Remove crate private identity_pem field from Config #771
Signed-off-by: kazk <kazk.dev@gmail.com>
Codecov Report
@@ Coverage Diff @@
## master #771 +/- ##
==========================================
+ Coverage 71.56% 71.64% +0.08%
==========================================
Files 54 54
Lines 3569 3562 -7
==========================================
- Hits 2554 2552 -2
+ Misses 1015 1010 -5
Continue to review full report at Codecov.
|
proxy_url: loader.proxy_url()?, | ||
auth_info: loader.user, | ||
}) | ||
} | ||
|
||
/// Client certificate and private key in PEM. | ||
pub(crate) fn identity_pem(&self) -> Option<Vec<u8>> { |
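Review bot: the `Option<Vec<u8>>` return type on the removed `identity_pem(&self)` is the root of the "error is ignored" problem raised in the description: it can only say "no identity", so a configured certificate or key that fails to load (bad Base64, unreadable path) comes back as `None` and the caller proceeds without client authentication instead of failing. With this function gone and the certificate and key read from `auth_info`, the loaders that take its place should return `Result<Option<_>, _>`, with `Ok(None)` reserved for "not configured" and any load failure surfaced as `Err`.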
This is only necessary at the moment because of the way the TLS functions work. The identity PEM is split into a certificate chain and a private key anyway, so I'm planning to change TLS functions to accept them separately.
Having a private key separate makes it easier to implement some workarounds like converting a private key format without having to parse and extract it first. For example, #542 can be fixed by converting to PKCS#8 and that can be done in pure Rust (topk8).
Yep. I don't know why it is that way, it might have been me trying to be defensive 2 years back - even though it's ultimately more aggressive.
The concatenated `identity_pem` field shouldn't be necessary. At least, it shouldn't be necessary to store it in `Config`, because the client certificates and the private key are in `config.auth_info`.

I'm not sure why we're doing the following:
https://github.com/kube-rs/kube-rs/blob/52f69b9a89aa9e23605eb7f9c3ca673260e21853/kube-client/src/config/mod.rs#L269-L278
where `accept_invalid_certs` only respects the config when failing to load `identity_pem` and when `insecure_skip_tls_verify` is set to true. The following should be fine:

Also, the error from `identity_pem()` is ignored. I don't think `load_client_certificate()` and `load_client_key()` called in `identity_pem()` are defined correctly.
https://github.com/kube-rs/kube-rs/blob/52f69b9a89aa9e23605eb7f9c3ca673260e21853/kube-client/src/config/file_config.rs#L404-L414
These error when the fields are not present in the config, but that's valid and should return `None` in that case. Ideally, we should validate the configured fields when creating a `Config` and error when it's configured with an invalid Base64 or path.

This PR removes the `identity_pem` field with minimal changes.
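As an added example (not kube-rs code), here is the loader shape the description argues for, in Rust: `load_client_certificate()` and `load_client_key()` return `Ok(None)` when the kubeconfig fields are absent, `Err` when a field is set but holds invalid Base64 or an unreadable path, and the certificate chain and private key stay separate instead of being concatenated into one PEM. The `AuthInfo` struct, the `LoadError` variants, the `Incomplete` check for a half-configured identity, the rule that inline `*-data` fields take precedence over path fields, and the std-only Base64 decoder are this example's own choices, not kube-rs's; the inputs in `main` are constructed.

```rust
use std::fs;
use std::path::PathBuf;

/// Errors from loading a configured client certificate or key (example type).
#[derive(Debug)]
pub enum LoadError {
    /// A `*-data` field was set but is not valid Base64.
    InvalidBase64(&'static str),
    /// A path field was set but the file could not be read.
    Read(PathBuf, std::io::Error),
    /// Exactly one of certificate/key was configured (assumed invalid here).
    Incomplete,
}

/// Mutual-TLS subset of a kubeconfig `user` entry. Field names mirror the
/// kubeconfig keys client-certificate(-data) / client-key(-data); the struct
/// itself is an illustration, not kube-rs's `AuthInfo`.
#[derive(Default, Debug)]
pub struct AuthInfo {
    pub client_certificate: Option<PathBuf>,
    pub client_certificate_data: Option<String>,
    pub client_key: Option<PathBuf>,
    pub client_key_data: Option<String>,
}

/// Resolve one PEM blob. `Ok(None)` = not configured (valid); `Err` = configured
/// but unusable. Inline data wins over a path (assumed to match kubectl).
fn load_pem(data: Option<&str>, path: Option<&PathBuf>) -> Result<Option<Vec<u8>>, LoadError> {
    if let Some(b64) = data {
        return decode_base64(b64).map(Some).map_err(LoadError::InvalidBase64);
    }
    if let Some(p) = path {
        return fs::read(p).map(Some).map_err(|e| LoadError::Read(p.clone(), e));
    }
    Ok(None)
}

impl AuthInfo {
    pub fn load_client_certificate(&self) -> Result<Option<Vec<u8>>, LoadError> {
        load_pem(self.client_certificate_data.as_deref(), self.client_certificate.as_ref())
    }

    pub fn load_client_key(&self) -> Result<Option<Vec<u8>>, LoadError> {
        load_pem(self.client_key_data.as_deref(), self.client_key.as_ref())
    }

    /// Certificate chain and private key kept separate (no concatenated PEM).
    /// `Ok(None)` when no client identity is configured at all.
    pub fn identity(&self) -> Result<Option<(Vec<u8>, Vec<u8>)>, LoadError> {
        match (self.load_client_certificate()?, self.load_client_key()?) {
            (Some(cert), Some(key)) => Ok(Some((cert, key))),
            (None, None) => Ok(None),
            _ => Err(LoadError::Incomplete),
        }
    }
}

/// Strict standard-alphabet Base64 decoder (std only, so the example has no
/// dependencies). Whitespace is skipped; any other malformation is rejected.
fn decode_base64(s: &str) -> Result<Vec<u8>, &'static str> {
    fn sextet(c: u8) -> Result<u32, &'static str> {
        let v: u8 = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return Err("invalid character"),
        };
        Ok(v as u32)
    }
    let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if bytes.len() % 4 != 0 {
        return Err("length not a multiple of 4");
    }
    let chunks = bytes.len() / 4;
    let mut out = Vec::with_capacity(chunks * 3);
    for (i, chunk) in bytes.chunks(4).enumerate() {
        let pad = chunk.iter().rev().take_while(|&&b| b == b'=').count();
        if pad > 2 || (pad > 0 && i + 1 != chunks) {
            return Err("misplaced padding");
        }
        let mut acc = 0u32;
        for (j, &b) in chunk.iter().enumerate() {
            let v = if b == b'=' {
                if j < 4 - pad { return Err("misplaced padding"); }
                0
            } else {
                sextet(b)?
            };
            acc = (acc << 6) | v;
        }
        let triple = [(acc >> 16) as u8, (acc >> 8) as u8, acc as u8];
        out.extend_from_slice(&triple[..3 - pad]);
    }
    Ok(out)
}

fn main() {
    // Constructed input: "aGVsbG8gd29ybGQ=" is Base64 of "hello world", standing
    // in for PEM bytes; the key is left unset, so the identity is incomplete.
    let auth = AuthInfo { client_certificate_data: Some("aGVsbG8gd29ybGQ=".into()), ..Default::default() };
    println!("{:?}", auth.identity());
    println!("{:?}", AuthInfo::default().identity());
}
```

The distinction that matters for the caller is the three-way outcome: `Ok(None)` lets a client fall back to other credentials, `Ok(Some)` yields a usable identity, and `Err` stops the client from silently connecting without the client certificate the user configured.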