replace insecure_skip_tls_verify with auto set sni

.tool-versions

@@ -1,2 +1,3 @@
 erlang 26.2
-elixir 1.15.7
+elixir 1.15.7
+kind 0.20.0

README.md

@@ -32,7 +32,7 @@ Configure the flame backend in our configuration or application setup:
   children = [
     {FLAME.Pool,
       name: MyApp.SamplePool,
-      backend: {FLAMEK8sBackend, insecure_skip_tls_verify: true},
+      backend: FLAMEK8sBackend,
       min: 0,
       max: 10,
       max_concurrency: 5,

lib/flame_k8s_backend.ex

@@ -46,9 +46,6 @@ defmodule FLAMEK8sBackend do
 
     * `:log` - The log level to use for verbose logging. Defaults to `false`.
 
-    * `:insecure_skip_tls_verify` - Skip TLS hostname verification. This is
-      required if you connect to your cluster via IP address.
-
   ### Prerequisites
 
   In order for this to work, your application needs to meet some requirements.
@@ -172,7 +169,7 @@ defmodule FLAMEK8sBackend do
             log: false,
             req: nil
 
-  @valid_opts ~w(app_container_name insecure_skip_tls_verify runner_pod_tpl terminator_sup log)a
+  @valid_opts ~w(app_container_name runner_pod_tpl terminator_sup log)a
   @required_config ~w()a
 
   @impl true
@@ -205,7 +202,7 @@ defmodule FLAMEK8sBackend do
       |> FLAME.Parent.new(self(), __MODULE__)
       |> FLAME.Parent.encode()
 
-    {:ok, req} = K8sClient.connect(Keyword.take(provided_opts, [:insecure_skip_tls_verify]))
+    {:ok, req} = K8sClient.connect()
 
     case K8sClient.get_pod(req, System.get_env("POD_NAMESPACE"), System.get_env("POD_NAME")) do
       {:ok, base_pod} ->
@@ -250,7 +247,7 @@ defmodule FLAMEK8sBackend do
   @impl true
   def system_shutdown do
     # This is not very nice but I don't have the opts on the runner
-    {:ok, req} = K8sClient.connect(insecure_skip_tls_verify: true)
+    {:ok, req} = K8sClient.connect()
     namespace = System.get_env("POD_NAMESPACE")
     name = System.get_env("POD_NAME")
     K8sClient.delete_pod!(req, namespace, name)

lib/flame_k8s_backend/k8s_client.ex

@@ -5,17 +5,18 @@ defmodule FLAMEK8sBackend.K8sClient do
   @pod_tpl "/api/v1/namespaces/:namespace/pods/:name"
   @pod_list_tpl "/api/v1/namespaces/:namespace/pods"
 
-  def connect(opts) do
+  def connect() do
     ca_cert_path = Path.join(@sa_token_path, "ca.crt")
     token_path = Path.join(@sa_token_path, "token")
-
-    verify =
-      if Keyword.get(opts, :insecure_skip_tls_verify, false),
-        do: :verify_none,
-        else: :verify_peer
-
     apiserver_host = System.get_env("KUBERNETES_SERVICE_HOST")
-    apiserver_port = System.get_env("KUBERNETES_SERVICE_PORT")
+    apiserver_host_charlist = String.to_charlist(apiserver_host)
+    apiserver_port = System.get_env("KUBERNETES_SERVICE_PORT_HTTPS")
+
+    sni =
+      case :inet.parse_address(apiserver_host_charlist) do
+        {:ok, _} -> :disable
+        {:error, _} -> apiserver_host_charlist
+      end
 
     with {:ok, token} <- File.read(token_path),
          {:ok, ca_cert_raw} <- File.read(ca_cert_path),
@@ -24,7 +25,7 @@ defmodule FLAMEK8sBackend.K8sClient do
         Req.new(
           base_url: "https://#{apiserver_host}:#{apiserver_port}",
           headers: [{:Authorization, "Bearer #{token}"}],
-          connect_options: [transport_opts: [cacerts: [ca_cert], verify: verify]]
+          connect_options: [transport_opts: [cacerts: [ca_cert], server_name_indication: sni]]
         )
         |> Req.Request.append_response_steps(verify_2xs: &verify_2xs/1)
 

test_support/integration_test_runner.ex

@@ -10,7 +10,7 @@ defmodule FlameK8sBackend.IntegrationTestRunner do
         min: 0,
         max: 2,
         idle_shutdown_after: 1_000,
-        backend: {FLAMEK8sBackend, insecure_skip_tls_verify: true},
+        backend: {FLAMEK8sBackend},
         log: :debug
         }]