Skip to content

Support insecure ca root validation. #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mbohlool merged 1 commit into from
Jun 25, 2017
Merged

Support insecure ca root validation. #32

mbohlool merged 1 commit into from
Jun 25, 2017
+23 −10

Conversation

@brendandburns
Copy link
Contributor

@brendandburns brendandburns commented Jun 24, 2017
edited
Loading

@mbohlool this is needed for Bronze certification

Fixes #33

mbohlool
mbohlool reviewed Jun 25, 2017
View reviewed changes
util/src/main/java/io/kubernetes/client/util/Config.java
// grumpy'
String caCert = config.getCertificateAuthorityData();
String caCertFile = config.getCertificateAuthorityFile();
if (caCert != null || caCertFile != null) {
Copy link
Contributor

@mbohlool mbohlool Jun 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we fail if config.verifySSL() is true and both of these two are null?

Copy link
Contributor Author

@brendandburns brendandburns Jun 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, because you could be using a legit well-known CA issued cert, in which case you don't have to supply your own CA root.

util/src/main/java/io/kubernetes/client/util/Config.java
}
}
} else {
client.setVerifyingSsl(false);
Copy link
Contributor

@mbohlool mbohlool Jun 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we also set this to true in the previous block. just to be bullet proof (e.g. somebody loading config with verifySSL false and then again with it set to true.

Copy link
Contributor Author

@brendandburns brendandburns Jun 25, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This call is static and always creates both a new KubeConfig object and returns a new client, so I don't think that is a risk.

@brendandburns
Copy link
Contributor Author

brendandburns commented Jun 25, 2017

Comments addressed, relevant issue filed and linked.

@mbohlool
Copy link
Contributor

mbohlool commented Jun 25, 2017

LGTM

@mbohlool mbohlool merged commit 27b164e into kubernetes-client:master Jun 25, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mbohlool mbohlool mbohlool left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@brendandburns @mbohlool @brendanburns