Unable to get --insecure to take effect #5634

Closed
davidkarlsen opened this issue Jul 4, 2024 · 13 comments · Fixed by #5639
@davidkarlsen

Describe the bug
We have an internal CA, and hence the cert is not trusted when running testkube cli through docker.
For ease of use I just want to ignore the issuer by using --insecure=true

To Reproduce
Steps to reproduce the behavior:

  1. Have a self-signed cert on your ingress
  2. Run docker run --rm kubeshop/testkube-cli:latest --api-uri https://testkube-ui.apps.youringress.tld/ --insecure=true --client direct run testworkflow yourworkflow -f
  3. Observe it fail:
Context:  (2.0.3)   Namespace: testkube
---------------------------------------
execute test workflow ftm-cucumber-tests from namespace testkube (error: Post "https://testkube-ui.apps.ftm-aro-dev-nore.dev.mydomain/v1/test-workflows/ftm-cucumber-tests/executions": tls: failed to verify certificate: x509: certificate signed by unknown authority)

Expected behavior
Should ignore issuer

Version / Cluster

  • Which testkube version? 2.0.3
  • What Kubernetes cluster? (e.g. GKE, EKS, Openshift etc, local KinD, local Minikube) N/A
  • What Kubernetes version? N/A


@davidkarlsen davidkarlsen added the bug 🐛 Something is not working as should be label Jul 4, 2024
@vsukhin vsukhin self-assigned this Jul 4, 2024
@vsukhin
Collaborator

vsukhin commented Jul 4, 2024

@davidkarlsen will pick it up

@vsukhin
Collaborator

vsukhin commented Jul 4, 2024

yes, we do multiple calls and one of them ignores the flag

@vsukhin
Collaborator

vsukhin commented Jul 4, 2024

but this one call is not used in api request. so, can you try to run it locally and also for other commands like kubectl testkube get tests

@davidkarlsen
Author

It will work "locally" - as outside of docker - because there the CA is trusted. It is the use-case as explained in the issue that fails. Also inside docker we don't provide k8s authentication.

@vsukhin
Collaborator

vsukhin commented Jul 4, 2024

okay, what about get command?

@vsukhin
Collaborator

vsukhin commented Jul 4, 2024

And flag is passed to cli if it's executed in docker, Do you have any url to test, it can be not testkube one, any web site just signed with the same cert?
you can also try curl -k v1/info, but most likely it will not work, because your server requires client certs

@davidkarlsen
Author

sure - flags are passed - as demonstrated in the initial reporting.
curl passes just fine with -k using https://hub.docker.com/r/curlimages/curl
PS: No client-cert here - the core of this issue is to have testkube's http client ignore server-side issuer of cert.

@davidkarlsen
Author

davidkarlsen commented Jul 4, 2024

> okay, what about get command?

get testworkflow ftm-cucumber-tests will yield same error: "tls: failed to verify certificate: x509: certificate signed by unknown authority"

@davidkarlsen
Author

BTW: I noticed the distro is musl based - it is notoriously known for its flaws - do you statically compile the cmd line?

@vsukhin
Collaborator

vsukhin commented Jul 4, 2024

yes, cmd line is statically compiled, but it uses system libraries. but good question. @ypoplavs do we have anywhere self signed ingress to test? @ypoplavs do we miss RUN apk --no-cache add ca-certificates libssl1.1 ?

@davidkarlsen
Author

> yes, cmd line is statically compiled, but it uses system libraries. but good question. @ypoplavs do we have anywhere self signed ingress to test? @ypoplavs do we miss RUN apk --no-cache add ca-certificates libssl1.1 ?

probably both of these are in place since:

  1. if you depend on the system-libraries, and they are not present, it would break before the handshake
  2. ca-certificates aren't really relevant here as it is an internally-issued cert, i.e. not depending on standard bundles

@vsukhin
Collaborator

vsukhin commented Jul 5, 2024

we tested it out on self signed ingress, sounds like it's distro related issue. investigating what is missing

@vsukhin vsukhin mentioned this issue Jul 5, 2024
@vsukhin
Collaborator

vsukhin commented Jul 5, 2024

found the bug #5639
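
The certificate error discussed in this thread can be reproduced offline. The Go program below is an added example, not testkube's code and not the fix from #5639; `newClient`, `probe` and `demo` are hypothetical names, and the server is a local `httptest` fixture with a constructed certificate. It compares a default client, one built with a skip-verify flag, and one that trusts the internal CA instead, which keeps chain and hostname checks in place.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newClient (hypothetical) is the single place where TLS settings are applied.
func newClient(insecure bool, internalCA *x509.Certificate) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if internalCA != nil {
		// Preferred: trust the internal CA, keep chain and hostname checks.
		pool := x509.NewCertPool()
		pool.AddCert(internalCA)
		cfg.RootCAs = pool
	}
	// Opt-in only: disables all server certificate verification.
	cfg.InsecureSkipVerify = insecure
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// probe returns "ok" or the error text of a GET against url.
func probe(c *http.Client, url string) string {
	resp, err := c.Get(url)
	if err != nil {
		return err.Error()
	}
	resp.Body.Close()
	return "ok"
}

// demo probes a local TLS server (constructed fixture, untrusted cert) three ways.
func demo() (strict, skip, pinned string) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("pong")) }))
	defer srv.Close()
	strict = probe(newClient(false, nil), srv.URL)
	skip = probe(newClient(true, nil), srv.URL)
	pinned = probe(newClient(false, srv.Certificate()), srv.URL)
	return
}

func main() {
	strict, skip, pinned := demo()
	fmt.Println("default:", strings.Contains(strict, "x509"), "| insecure:", skip, "| internal CA:", pinned)
}
```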
