
SSL verification fails for GKE with custom certificate authorities #377

Open
vitali-s opened this issue Dec 6, 2024 · 0 comments

vitali-s commented Dec 6, 2024

We have clusters with GKE custom certificate authorities configured (https://cloud.google.com/kubernetes-engine/docs/tutorials/run-your-own-cas-keys). In such cases GKE has an appropriate volume mount:

```yaml
  - name: kube-api-access-vp784
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
```

It works well for the majority of our deployments; however, kiwigrid/k8s-sidecar is failing with an SSL verification issue:

```json
{"time": "2024-12-06T18:21:09.337171+00:00", "taskName": null, "msg": "Retrying (Retry(total=3, connect=10, read=5, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERFY_FAILED[] certificate verify failed: unsuitable certificate purpose (_ssl.c:1000)'))': /api/v1/configmaps?labelSelector=grafana_dashboard&timeoutSeconds=60&watch=True", "level": "WARNING"}
```

We know there is an option to skip TLS verification; however, as kube-root-ca.crt is available and mounted, it would be great to support it.
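The pattern the report asks for, as an added example that is not k8s-sidecar's own code: an in-cluster loader that hands the projected `ca.crt` (the `kube-root-ca.crt` ConfigMap mounted under the service account directory) to the TLS layer, and only ever disables verification when the caller opts in explicitly. It assumes a Python client with `kubernetes.client.Configuration`-style fields (`host`, `api_key`, `ssl_ca_cert`, `verify_ssl`); the `KUBERNETES_CA_BUNDLE` override variable and the `write_constructed_sa_dir` fixture are hypothetical and constructed for the demonstration.

```python
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Mapping, Optional

# Mount point of the projected "kube-api-access-*" volume from the issue; the
# configMap source places kube-root-ca.crt here as ca.crt.
SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")


@dataclass
class ClusterClientConfig:
    """Field names mirror kubernetes.client.Configuration attributes."""
    host: str
    api_key: str                 # bearer token from the projected volume
    namespace: str
    ssl_ca_cert: Optional[str]   # PEM bundle path handed to the TLS layer
    verify_ssl: bool


def _looks_like_pem_bundle(path: Path) -> bool:
    """Cheap sanity check that the file holds at least one PEM certificate."""
    return path.is_file() and "-----BEGIN CERTIFICATE-----" in path.read_text()


def load_in_cluster_config(
    sa_dir: Path = SA_DIR,
    env: Optional[Mapping[str, str]] = None,
    allow_insecure: bool = False,
) -> ClusterClientConfig:
    """Assemble API client settings from the projected volume.

    Trust order: KUBERNETES_CA_BUNDLE (hypothetical override), then the
    projected ca.crt. Verification is disabled only on explicit opt-in,
    never silently, so a failure like the one in the log surfaces against
    the bundle actually configured.
    """
    env = os.environ if env is None else env
    host = env.get("KUBERNETES_SERVICE_HOST")
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    if not host:
        raise RuntimeError("KUBERNETES_SERVICE_HOST not set; not running inside a pod")
    if ":" in host:                      # bracket IPv6 literals for the URL
        host = f"[{host}]"

    token_path = sa_dir / "token"
    if not token_path.is_file():
        raise RuntimeError(f"service account token missing at {token_path}")
    token = token_path.read_text().strip()

    ns_path = sa_dir / "namespace"
    namespace = ns_path.read_text().strip() if ns_path.is_file() else "default"

    candidates = []
    if env.get("KUBERNETES_CA_BUNDLE"):
        candidates.append(Path(env["KUBERNETES_CA_BUNDLE"]))
    candidates.append(sa_dir / "ca.crt")
    ca_file = next((p for p in candidates if _looks_like_pem_bundle(p)), None)

    base = f"https://{host}:{port}"
    if ca_file is not None:
        return ClusterClientConfig(base, token, namespace, str(ca_file), True)
    if allow_insecure:
        return ClusterClientConfig(base, token, namespace, None, False)
    raise RuntimeError(
        f"no usable CA bundle among {[str(p) for p in candidates]}; "
        "refusing to disable TLS verification implicitly"
    )


def write_constructed_sa_dir(target: Path) -> Path:
    """Write constructed placeholder files shaped like the projected volume."""
    target.mkdir(parents=True, exist_ok=True)
    (target / "token").write_text("constructed-token-not-a-real-jwt\n")
    (target / "namespace").write_text("monitoring\n")
    (target / "ca.crt").write_text(
        "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT\n"
        "-----END CERTIFICATE-----\n"
    )
    return target


if __name__ == "__main__":
    import tempfile
    demo = write_constructed_sa_dir(Path(tempfile.mkdtemp()) / "serviceaccount")
    cfg = load_in_cluster_config(demo, env={"KUBERNETES_SERVICE_HOST": "10.0.0.1"})
    print(cfg)
```

Inside a pod the defaults resolve to the real projected paths, so the only decision left to the operator is which bundle to trust; a missing or malformed bundle fails closed with a message naming the paths that were tried, which is far easier to act on than a silent `verify_ssl=False`.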
