[JENKINS-29213] configure HttpClient to accept (self-signed) certificate

pom.xml

@@ -88,6 +88,16 @@
 			<artifactId>jackson-datatype-joda</artifactId>
 			<version>${jackson.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.httpcomponents</groupId>
+			<artifactId>httpclient</artifactId>
+			<version>4.3</version>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcprov-jdk16</artifactId>
+			<version>1.46</version>
+		</dependency>
 
 		<dependency>
 			<groupId>junit</groupId>

src/main/java/com/github/kubernetes/java/client/v2/KubernetesApiClient.java

@@ -33,6 +33,11 @@ public KubernetesApiClient(String endpointUrl, String username, String password)
     }
 
     public KubernetesApiClient(String endpointUrl, String username, String password, RestFactory factory) {
+        this(endpointUrl, username, password, null, factory);
+    }
+
+
+    public KubernetesApiClient(String endpointUrl, String username, String password, String serverCertificate, RestFactory factory) {
         try {
             if (endpointUrl.matches("/api/v1[a-z0-9]+")) {
                 LOG.warn("Deprecated: KubernetesApiClient endpointUrl should not include the /api/version section in "
@@ -44,7 +49,7 @@ public KubernetesApiClient(String endpointUrl, String username, String password,
         } catch (URISyntaxException e) {
             throw new RuntimeException(e);
         }
-        api = factory.createAPI(endpointURI, username, password);
+        api = factory.createAPI(endpointURI, username, password, serverCertificate);
     }
 
     public Pod getPod(String podId) throws KubernetesClientException {

src/main/java/com/github/kubernetes/java/client/v2/RestFactory.java

@@ -1,23 +1,35 @@
 package com.github.kubernetes.java.client.v2;
 
-import java.net.URI;
-import java.net.URISyntaxException;
-
+import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
 import org.apache.http.HttpHost;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.http.client.AuthCache;
-import org.apache.http.client.protocol.ClientContext;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.client.protocol.HttpClientContext;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.SSLContextBuilder;
 import org.apache.http.impl.auth.BasicScheme;
 import org.apache.http.impl.client.BasicAuthCache;
-import org.apache.http.impl.client.DefaultHttpClient;
-import org.apache.http.protocol.BasicHttpContext;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.bouncycastle.openssl.PEMReader;
 import org.jboss.resteasy.client.jaxrs.ProxyBuilder;
 import org.jboss.resteasy.client.jaxrs.ResteasyClient;
 import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
 import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
 
-import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
+import java.io.IOException;
+import java.io.StringReader;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 
 public class RestFactory {
 
@@ -41,7 +53,7 @@ public RestFactory connectionPoolSize(int connectionPoolSize) {
         return this;
     }
 
-    public KubernetesAPI createAPI(URI uri, String userName, String password) {
+    public KubernetesAPI createAPI(URI uri, String userName, String password, String serverCertificate) {
 
         // Configure HttpClient to authenticate preemptively
         // by prepopulating the authentication data cache.
@@ -50,24 +62,57 @@ public KubernetesAPI createAPI(URI uri, String userName, String password) {
 
         HttpHost targetHost = new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
 
-        DefaultHttpClient httpclient = new DefaultHttpClient();
 
-        httpclient.getCredentialsProvider().setCredentials(
+        SSLConnectionSocketFactory sslsf = null;
+        if (serverCertificate != null) {
+            try {
+                KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+                ks.load(null);
+
+                PEMReader reader = new PEMReader(new StringReader(serverCertificate));
+                X509Certificate cert = (X509Certificate) reader.readObject();
+                ks.setCertificateEntry(uri.getHost(), cert);
+
+                sslsf = new SSLConnectionSocketFactory(
+                        new SSLContextBuilder()
+                                .loadTrustMaterial(ks)
+                                .build());
+            } catch (NoSuchAlgorithmException e) {
+                e.printStackTrace();
+            } catch (KeyManagementException e) {
+                e.printStackTrace();
+            } catch (KeyStoreException e) {
+                e.printStackTrace();
+            } catch (CertificateException e) {
+                e.printStackTrace();
+            } catch (IOException e) {
+                e.printStackTrace();
+            }
+        }
+
+        CredentialsProvider credsProvider = new BasicCredentialsProvider();
+        credsProvider.setCredentials(
                 new AuthScope(targetHost.getHostName(), targetHost.getPort()),
                 new UsernamePasswordCredentials(userName, password));
 
+        CloseableHttpClient httpclient = HttpClients.custom()
+                .setSSLSocketFactory(sslsf)
+                .setDefaultCredentialsProvider(credsProvider)
+                .build();
+
         // Create AuthCache instance
         AuthCache authCache = new BasicAuthCache();
         // Generate BASIC scheme object and add it to the local auth cache
         BasicScheme basicAuth = new BasicScheme();
         authCache.put(targetHost, basicAuth);
 
         // Add AuthCache to the execution context
-        BasicHttpContext localcontext = new BasicHttpContext();
-        localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
+        HttpClientContext context = HttpClientContext.create();
+        context.setCredentialsProvider(credsProvider);
+        context.setAuthCache(authCache);
 
         // 4. Create client executor and proxy
-        ApacheHttpClient4Engine engine = new ApacheHttpClient4Engine(httpclient, localcontext);
+        ApacheHttpClient4Engine engine = new ApacheHttpClient4Engine(httpclient, context);
         ResteasyClient client = new ResteasyClientBuilder().connectionPoolSize(connectionPoolSize).httpEngine(engine)
                 .build();
 
@@ -80,7 +125,16 @@ public KubernetesAPI createAPI(URI uri, String userName, String password) {
     }
 
     public KubernetesAPI createAPI(String url, String userName, String password) throws URISyntaxException {
+        return createAPI(url, userName, password, null);
+    }
+
+    public KubernetesAPI createAPI(URI uri, String userName, String password) {
+        return createAPI(uri, userName, password, null);
+    }
+
+
+    public KubernetesAPI createAPI(String url, String userName, String password, String serverCertificate) throws URISyntaxException {
         URI uri = new URI(url);
-        return createAPI(uri, userName, password);
+        return createAPI(uri, userName, password, serverCertificate);
     }
 }