add a webpki-roots feature to optionally use WebPKI roots on rustls
Signed-off-by: Elias Wilken <[email protected]>
ewilken committed Sep 28, 2024
1 parent bb9a44e commit efe81c6
Showing 4 changed files with 16 additions and 3 deletions.
2 changes: 2 additions & 0 deletions deny.toml
Expand Up @@ -31,6 +31,8 @@ allow = [
# Pulled in via aws_lc_rs when using rustls-tls and aws-lc-rs features
# https://openssl-library.org/source/license/index.html
"OpenSSL",
# Pulled in via hyper-rustls when using the webpki-roots feature
"MPL-2.0",
]

exceptions = [
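Review bot: The new `"MPL-2.0"` entry in the global `allow` list accepts that license from every crate in the graph, not only from the one the `webpki-roots` feature pulls in, so a future transitive dependency switching to MPL-2.0 would pass review silently. The file already has an `exceptions = [` table a few lines below, which cargo-deny evaluates per crate; scoping the allowance there, e.g. `{ allow = ["MPL-2.0"], name = "webpki-roots" }`, keeps the global policy as strict as before. The crate name is inferred from the comment on the added line and should be confirmed against `cargo deny check licenses` output.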
1 change: 1 addition & 0 deletions kube-client/Cargo.toml
Expand Up @@ -14,6 +14,7 @@ categories = ["web-programming::http-client", "network-programming", "api-bindin
[features]
default = ["client"]
rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
webpki-roots = ["hyper-rustls/webpki-roots"]
aws-lc-rs = ["rustls?/aws-lc-rs"]
openssl-tls = ["openssl", "hyper-openssl"]
ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws", "tokio/macros"]
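Review bot: The new `webpki-roots` feature enables `hyper-rustls/webpki-roots` but does not enable `rustls-tls` itself, so a user who turns on only `webpki-roots` gets `hyper-rustls` compiled with its root bundle while `rustls` and `rustls-pemfile` (pulled in by `rustls-tls` on the line above) stay off, and the code path that calls `with_webpki_roots()` is presumably never built. Making the dependency explicit, `webpki-roots = ["rustls-tls", "hyper-rustls/webpki-roots"]`, removes that silent no-op combination; this assumes the rustls module in tls.rs is gated on `rustls-tls`, which is not visible in this hunk. It is also worth a short comment noting that the feature replaces the OS trust store rather than supplementing it, since that is a trust-anchor change rather than a convenience.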
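--- a/kube-client/src/client/tls.rs
+++ b/kube-client/src/client/tls.rs
@@ -55,9 +55,18 @@ pub mod rustls_tls {
 let config_builder = if let Some(certs) = root_certs {
 ClientConfig::builder().with_root_certificates(root_store(certs)?)
 } else {
-ClientConfig::builder()
-.with_native_roots()
-.map_err(Error::NoValidNativeRootCA)?
+#[cfg(feature = "webpki-roots")]
+{
+// Use WebPKI roots.
+ClientConfig::builder().with_webpki_roots()
+}
+#[cfg(not(feature = "webpki-roots"))]
+{
+// Use native roots. This will panic on Android and iOS.
+ClientConfig::builder()
+.with_native_roots()
+.map_err(Error::NoValidNativeRootCA)?
+}
 };
 
 let mut client_config = if let Some((chain, pkey)) = identity_pem.map(client_auth).transpose()? {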
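Review bot: The `#[cfg(feature = "webpki-roots")]` branch compiles the native-roots path out entirely, so the feature is an exclusive switch rather than a fallback: once it is on, an API server whose certificate chains to a CA installed in the OS store (a corporate or cluster-provisioning CA) but absent from the bundled Mozilla list will fail verification, and because Cargo unifies features across the build, any crate in the graph enabling it flips the trust anchors for every kube user in that binary. The comment on the new `// Use WebPKI roots.` line should say so; something like `// Use the bundled WebPKI (Mozilla) roots instead of the OS trust store. This is a build-wide trust-anchor choice: OS-installed CAs are NOT consulted when this feature is on.` The other new comment, `// Use native roots. This will panic on Android and iOS.`, disagrees with the code two lines below it, which maps a returned error into `Error::NoValidNativeRootCA` rather than panicking; if the call really panics on those targets the `map_err` is dead there, and if it returns an error the comment is wrong, so the comment should be reworded to whichever `with_native_roots()` actually does, e.g. `// Use native roots; on platforms without a usable OS store this fails with NoValidNativeRootCA.` The enclosing function begins before this hunk and continues after it.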
1 change: 1 addition & 0 deletions kube/Cargo.toml
Expand Up @@ -37,6 +37,7 @@ unstable-runtime = ["kube-runtime/unstable-runtime", "runtime"]
unstable-client = ["kube-client/unstable-client", "client"]
socks5 = ["kube-client/socks5", "client"]
http-proxy = ["kube-client/http-proxy", "client"]
webpki-roots = ["kube-client/webpki-roots", "client"]

[package.metadata.docs.rs]
features = ["client", "rustls-tls", "openssl-tls", "derive", "ws", "oauth", "jsonpatch", "admission", "runtime", "k8s-openapi/latest", "unstable-runtime", "socks5", "http-proxy"]
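Review bot: The docs.rs `features` list on the last line of this hunk is not updated to include `webpki-roots`, even though the sibling features added the same way (`socks5`, `http-proxy`) are listed there, so the new feature's gated items will be missing from the published documentation; append `"webpki-roots"` to that array. The forwarding line `webpki-roots = ["kube-client/webpki-roots", "client"]` also enables `client` but not `rustls-tls`, unlike what a user would expect from a feature that only has meaning under rustls; if the facade has a `rustls-tls` feature above this hunk, `webpki-roots = ["kube-client/webpki-roots", "rustls-tls", "client"]` would make the combination explicit. The rest of the feature table is outside the hunk, so whether such a feature exists is inferred.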
