Feature Request
Summary
When using Flux's GCP provider with a GKE DNS endpoint (*.gke.goog) and dnsLookup: "true", the kustomize-controller fails with a TLS certificate verification error:
tls: failed to verify certificate: x509: certificate signed by unknown authority
This is because the provider unconditionally uses the cluster's self-signed CA (MasterAuth.ClusterCaCertificate) for TLS verification — but DNS endpoints serve certificates signed by Google Trust Services (a public CA), not the cluster CA.
We would like the GCP provider to support using the system's trusted root CA bundle when a DNS endpoint is in use, either automatically or via an explicit ConfigMap field.
Environment
- Flux with GCP Workload Identity Federation (WIF)
- GKE cluster with DNS endpoint enabled
- Management cluster connecting to workload clusters via
kubeConfig.configMapRef
ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: my-cluster-configmap
namespace: wc-my-cluster
data:
provider: gcp
cluster: projects/my-project/locations/europe-west4/clusters/my-cluster
dnsLookup: "true"
address: gke-XXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXX.europe-west4.gke.goog
Current Behaviour
Could not determine release state: failed to retrieve last release from storage:
query: failed to query with labels:
Get "https://gke-XXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXX.europe-west4.gke.goog/api/v1/namespaces/kube-system/secrets?...": tls: failed to verify certificate: x509: certificate signed by unknown authority
Possible Root Cause
The issue may lie in auth/gcp/provider.go, in the NewRESTConfig function, which fetches CAData from the GKE API whenever it is not explicitly provided:
if host == "" || caData == "" {
clusterResource, _ := p.impl().GetCluster(ctx, cluster, client)
caData, _ = base64.StdEncoding.DecodeString(
clusterResource.MasterAuth.ClusterCaCertificate)
}When address is a DNS endpoint but caData is empty, the following may be happening:
host is set to the *.gke.goog DNS endpointcaData is empty → provider fetches the cluster's self-signed CA- The DNS endpoint's certificate is signed by Google Trust Services (public CA)
- The self-signed cluster CA cannot verify it → TLS handshake fails
This could point to a mismatch: IP-based endpoints use the cluster's self-signed CA, but DNS endpoints serve certificates signed by a public CA — and the provider may not currently distinguish between the two.
Note: fluxcd/pkg#1071 removed the address matching validation, enabling DNS endpoints to be specified — but it may not have updated CA handling, potentially leaving this gap.
Desired Behaviour
When dnsLookup: "true" is set (or the address is a *.gke.goog host), the GCP provider should support falling back to the system's trusted root CA bundle (which includes Google Trust Services) instead of always using the cluster's self-signed CA.
Suggested Implementation
Option 1 — Automatic detection: Skip cluster CA when a DNS endpoint is detected:
// Only use cluster CA for IP-based endpoints, not DNS endpoints
if !isDNSEndpoint(host) {
caData, err = base64.StdEncoding.DecodeString(
clusterResource.MasterAuth.ClusterCaCertificate)
}Option 2 — Explicit user control: Expose a new ConfigMap field useSystemCA: "true" so users can opt in:
data:
provider: gcp
cluster: projects/my-project/locations/europe-west4/clusters/my-cluster
dnsLookup: "true"
address: gke-XXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXX.europe-west4.gke.goog
useSystemCA: "true"
Related
Note
We are also open to the possibility that this may be a misconfiguration on our end. If dnsLookup: "true" with a *.gke.goog address requires additional configuration that we may have missed, please do let us know.
Feature Request
Summary
When using Flux's GCP provider with a GKE DNS endpoint (
*.gke.goog) anddnsLookup: "true", the kustomize-controller fails with a TLS certificate verification error:This is because the provider unconditionally uses the cluster's self-signed CA (
MasterAuth.ClusterCaCertificate) for TLS verification — but DNS endpoints serve certificates signed by Google Trust Services (a public CA), not the cluster CA.We would like the GCP provider to support using the system's trusted root CA bundle when a DNS endpoint is in use, either automatically or via an explicit ConfigMap field.
Environment
kubeConfig.configMapRefConfigMap
Current Behaviour
Possible Root Cause
The issue may lie in
auth/gcp/provider.go, in theNewRESTConfigfunction, which fetchesCADatafrom the GKE API whenever it is not explicitly provided:When
addressis a DNS endpoint butcaDatais empty, the following may be happening:hostis set to the*.gke.googDNS endpointcaDatais empty → provider fetches the cluster's self-signed CAThis could point to a mismatch: IP-based endpoints use the cluster's self-signed CA, but DNS endpoints serve certificates signed by a public CA — and the provider may not currently distinguish between the two.
Note: fluxcd/pkg#1071 removed the address matching validation, enabling DNS endpoints to be specified — but it may not have updated CA handling, potentially leaving this gap.
Desired Behaviour
When
dnsLookup: "true"is set (or the address is a*.gke.googhost), the GCP provider should support falling back to the system's trusted root CA bundle (which includes Google Trust Services) instead of always using the cluster's self-signed CA.Suggested Implementation
Option 1 — Automatic detection: Skip cluster CA when a DNS endpoint is detected:
Option 2 — Explicit user control: Expose a new ConfigMap field
useSystemCA: "true"so users can opt in:Related
Note
We are also open to the possibility that this may be a misconfiguration on our end. If
dnsLookup: "true"with a*.gke.googaddress requires additional configuration that we may have missed, please do let us know.