From 3bc59dc964a50f7ffe8b72432699efc646733b9d Mon Sep 17 00:00:00 2001
From: Hector Ros
Date: Tue, 20 Jan 2026 17:57:23 +0100
Subject: [PATCH] Fix: Apply skipTLSVerify in loadFromCluster mode

When K8S_IN_CLUSTER=true, backend uses loadFromCluster() which needs skipTLSVerify to work with self-signed cluster certificates.

Co-Authored-By: Claude Sonnet 4.5 (1M context)
---
 src/lib/k8s.ts | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/src/lib/k8s.ts b/src/lib/k8s.ts
index 47a5b9b..f33c092 100644
--- a/src/lib/k8s.ts
+++ b/src/lib/k8s.ts
@@ -20,22 +20,18 @@ export function initK8sClient() {
 if (inCluster) {
 k8sConfig.loadFromCluster()
+
+ // Skip TLS verification when in cluster
+ // This is needed because the cluster uses self-signed certificates
+ const cluster = k8sConfig.getCurrentCluster()
+ if (cluster) {
+ cluster.skipTLSVerify = true
+ console.log('🔓 K8s client configured to skip TLS verification (in-cluster mode)')
+ }
 } else {
 // Load from kubeconfig file
 const configPath = process.env.K8S_CONFIG_PATH || process.env.KUBECONFIG || '~/.kube/config'
 k8sConfig.loadFromFile(configPath)
-
- // When running in K8s (but not detected as in-cluster), trust the cluster CA
- // This happens when backend pod needs to manage other pods
- if (process.env.KUBERNETES_SERVICE_HOST) {
- // We're running in K8s, configure to trust cluster certificates
- const cluster = k8sConfig.getCurrentCluster()
- if (cluster) {
- // Skip TLS verification for development (NOT recommended for production)
- // In production, use proper CA certificates
- cluster.skipTLSVerify = true
- }
- }
 }
 k8sClient = k8sConfig.makeApiClient(k8s.CoreV1Api)
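Review bot: The added `cluster.skipTLSVerify = true` in the `inCluster` branch runs unconditionally, so every in-cluster request, including the service-account bearer token it carries, goes to an API server whose certificate is never checked. If `k8sConfig` is a `KubeConfig` from `@kubernetes/client-node` (not visible in this hunk), `loadFromCluster()` already points the cluster at the CA bundle mounted with the service account, so a self-signed cluster CA should verify without this override; it is worth confirming which error prompted the change. If an escape hatch is still needed, make it opt-in, e.g. `if (cluster && process.env.<SKIP_TLS_OPT_IN> === 'true') {` (placeholder variable name), and emit the message with `console.warn` rather than `console.log`. The removed branch carried a comment that skipping verification is not recommended for production, and the new comment drops that caveat. `initK8sClient` starts and ends outside the hunk.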