cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities

Home Page:https://conjur.org

Kubernetes Authenticator Websocket Client doesn't support Server Name Indication (SNI)

micahlee opened this issue · comments

The Kubernetes authenticator makes two separate connection types to the k8s API:

  • Request/response HTTP API connections using kubeclient (for pod metadata).
  • Websocket connection using an internal client (for auth certificate injection).

Server Name Indication (SNI) is a TLS extension that allows a web server to serve content securely for multiple domain names by including the intended hostname in the TLS handshake.

Currently, our kubeclient connection does support SNI, but the websocket connection does not. This means each of these connection phases can receive a different server certificate. This can lead to certificate verification errors unless the CA certificates for both SNI and non-SNI connections are configured in the kubernetes/ca-cert authentication webservice annotation.

Acceptance Criteria:

  • A regression test exists that verifies SNI behavior for the websocket client
  • The websocket client supports SNI when establishing the connection
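The behaviour the issue describes, reproduced locally as an added example (this is not Conjur's websocket client or kubeclient code): a TLS server on 127.0.0.1 that serves one self-signed certificate by default and a different one when the ClientHello carries SNI for `kubernetes.default.svc`, and a client whose only SNI-related difference is a single `ssl.hostname = ...` line. Connecting without SNI while trusting only the SNI certificate fails verification, which is the "certificate verification errors unless both CA certificates are configured" situation from the issue text. Host names, serial numbers, certificates and the port are constructed for the demo and are not taken from any real cluster.

```ruby
# Added example (not Conjur's own code): a local TLS server that serves one
# certificate by default and a different one when the client sends SNI, plus
# a client that connects with and without SNI. All names, certificates and
# the listening port are constructed here for the demo.
require 'openssl'
require 'socket'

NAMED_HOST   = 'kubernetes.default.svc' # assumed SNI name (constructed)
DEFAULT_HOST = 'kubernetes'             # assumed non-SNI name (constructed)

# Build a self-signed X.509 certificate for +host+ (demo only).
def self_signed_cert(host, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{host}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Start a TLS server on 127.0.0.1 that picks its certificate from the SNI name.
# Returns [port, server, thread]; call server.close to stop it.
def start_sni_server(default_cert, default_key, named_cert, named_key)
  default_ctx = OpenSSL::SSL::SSLContext.new
  default_ctx.cert = default_cert
  default_ctx.key  = default_key
  named_ctx = OpenSSL::SSL::SSLContext.new
  named_ctx.cert = named_cert
  named_ctx.key  = named_key
  # Ruby/OpenSSL only invokes this when the ClientHello carries an SNI
  # extension; returning nil keeps the default context and its certificate.
  default_ctx.servername_cb = proc { |_sock, name| named_ctx if name == NAMED_HOST }
  tcp    = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, default_ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept # performs the handshake
        conn.read            # wait for the client's close_notify
      rescue StandardError
        break if tcp.closed? # server.close was called from the main thread
      ensure
        conn&.close rescue nil
      end
    end
  end
  [tcp.addr[1], server, thread]
end

# Connect to the local server and return the CN of the certificate actually
# served, or :verify_failed if chain verification rejected it. +trusted+ plays
# the role of the CA bundle the client is configured with.
def probe(port, trusted:, sni: nil)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store      = store
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = !sni.nil? # there is a name to compare against only with SNI
  sock = TCPSocket.new('127.0.0.1', port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.sync_close = true
  ssl.hostname = sni if sni # this line is what puts SNI into the ClientHello
  ssl.connect
  cn = ssl.peer_cert.subject.to_a.assoc('CN')[1]
  ssl.close
  cn
rescue OpenSSL::SSL::SSLError
  :verify_failed
ensure
  sock.close if sock && !sock.closed?
end

# The four combinations of "which CA is trusted" and "is SNI sent".
def run_scenarios
  default_cert, default_key = self_signed_cert(DEFAULT_HOST, 1)
  named_cert,   named_key   = self_signed_cert(NAMED_HOST, 2)
  port, server, thread = start_sni_server(default_cert, default_key, named_cert, named_key)
  {
    sni_trust_named:      probe(port, trusted: [named_cert], sni: NAMED_HOST),
    no_sni_trust_named:   probe(port, trusted: [named_cert]),
    no_sni_trust_default: probe(port, trusted: [default_cert]),
    sni_trust_both:       probe(port, trusted: [default_cert, named_cert], sni: NAMED_HOST)
  }
ensure
  server&.close
  thread&.join(5)
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The `no_sni_trust_named` case is the failure mode from the issue: a client that trusts only the certificate the API server presents for its SNI name, but omits SNI, is shown the default certificate and rejects it. The `sni_trust_both` case is the workaround of putting both CA certificates in the bundle, and `sni_trust_named` is what the fix (sending SNI from the websocket client, the `ssl.hostname = sni` line above) makes sufficient on its own.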