From f2be6f6090817d0c49ea6c19b749e253744e3ed5 Mon Sep 17 00:00:00 2001 From: Marcus Bowyer Date: Mon, 10 Apr 2023 23:09:52 -0700 Subject: [PATCH 1/2] Use the system certificate store if no certificates are specified. --- src/KubernetesClient/Kubernetes.ConfigInit.cs | 30 ++++++++++++++----- .../KubernetesClientConfigurationTests.cs | 14 +++++++++ .../assets/kubeconfig.tls-no-skip.yml | 22 ++++++++++++++ 3 files changed, 58 insertions(+), 8 deletions(-) create mode 100644 tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml diff --git a/src/KubernetesClient/Kubernetes.ConfigInit.cs b/src/KubernetesClient/Kubernetes.ConfigInit.cs index 762b61f61..b77931d5f 100644 --- a/src/KubernetesClient/Kubernetes.ConfigInit.cs +++ b/src/KubernetesClient/Kubernetes.ConfigInit.cs @@ -74,19 +74,33 @@ private void InitializeFromConfig(KubernetesClientConfiguration config) { if (CaCerts == null) { - throw new KubeConfigException("A CA must be set when SkipTlsVerify === false"); + var store = new X509Store( + StoreName.CertificateAuthority, + StoreLocation.CurrentUser); +#if NET5_0_OR_GREATER + HttpClientHandler.SslOptions.RemoteCertificateValidationCallback = +#else + HttpClientHandler.ServerCertificateCustomValidationCallback = +#endif + (sender, certificate, chain, sslPolicyErrors) => + { + return CertificateValidationCallBack(sender, store.Certificates, certificate, chain, + sslPolicyErrors); + }; } - + else + { #if NET5_0_OR_GREATER - HttpClientHandler.SslOptions.RemoteCertificateValidationCallback = + HttpClientHandler.SslOptions.RemoteCertificateValidationCallback = #else HttpClientHandler.ServerCertificateCustomValidationCallback = #endif - (sender, certificate, chain, sslPolicyErrors) => - { - return CertificateValidationCallBack(sender, CaCerts, certificate, chain, - sslPolicyErrors); - }; + (sender, certificate, chain, sslPolicyErrors) => + { + return CertificateValidationCallBack(sender, CaCerts, certificate, chain, + sslPolicyErrors); + }; + } } } 
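Review bot: In the new `CaCerts == null` branch the `X509Store` is never opened or disposed, so `store.Certificates` is read from an unopened store and, as far as the X509Store API goes, comes back as an empty collection — the custom callback would then validate against no trust anchors at all, not against the system store the subject line describes. If this branch were kept it would need `store.Open(OpenFlags.ReadOnly);` before the read, a one-time snapshot such as `var trusted = store.Certificates;` captured by the lambda instead of the store object, and disposal of the store. `StoreName.CertificateAuthority` is also the intermediate-CA store rather than the trusted-root store (`StoreName.Root`), so even an opened store would not give the intended trust set. PATCH 2/2 on this page drops this branch and leaves the handler's default validation in place when no CA is configured, which resolves both points; `InitializeFromConfig` begins outside the hunk.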
diff --git a/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs b/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
index ed664fb3c..976844836 100644
--- a/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
+++ b/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
@@ -138,6 +138,20 @@ public void CheckClusterTlsSkipCorrectness()
 Assert.True(cfg.SkipTlsVerify);
 }
 
+ ///
+ /// Checks that a KubeConfigException is not thrown when no certificate-authority-data is set and user do not require tls
+ /// skip
+ ///
+ [Fact]
+ public void CheckClusterTlsNoSkipCorrectness()
+ {
+ var fi = new FileInfo("assets/kubeconfig.tls-no-skip.yml");
+ var cfg = KubernetesClientConfiguration.BuildConfigFromConfigFile(fi);
+ Assert.NotNull(cfg.Host);
+ Assert.Null(cfg.SslCaCerts);
+ Assert.False(cfg.SkipTlsVerify);
+ }
+
 ///
 /// Checks that a KubeConfigException is thrown when the cluster defined in clusters and contexts do not match
 ///
diff --git a/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml b/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml
new file mode 100644
index 000000000..fe101ec3f
--- /dev/null
+++ b/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml
@@ -0,0 +1,22 @@
+# Sample file based on https://kubernetes.io/docs/tasks/access-application-cluster/authenticate-across-clusters-kubeconfig/
+# WARNING: File includes minor fixes
+---
+current-context: federal-context
+apiVersion: v1
+clusters:
+- cluster:
+ insecure-skip-tls-verify: false
+ server: https://horse.org:443
+ name: horse-cluster
+contexts:
+- context:
+ cluster: horse-cluster
+ namespace: chisel-ns
+ user: green-user
+ name: federal-context
+kind: Config
+users:
+- name: green-user
+ user:
+ password: secret
+ username: admin
From 990db89fd29b262093b6d0bdc1cef366e9b9cf8f Mon Sep 17 00:00:00 2001
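Review bot: `CheckClusterTlsNoSkipCorrectness` only calls `BuildConfigFromConfigFile` and asserts on the parsed configuration, while the `KubeConfigException` this series removes was thrown from `InitializeFromConfig`; if config parsing already accepted this file before the change, the test passes on the old code as well and does not cover the new behaviour. Constructing a client from the parsed config after the existing asserts, e.g. `using var client = new Kubernetes(cfg);`, would exercise the path that used to throw, assuming client construction does not contact the server. The summary also reads awkwardly; suggest `/// Checks that a KubeConfigException is not thrown when no certificate-authority-data is set and the user does not require TLS skip`.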
From: Marcus Bowyer Date: Wed, 12 Apr 2023 21:15:55 -0700 Subject: [PATCH 2/2] Don't use ServerCertificateCustomValidationCallback when no CA is set --- src/KubernetesClient/Kubernetes.ConfigInit.cs | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/src/KubernetesClient/Kubernetes.ConfigInit.cs b/src/KubernetesClient/Kubernetes.ConfigInit.cs index b77931d5f..7fc808b9f 100644 --- a/src/KubernetesClient/Kubernetes.ConfigInit.cs +++ b/src/KubernetesClient/Kubernetes.ConfigInit.cs @@ -72,28 +72,12 @@ private void InitializeFromConfig(KubernetesClientConfiguration config) } else { - if (CaCerts == null) + if (CaCerts != null) { - var store = new X509Store( - StoreName.CertificateAuthority, - StoreLocation.CurrentUser); #if NET5_0_OR_GREATER HttpClientHandler.SslOptions.RemoteCertificateValidationCallback = #else HttpClientHandler.ServerCertificateCustomValidationCallback = -#endif - (sender, certificate, chain, sslPolicyErrors) => - { - return CertificateValidationCallBack(sender, store.Certificates, certificate, chain, - sslPolicyErrors); - }; - } - else - { -#if NET5_0_OR_GREATER - HttpClientHandler.SslOptions.RemoteCertificateValidationCallback = -#else - HttpClientHandler.ServerCertificateCustomValidationCallback = #endif (sender, certificate, chain, sslPolicyErrors) => {