[GitHub] [airflow] wselfjes commented on pull request #25023: fix: change disable_verify_ssl behaviour

[GitBox <gi...@apache.org>]

wselfjes commented on PR #25023:
URL: https://github.com/apache/airflow/pull/25023#issuecomment-1184854024

   hi @dstandish
   The problem that we found in our company is that when we want to use `KubernetesExecutor`, airflow crashes with an error:
   ```
   MaxRetryError: HTTPSConnectionPool(host=‘host’, port=6443): Max retries exceeded with url: /api/v1/pods?watch=False (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1091)')))
   ```
   We tried to play around with certificates but the problem stayed. Other services work fine.
   So we decide to specify `verify_ssl = False` and `AIRFLOW__KUBERNETES__VERIFY_SSL: false` in the airflow config. 
   But it didn’t work the same way as in the documentation.
   
   After some research I found that airflow 2.3.2 has following behaviour with `get_kube_client()` and `_disable_verify_ssl()`:
   1. sets `verify_ssl=False` in the in-memory kubernetes config
   2. reads incluster config that rewrites previous set field. 
   
   The result is that airflow config field does not apply.
   
   I propose a solution to change the order of `get_kube_client()` actions:
   1. read incluster config or local `./kube/config` file
   2. if `verify_ssl = False` set , set it in in-memory config


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org