SSL certificate verification fails when using Teleport Kubernetes proxy

[prein]

Describe the bug
KRR fails with SSL certificate verification errors when connecting to Kubernetes clusters through Teleport proxy, even though kubectl works correctly with the same kubeconfig. The Prometheus/Victoria Metrics connection works fine when specified with -p, but all Kubernetes API calls fail.

To Reproduce

1. Configure Kubernetes access via Teleport (generates kubeconfig with tls-server-name)
2. Verify kubectl get pods works
3. Run krr simple -p <prometheus-url>
4. See SSL verification errors on all Kubernetes API calls

Teleport kubeconfig structure:

clusters:
- cluster:
    certificate-authority-data: <base64-encoded-ca>
    server: https://company.teleport.sh:443
    tls-server-name: kube-teleport-proxy-alpn.company.teleport.sh
  name: company.teleport.sh

Error:

SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: 
unable to get local issuer certificate (_ssl.c:1006)'))

Expected behavior
KRR should respect the tls-server-name field from kubeconfig and successfully connect to the Kubernetes API through Teleport proxy, just like kubectl does.

Screenshots
N/A

Are you interested in contributing a fix for this?
Yes - happy to help test. May try working on a fix too, with AI help. The fix likely involves either:

1. Upgrading kubernetes-client dependency to v28+ (has better tls-server-name support)
2. Adding explicit tls-server-name handling in config_patch.py similar to proxy-url

Desktop (please complete the following information):

• OS: macOS
• KRR Version: 1.27.0 (Homebrew)
• Python kubernetes-client bundled: 26.1.0

Additional context

• The CERTIFICATE env var was tried with the base64-encoded CA from kubeconfig - KRR prints "added custom certificate" but still fails
• Possible root cause: When Teleport is used, the server URL is https://company.teleport.sh:443 but TLS negotiation must use SNI kube-teleport-proxy-alpn.company.teleport.sh. The CA is valid for the SNI name, not the server hostname.

[arikalon1]

Proposed Fix Analysis

After analyzing the codebase, here's the recommended fix approach for tls-server-name support:

Root Cause

The config_patch.py file already handles proxy-url by extending the KubeConfigLoader class. The same pattern should be applied for tls-server-name to pass the SNI (Server Name Indication) to the SSL context.

Suggested Code Change for robusta_krr/core/integrations/kubernetes/config_patch.py:

# NOTE: This is a workaround for the issue described here:
# https://github.com/kubernetes-client/python/pull/1863

from __future__ import annotations

from typing import Optional

from kubernetes.client import configuration
from kubernetes.config import kube_config


class KubeConfigLoader(kube_config.KubeConfigLoader):
    def _load_cluster_info(self):
        super()._load_cluster_info()

        if "proxy-url" in self._cluster:
            self.proxy = self._cluster["proxy-url"]
        
        # Add tls-server-name support for Teleport and similar proxies
        if "tls-server-name" in self._cluster:
            self.tls_server_name = self._cluster["tls-server-name"]

    def _set_config(self, client_configuration):
        super()._set_config(client_configuration)

        for key in ["proxy", "tls_server_name"]:
            if key in self.__dict__:
                setattr(client_configuration, key, getattr(self, key))


class Configuration(configuration.Configuration):
    def __init__(
        self,
        proxy: Optional[str] = None,
        tls_server_name: Optional[str] = None,
        **kwargs,
    ):
        super().__init__(**kwargs)

        self.proxy = proxy
        self.tls_server_name = tls_server_name


configuration.Configuration = Configuration
kube_config.KubeConfigLoader = KubeConfigLoader

Additional Notes

1. The tls_server_name attribute needs to be passed to the SSL context as the server_hostname parameter
2. You may also need to ensure the underlying urllib3 connection uses this SNI value
3. Testing with a Teleport-proxied cluster would be ideal

Copilot has been assigned to work on this fix.