Too many struggles, I need to share.
Need: GET/POST on https://ip_cluster_/apis/v1/xxx from the dev_appserver (for local testing)
Error: Invalid and/or missing SSL certificate for URL
Cause: the k8s cluster endpoint uses a self-signed certificate
Tries:
- PYTHONHTTPSVERIFY: 0 in main.app, and locally validate_certificate=None with urlfetch or verify=False with requests. Fails because an insecure SSL connection with a self-signed certificate is not allowed in AppEngine. PR: https://github.com/GoogleCloudPlatform/python-compat-runtime/pull/124
- https://container.googleapis.com/v1beta1/projects/<my-gcp-project>/locations/<location>/clusters/<my-cluster>, decode base64, write in files, use them with cert=('cluster_k8s.cert', 'cluster_k8s.key') in requests. Fails because local certs support is disabled in AppEngine. Using them with curl works just fine. Obviously.
- gcloud config set core/custom_ca_certs_file=my_cert.pem
  Fails because life is hard.
- cd /usr/lib/google-cloud-sdk/platform/google_appengine/lib/cacerts/
  cat my_cert >> urlfetch_cacerts.txt
  Fails because life is even harder.

Solution: use kubectl proxy, like:

    kubectl proxy --port=8001

The k8s services are now reachable over HTTP at http://localhost:8001
Switch the endpoint in your AppEngine app with code like:

    import os

    if os.getenv('SERVER_SOFTWARE', '').startswith('Google App Engine/'):
        # Production
        pass
    else:
        # Local development server
        pass
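
A fuller version of that switch, as an added example (not code from the original post): it picks the endpoint from SERVER_SOFTWARE and refuses a plain-HTTP endpoint that is not on loopback, since kubectl proxy forwards requests with your kubeconfig credentials. The constants, the function names and the sample environment values are assumptions.

```python
import os

try:
    from urllib.parse import urlsplit  # Python 3
except ImportError:
    from urlparse import urlsplit  # Python 2.7 runtime

# Assumed values: the placeholder cluster address and proxy port from the post.
PROD_ENDPOINT = 'https://ip_cluster_'
LOCAL_PROXY_ENDPOINT = 'http://localhost:8001'
LOOPBACK_HOSTS = ('localhost', '127.0.0.1', '::1')


def in_production(environ=None):
    """True on App Engine, False under dev_appserver."""
    environ = os.environ if environ is None else environ
    return environ.get('SERVER_SOFTWARE', '').startswith('Google App Engine/')


def k8s_endpoint(environ=None, prod=PROD_ENDPOINT, local=LOCAL_PROXY_ENDPOINT):
    """Pick the API base URL and refuse unsafe combinations."""
    if in_production(environ):
        # Production must keep TLS; never ship the proxy URL by accident.
        if urlsplit(prod).scheme != 'https':
            raise ValueError('production endpoint must use https: %r' % prod)
        return prod
    parts = urlsplit(local)
    # kubectl proxy speaks plain HTTP and needs no client credentials,
    # so only accept it when it is bound to a loopback address.
    if parts.scheme == 'http' and parts.hostname not in LOOPBACK_HOSTS:
        raise ValueError('plain-http endpoint must be loopback: %r' % local)
    return local


def k8s_url(path, environ=None):
    """Join the selected endpoint with an API path such as /apis/v1/xxx."""
    return k8s_endpoint(environ).rstrip('/') + '/' + path.lstrip('/')
```

With this in place the certificate checks in urlfetch and requests stay at their defaults in both environments.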