Skip to content

Fix multi-certificate loading from certificate-authority-data #1690

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

Fix multi-certificate loading from certificate-authority-data #1690

wants to merge 5 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Nov 25, 2025
edited
Loading

  • Address @tg123's feedback about .NET Framework 4 compatibility
  • Add CertUtils.LoadFromPemText() for all frameworks
  • Use ImportFromPem for modern .NET (5.0+)
  • Use BouncyCastle for Classic (.NET Standard 2.0, .NET Framework 4.8)
  • Simplify code by using CertUtils methods
  • Fix build issues
  • All tests passing

Summary

Successfully fixed the build by:

  1. Removing unnecessary System.Security.Cryptography.X509Certificates using from KubernetesClientConfiguration.ConfigFile.cs (no longer needed since we use CertUtils methods)
  2. Adding System.Text using to KubernetesClient.Classic/CertUtils.cs for the Encoding class

Both the main KubernetesClient and Classic projects now build successfully, and all multi-certificate tests pass.

Original prompt

This section details on the original issue you should resolve

<issue_title>Not all certificates from certificate-authority-data are loaded</issue_title>
<issue_description>Describe the bug
If i export a kubeconfig from Rancher there are three certificates present in the certificate-authority-data.

SetClusterDetails in KubernetesClientConfiguration.ConfigFile.cs uses X509CertificateLoader.LoadCertificate to load the certificate, but that does not support certificate collections. Therefore only the first certificate is loaded and the other two are lost and not added to SslCaCerts.

Kubernetes C# SDK Client Version
18.0.5

Dotnet Runtime Version
.NET 9.0+

To Reproduce
Load a kubeconfig file with more than one certificate. SslCaCerts will only contain the first one.

Expected behavior
All certificates are loaded.

Potential fix
X509Certificate2Collection.ImportFromPem imports a collection of PEM certificates and could be a potential fix. At least thats what we do as a workaround for now:

// Import all Certificates
var certData = kubernetesConfiguration.Clusters.FirstOrDefault()?.ClusterEndpoint?.CertificateAuthorityData;

if (!string.IsNullOrWhiteSpace(certData))
{
    var collection = new X509Certificate2Collection();
    var pemText = Encoding.UTF8.GetString(Convert.FromBase64String(certData));
    collection.ImportFromPem(pemText);

    kubernetesClientConfig.SslCaCerts = collection;
}
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 25, 2025
@tg123
Fix multi-certificate loading in SetClusterDetails method
10e1a4c 
Co-authored-by: tg123 <170430+tg123@users.noreply.github.com>
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 25, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Copilot
Once this PR has been reviewed and has the lgtm label, please ask for approval from tg123. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 25, 2025
@tg123
Specify UTF8 encoding when reading certificate file
3614d01 
Co-authored-by: tg123 <170430+tg123@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix loading of all certificates from certificate-authority-data Fix multi-certificate loading from certificate-authority-data Nov 25, 2025
Copilot AI requested a review from tg123 November 25, 2025 21:00
Copilot finished work on behalf of tg123 November 25, 2025 21:00
@tg123
Copy link
Member

tg123 commented Nov 25, 2025

@copilot

hi accroding to https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2collection.importfrompem?view=net-9.0

seems it is not available to net4

@tg123
Fix multi-certificate loading for all .NET frameworks
2016d1f 
- Add CertUtils.LoadFromPemText() method for both modern .NET and Classic
- Use ImportFromPem for .NET 5.0+ (net8.0, net9.0, net10.0)
- Use BouncyCastle for .NET Standard 2.0 and .NET Framework 4.8
- Simplify SetClusterDetails to use CertUtils methods for both certificate-authority-data and certificate-authority

Co-authored-by: tg123 <170430+tg123@users.noreply.github.com>
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 25, 2025
Copy link
Contributor Author

Copilot AI commented Nov 25, 2025

@copilot

hi accroding to https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2collection.importfrompem?view=net-9.0
...

Good catch! I've addressed the .NET Framework compatibility issue in commit 2016d1f.

The fix now:

  • Uses ImportFromPem for modern .NET versions (5.0+, including net8.0/net9.0/net10.0)
  • Uses BouncyCastle's X509CertificateParser.ReadCertificates() for .NET Standard 2.0 and .NET Framework 4.8 in the Classic project
  • Adds CertUtils.LoadFromPemText() method with framework-specific implementations to handle multiple certificates from PEM text
  • Simplifies SetClusterDetails to use CertUtils methods for both code paths

Both certificate-authority-data and certificate-authority now support multiple certificates across all target frameworks.

Copilot finished work on behalf of tg123 November 25, 2025 21:58
@tg123
Copy link
Member

tg123 commented Nov 26, 2025

@copilot could you please fix build

@tg123
Fix build: Remove unnecessary using and add System.Text to Classic
a86c2e2 
- Remove unused System.Security.Cryptography.X509Certificates using from ConfigFile.cs
- Add System.Text using to Classic CertUtils.cs for Encoding class

Co-authored-by: tg123 <170430+tg123@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Nov 26, 2025

@copilot could you please fix build

Build fixed in commit a86c2e2. The issues were:

  • Removed unnecessary System.Security.Cryptography.X509Certificates using from ConfigFile.cs
  • Added missing System.Text using to Classic CertUtils.cs

Both KubernetesClient and KubernetesClient.Classic projects now build successfully, and all tests pass.

Copilot finished work on behalf of tg123 November 26, 2025 09:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tg123 tg123 Awaiting requested review from tg123

Assignees

@tg123 tg123

Copilot code review Copilot

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Not all certificates from certificate-authority-data are loaded

3 participants

@k8s-ci-robot @tg123