How to access the k8s services from AppEngine development server

7/5/2018

Too many struggles, I need to share.

Need: GET/POST on https://ip_cluster_/apis/v1/xxx from the dev_appserver (for local testing)

Error: Invalid and/or missing SSL certificate for URL

Cause: the k8s cluster endpoint uses a self-signed certificate

Tries:

  • Use a Let's Encrypt certificate with ingress. Fails because Let's Encrypt needs a DNS.
  • Ask AppEngine to make an insecure connection: globally with PYTHONHTTPSVERIFY: 0 in main.app and locally with validate_certificate=None with url_fetch or verify=False with requests. Fails because an insecure SSL connection with a self-signed certificate is not allowed in AppEngine. PR: https://github.com/GoogleCloudPlatform/python-compat-runtime/pull/124
  • Get cert/key from https://container.googleapis.com/v1beta1/projects/<my-gcp-project>/locations/<location>/clusters/<my-cluster>, decode base64, write them to files, use them with cert=('cluster_k8s.cert', 'cluster_k8s.key') in requests. Fails because local certs support is disabled in AppEngine. Using them with curl works just fine. Obviously.
  • Get cert/key like above and add them as custom certs in the Google Cloud SDK: gcloud config set core/custom_ca_certs_file=my_cert.pem. Fails because life is hard.
  • Get cert/key like above and append them to the Google Cloud SDK one:
        cd /usr/lib/google-cloud-sdk/platform/google_appengine/lib/cacerts/
        cat my_cert >> urlfetch_cacerts.txt
    Fails because life is even harder.
-- seeb0h
google-app-engine
google-kubernetes-engine
kubernetes
ssl-certificate

1 Answer

7/5/2018

Solution: use kubectl proxy, like kubectl proxy --port=8001

The k8s services are now reachable over HTTP at http://localhost:8001

Switch endpoint in your AppEngine with code like:

    import os

    if os.getenv('SERVER_SOFTWARE', '').startswith('Google App Engine/'):
        # Production
        pass
    else:
        # Local development server
        pass

-- seeb0h
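An added example (Python 3, not part of the original answer) that extends the environment switch above: kubectl proxy forwards requests with your kubeconfig credentials and asks callers for none, so the selector below only accepts a plain-HTTP endpoint when it is on loopback and the code is not running in production. The function names and the K8S_PROXY_URL override are hypothetical; https://ip_cluster_ is the question's placeholder.

```python
import ipaddress
import os
from urllib.parse import urlsplit

PROD_PREFIX = 'Google App Engine/'      # SERVER_SOFTWARE prefix from the answer
LOCAL_PROXY = 'http://localhost:8001'   # kubectl proxy --port=8001
CLUSTER_URL = 'https://ip_cluster_'     # placeholder taken from the question


def is_production(environ):
    """True when running on App Engine rather than dev_appserver."""
    return environ.get('SERVER_SOFTWARE', '').startswith(PROD_PREFIX)


def is_loopback(host):
    """True for 'localhost' and for loopback IP literals (127.0.0.0/8, ::1)."""
    if host == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as remote


def k8s_base_url(environ, proxy_url=LOCAL_PROXY, cluster_url=CLUSTER_URL):
    """Pick the API base URL; refuse plaintext anywhere but the local proxy."""
    prod = is_production(environ)
    # K8S_PROXY_URL is a hypothetical override, honoured only in development.
    url = cluster_url if prod else environ.get('K8S_PROXY_URL', proxy_url)
    parts = urlsplit(url)
    if parts.scheme == 'https':
        return url
    if parts.scheme == 'http' and not prod and is_loopback(parts.hostname or ''):
        return url
    raise ValueError('refusing non-TLS Kubernetes endpoint: %s' % url)


if __name__ == '__main__':
    print(k8s_base_url(os.environ))
```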
Source: StackOverflow