Use the system certificate store if no certificates are specified.

kubernetes-client · Apr 11, 2023 · f2be6f6 · f2be6f6
1 parent 2af57ca
commit f2be6f6
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 8 deletions.
diff --git a/src/KubernetesClient/Kubernetes.ConfigInit.cs b/src/KubernetesClient/Kubernetes.ConfigInit.cs
@@ -74,19 +74,33 @@ private void InitializeFromConfig(KubernetesClientConfiguration config)
                 {
                     if (CaCerts == null)
                     {
-                        throw new KubeConfigException("A CA must be set when SkipTlsVerify === false");
+                        var store = new X509Store(
+                            StoreName.CertificateAuthority,
+                            StoreLocation.CurrentUser);
+#if NET5_0_OR_GREATER
+                        HttpClientHandler.SslOptions.RemoteCertificateValidationCallback =
+#else
+                        HttpClientHandler.ServerCertificateCustomValidationCallback =
+#endif
+                            (sender, certificate, chain, sslPolicyErrors) =>
+                            {
+                                return CertificateValidationCallBack(sender, store.Certificates, certificate, chain,
+                                    sslPolicyErrors);
+                            };
                     }
-
+                    else
+                    {
 #if NET5_0_OR_GREATER
-                    HttpClientHandler.SslOptions.RemoteCertificateValidationCallback =
+                        HttpClientHandler.SslOptions.RemoteCertificateValidationCallback =
 #else
                     HttpClientHandler.ServerCertificateCustomValidationCallback =
 #endif
-                        (sender, certificate, chain, sslPolicyErrors) =>
-                        {
-                            return CertificateValidationCallBack(sender, CaCerts, certificate, chain,
-                                sslPolicyErrors);
-                        };
+                            (sender, certificate, chain, sslPolicyErrors) =>
+                            {
+                                return CertificateValidationCallBack(sender, CaCerts, certificate, chain,
+                                    sslPolicyErrors);
+                            };
+                    }
                 }
             }
 

diff --git a/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs b/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
@@ -138,6 +138,20 @@ public void CheckClusterTlsSkipCorrectness()
             Assert.True(cfg.SkipTlsVerify);
         }
 
+        /// <summary>
+        ///     Checks that a KubeConfigException is not thrown when no certificate-authority-data is set and user do not require tls
+        ///     skip
+        /// </summary>
+        [Fact]
+        public void CheckClusterTlsNoSkipCorrectness()
+        {
+            var fi = new FileInfo("assets/kubeconfig.tls-no-skip.yml");
+            var cfg = KubernetesClientConfiguration.BuildConfigFromConfigFile(fi);
+            Assert.NotNull(cfg.Host);
+            Assert.Null(cfg.SslCaCerts);
+            Assert.False(cfg.SkipTlsVerify);
+        }
+
         /// <summary>
         ///     Checks that a KubeConfigException is thrown when the cluster defined in clusters and contexts do not match
         /// </summary>

diff --git a/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml b/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml
@@ -0,0 +1,22 @@
+# Sample file based on https://kubernetes.io/docs/tasks/access-application-cluster/authenticate-across-clusters-kubeconfig/
+# WARNING: File includes minor fixes
+---
+current-context: federal-context
+apiVersion: v1
+clusters:
+- cluster:
+    insecure-skip-tls-verify: false
+    server: https://horse.org:443
+  name: horse-cluster
+contexts:
+- context:
+    cluster: horse-cluster
+    namespace: chisel-ns
+    user: green-user
+  name: federal-context
+kind: Config
+users:
+- name: green-user
+  user:
+    password: secret
+    username: admin