From 1e5fd483bfb470cc43fbf523daa2fe98195993ef Mon Sep 17 00:00:00 2001
From: Elias Wilken <elias@nautik.io>
Date: Tue, 24 Oct 2023 16:30:13 +0200
Subject: [PATCH] add a `webpki-roots` feature to optionally use WebPKI roots
 on rustls

Signed-off-by: Elias Wilken <elias@nautik.io>
---
 kube-client/Cargo.toml        |  1 +
 kube-client/src/client/tls.rs | 12 +++++++++++-
 kube/Cargo.toml               |  1 +
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml
index 236e70519..c575c2c45 100644
--- a/kube-client/Cargo.toml
+++ b/kube-client/Cargo.toml
@@ -18,6 +18,7 @@ edition = "2021"
 [features]
 default = ["client"]
 rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls"]
+webpki-roots = ["hyper-rustls/webpki-roots"]
 openssl-tls = ["openssl", "hyper-openssl"]
 ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws", "tokio/macros"]
 oauth = ["client", "tame-oauth"]
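Review bot: The new `webpki-roots` feature does not imply `rustls-tls`, so enabling it alone pulls in `hyper-rustls` (via the `hyper-rustls/webpki-roots` path) without `rustls`/`rustls-pemfile`, and if the `rustls_tls` module in tls.rs is gated on `rustls-tls` (not visible in this patch) the `cfg(feature = "webpki-roots")` branch is never compiled, which silently yields a build that still uses native roots. Consider `webpki-roots = ["rustls-tls", "hyper-rustls/webpki-roots"]` so the feature cannot be turned on in a configuration where it has no effect. Also worth a comment here noting that Cargo features are additive: any crate in the dependency graph that enables this feature switches every `kube` consumer's fallback trust store.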
diff --git a/kube-client/src/client/tls.rs b/kube-client/src/client/tls.rs
index 45785a8c9..d535d25fd 100644
--- a/kube-client/src/client/tls.rs
+++ b/kube-client/src/client/tls.rs
@@ -48,7 +48,17 @@ pub mod rustls_tls {
                 .with_safe_defaults()
                 .with_root_certificates(root_store(certs)?)
         } else {
-            ClientConfig::builder().with_safe_defaults().with_native_roots()
+            #[cfg(feature = "webpki-roots")]
+            {
+                // Use WebPKI roots.
+                ClientConfig::builder().with_safe_defaults().with_webpki_roots()
+            }
+
+            #[cfg(not(feature = "webpki-roots"))]
+            {
+                // Use native roots. This will panic on Android and iOS.
+                ClientConfig::builder().with_safe_defaults().with_native_roots()
+            }
         };
 
         let mut client_config = if let Some((chain, pkey)) = identity_pem.map(client_auth).transpose()? {
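Review bot: The `webpki-roots` branch changes which trust anchors are used when the kubeconfig supplies no CA, and the comment on the new line only says "Use WebPKI roots" without stating the consequence: the OS/enterprise trust store is no longer consulted, so an API server whose certificate chains to a CA installed only in the system store (common behind corporate TLS-intercepting proxies or with private cluster CAs) will fail verification, and the bundled Mozilla list is frozen at build time and only refreshes with a dependency bump. Because Cargo features unify across the graph, this flip can be triggered by any other dependency enabling the feature, not just the application author, so the comment should make the trade-off explicit. I would replace the one-liner with `// Use the Mozilla WebPKI bundle compiled into the binary instead of the OS trust store. CAs present only in the system store will not be trusted, and the bundle only updates with a crate bump.` The fallback is reached only when `certs` is absent; the enclosing function starts and ends outside this hunk.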
diff --git a/kube/Cargo.toml b/kube/Cargo.toml
index 92af9cb6e..0c9e02503 100644
--- a/kube/Cargo.toml
+++ b/kube/Cargo.toml
@@ -36,6 +36,7 @@ admission = ["kube-core/admission"]
 derive = ["kube-derive", "kube-core/schema"]
 runtime = ["kube-runtime"]
 unstable-runtime = ["kube-runtime/unstable-runtime"]
+webpki-roots = ["kube-client/webpki-roots"]
 
 [package.metadata.docs.rs]
 features = ["client", "rustls-tls", "openssl-tls", "derive", "ws", "oauth", "jsonpatch", "admission", "runtime", "k8s-openapi/latest", "unstable-runtime"]
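Review bot: The new `webpki-roots` feature is not added to the `[package.metadata.docs.rs] features` list on the last line of the hunk, so the `cfg(feature = "webpki-roots")` path and its trust-store implications will not appear in the published docs even though the other opt-in TLS features do. Since this feature alters the default trust anchors, it is one that users should be able to discover from the rendered documentation; add it to that list, e.g. `features = ["client", "rustls-tls", "openssl-tls", "webpki-roots", "derive", ...]`. A short feature description in the crate-level docs (not in this hunk) noting that it replaces native roots would help as well.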