https://github.com/mruoss/flame_k8s_backend/pull/5)
+
 <!--------------------- Don't add new entries after this line --------------------->
 
 ## [0.2.3] - 2023-12-15
 
 ### Added
 
-- `runner_pod_tpl` option for better control over the runner pod manifest [#2](https://github.com/mruoss/flame_k8s_backend/pull/2)
+- `runner_pod_tpl` option for better control over the runner pod manifest - [#2](https://github.com/mruoss/flame_k8s_backend/pull/2)
 - Basic integration test
 
 ### Changed

diff --git a/lib/flame_k8s_backend/k8s_client.ex b/lib/flame_k8s_backend/k8s_client.ex
@@ -8,15 +8,9 @@ defmodule FLAMEK8sBackend.K8sClient do
   def connect() do
     ca_cert_path = Path.join(@sa_token_path, "ca.crt")
     token_path = Path.join(@sa_token_path, "token")
-    apiserver_host = System.get_env("KUBERNETES_SERVICE_HOST") |> String.to_charlist()
+    apiserver_host = System.get_env("KUBERNETES_SERVICE_HOST")
     apiserver_port = System.get_env("KUBERNETES_SERVICE_PORT_HTTPS")
 
-    sni =
-      case :inet.parse_address(apiserver_host) do
-        {:ok, _} -> :disable
-        {:error, _} -> apiserver_host
-      end
-
     with {:ok, token} <- File.read(token_path),
          {:ok, ca_cert_raw} <- File.read(ca_cert_path),
          {:ok, ca_cert} <- cert_from_pem(ca_cert_raw) do
@@ -27,8 +21,7 @@ defmodule FLAMEK8sBackend.K8sClient do
           connect_options: [
             transport_opts: [
               cacerts: [ca_cert],
-              verify: :verify_peer,
-              server_name_indication: sni
+              customize_hostname_check: [match_fun: &check_ips_as_dns_id/2]
             ]
           ]
         )
@@ -93,4 +86,18 @@ defmodule FLAMEK8sBackend.K8sClient do
       {request, RuntimeError.exception(response.body["message"])}
     end
   end
+
+  # Temporary workaround until this is fixed in some lower layer
+  # https://github.com/erlang/otp/issues/7968
+  # https://github.com/elixir-mint/mint/pull/418
+  defp check_ips_as_dns_id({:dns_id, hostname}, {:iPAddress, ip}) do
+    with {:ok, ip_tuple} <- :inet.parse_address(hostname),
+         ^ip <- Tuple.to_list(ip_tuple) do
+      true
+    else
+      _ -> :default
+    end
+  end
+
+  defp check_ips_as_dns_id(_, _), do: :default
 end