Kubernetes client library AuthenticationException

3/26/2021

I've been using the Kubernetes .NET client library for a while now to access the Kubernetes API from within a container. Today I updated from client library version 1.6.11 to 4.0.21, but this broke some part of the authentication of the client.

This is the exception I'm getting:

HttpRequestException. The SSL connection could not be established, see inner exception.
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   (rest of the stack trace omitted)

With the inner exception:

AuthenticationException. The remote certificate is invalid because of errors in the certificate chain: PartialChain.
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

I use the default inClusterConfiguration to create an instance of the Kubernetes Client:

KubernetesClientConfiguration config = KubernetesClientConfiguration.InClusterConfig();
Kubernetes client = new Kubernetes(config);

I verified that I could still talk with the API through curl using the token associated with the pod's service account stored in /var/run/secrets/kubernetes.io/serviceaccount/.

I'm not that familiar with SSL, but after some struggling I found a work-around by copying the ca.cert file from the serviceaccount directory to /usr/local/share/ca-certificates/ and running update-ca-certificates. I do wonder, though, what has changed that this action is now required.

Is there some way I can configure the client such that this is done automatically or resolved in some other way?

-- Jurgy
asp.net-core
authentication
kubernetes
kubernetes-security
ssl

1 Answer

3/29/2021

From the client's GitHub I found this issue that suggests a better work-around than I found.

KubernetesClientConfiguration config = KubernetesClientConfiguration.InClusterConfig();
config.TcpKeepAlive = false; 

Kubernetes client = new Kubernetes(config);
-- Jurgy
Source: StackOverflow
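
PartialChain means the chain builder could not link the API server's certificate to any root it trusts, which is why adding the cluster CA to the system store made the error go away. The following is an added example, not code from the post or from the client library: it validates the server certificate against the service-account CA only, without changing the container's trust store. It assumes .NET 5 or later and that the CA bundle is the PEM file ca.crt in the service-account directory; the class and method names are hypothetical, and wiring the handler into the Kubernetes client is not shown.

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ClusterCaTrust
{
    // Assumed location and file name of the cluster CA bundle inside the pod.
    public const string DefaultCaPath =
        "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";

    // Usage: using var http = new HttpClient(ClusterCaTrust.CreateHandler());
    public static HttpClientHandler CreateHandler(string caPath = DefaultCaPath)
    {
        var roots = new X509Certificate2Collection();
        roots.ImportFromPemFile(caPath); // loads every certificate in the bundle

        return new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (_, cert, presented, errors) => Validate(cert, presented, errors, roots)
        };
    }

    public static bool Validate(X509Certificate2 cert, X509Chain presented,
                                SslPolicyErrors errors, X509Certificate2Collection roots)
    {
        if (cert is null) return false;

        // Only a chain error may be re-evaluated. A host name mismatch or a
        // missing certificate stays fatal, so this never degrades to "accept all".
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;

        using var chain = new X509Chain();
        // Trust the cluster CA and nothing else; the system store is ignored.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(roots);
        // Keep any intermediates the server sent so the chain can be completed.
        if (presented != null)
            chain.ChainPolicy.ExtraStore.AddRange(presented.ChainPolicy.ExtraStore);
        // Assumption: the cluster CA publishes no CRL/OCSP endpoint, so
        // revocation is not checked (HttpClient does not check it by default).
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // False if the certificate is expired, mis-signed, or still does not
        // chain to the cluster CA (for example PartialChain or UntrustedRoot).
        return chain.Build(cert);
    }
}
```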