From efe81c65aee2ac6f8d422396fc3aefade4a89d1e Mon Sep 17 00:00:00 2001 From: Elias Wilken Date: Sat, 28 Sep 2024 12:32:27 +0200 Subject: [PATCH 1/3] add a `webpki-roots` feature to optionally use WebPKI roots on rustls Signed-off-by: Elias Wilken --- deny.toml | 2 ++ kube-client/Cargo.toml | 1 + kube-client/src/client/tls.rs | 15 ++++++++++++--- kube/Cargo.toml | 1 + 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/deny.toml b/deny.toml index a7a99e607..5a0b5d85d 100644 --- a/deny.toml +++ b/deny.toml @@ -31,6 +31,8 @@ allow = [ # Pulled in via aws_lc_rs when using rustls-tls and aws-lc-rs features # https://openssl-library.org/source/license/index.html "OpenSSL", + # Pulled in via hyper-rustls when using the webpki-roots feature + "MPL-2.0", ] exceptions = [ diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml index 69ce0a222..c7c262933 100644 --- a/kube-client/Cargo.toml +++ b/kube-client/Cargo.toml @@ -14,6 +14,7 @@ categories = ["web-programming::http-client", "network-programming", "api-bindin [features] default = ["client"] rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"] +webpki-roots = ["hyper-rustls/webpki-roots"] aws-lc-rs = ["rustls?/aws-lc-rs"] openssl-tls = ["openssl", "hyper-openssl"] ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws", "tokio/macros"] diff --git a/kube-client/src/client/tls.rs b/kube-client/src/client/tls.rs index 136a9bfa0..25bdb737e 100644 --- a/kube-client/src/client/tls.rs +++ b/kube-client/src/client/tls.rs @@ -55,9 +55,18 @@ pub mod rustls_tls { let config_builder = if let Some(certs) = root_certs { ClientConfig::builder().with_root_certificates(root_store(certs)?) } else { - ClientConfig::builder() - .with_native_roots() - .map_err(Error::NoValidNativeRootCA)? + #[cfg(feature = "webpki-roots")] + { + // Use WebPKI roots. + ClientConfig::builder().with_webpki_roots() + } + #[cfg(not(feature = "webpki-roots"))] + { + // Use native roots. This will panic on Android and iOS. + ClientConfig::builder() + .with_native_roots() + .map_err(Error::NoValidNativeRootCA)? + } }; let mut client_config = if let Some((chain, pkey)) = identity_pem.map(client_auth).transpose()? { diff --git a/kube/Cargo.toml b/kube/Cargo.toml index ef579effd..d56d470eb 100644 --- a/kube/Cargo.toml +++ b/kube/Cargo.toml @@ -37,6 +37,7 @@ unstable-runtime = ["kube-runtime/unstable-runtime", "runtime"] unstable-client = ["kube-client/unstable-client", "client"] socks5 = ["kube-client/socks5", "client"] http-proxy = ["kube-client/http-proxy", "client"] +webpki-roots = ["kube-client/webpki-roots", "client"] [package.metadata.docs.rs] features = ["client", "rustls-tls", "openssl-tls", "derive", "ws", "oauth", "jsonpatch", "admission", "runtime", "k8s-openapi/latest", "unstable-runtime", "socks5", "http-proxy"] From 05eee2eb8f20f94cd2f267b98b3f33ffff8185ba Mon Sep 17 00:00:00 2001 From: Elias Wilken Date: Sat, 28 Sep 2024 18:30:08 +0200 Subject: [PATCH 2/3] create explicit allow rule for MPL-2.0 on `webpki-roots` Signed-off-by: Elias Wilken --- deny.toml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deny.toml b/deny.toml index 5a0b5d85d..5a67b9755 100644 --- a/deny.toml +++ b/deny.toml @@ -31,8 +31,6 @@ allow = [ # Pulled in via aws_lc_rs when using rustls-tls and aws-lc-rs features # https://openssl-library.org/source/license/index.html "OpenSSL", - # Pulled in via hyper-rustls when using the webpki-roots feature - "MPL-2.0", ] exceptions = [ @@ -42,6 +40,9 @@ exceptions = [ # this is not a problem for us. See https://github.com/dtolnay/unicode-ident/pull/9/files # for more details. { allow = ["Unicode-DFS-2016"], name = "unicode-ident" }, + # Pulled in via hyper-rustls when using the webpki-roots feature, + # which is off by default. + { allow = ["MPL-2.0"], name = "webpki-roots" }, ] [[licenses.clarify]] From f5c33fec45619d19a5670bec434838b1ec2f19aa Mon Sep 17 00:00:00 2001 From: Elias Wilken Date: Sat, 28 Sep 2024 18:31:44 +0200 Subject: [PATCH 3/3] respect the `webpki-roots` feature on the OAuth & OIDC clients Signed-off-by: Elias Wilken --- kube-client/src/client/auth/oauth.rs | 8 +++++++- kube-client/src/client/auth/oidc.rs | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/kube-client/src/client/auth/oauth.rs b/kube-client/src/client/auth/oauth.rs index 4363f6775..0def2f39d 100644 --- a/kube-client/src/client/auth/oauth.rs +++ b/kube-client/src/client/auth/oauth.rs @@ -118,13 +118,19 @@ impl Gcp { // Current TLS feature precedence when more than one are set: // 1. rustls-tls // 2. openssl-tls - #[cfg(feature = "rustls-tls")] + #[cfg(all(feature = "rustls-tls", not(feature = "webpki-roots")))] let https = hyper_rustls::HttpsConnectorBuilder::new() .with_native_roots() .map_err(Error::NoValidNativeRootCA)? .https_only() .enable_http1() .build(); + #[cfg(all(feature = "rustls-tls", feature = "webpki-roots"))] + let https = hyper_rustls::HttpsConnectorBuilder::new() + .with_webpki_roots() + .https_only() + .enable_http1() + .build(); #[cfg(all(not(feature = "rustls-tls"), feature = "openssl-tls"))] let https = hyper_openssl::HttpsConnector::new().map_err(Error::CreateOpensslHttpsConnector)?; diff --git a/kube-client/src/client/auth/oidc.rs b/kube-client/src/client/auth/oidc.rs index ecd8364e6..820dbf701 100644 --- a/kube-client/src/client/auth/oidc.rs +++ b/kube-client/src/client/auth/oidc.rs @@ -313,13 +313,19 @@ impl Refresher { .install_default() .unwrap(); - #[cfg(feature = "rustls-tls")] + #[cfg(all(feature = "rustls-tls", not(feature = "webpki-roots")))] let https = hyper_rustls::HttpsConnectorBuilder::new() .with_native_roots() .map_err(|_| errors::RefreshInitError::NoValidNativeRootCA)? .https_only() .enable_http1() .build(); + #[cfg(all(feature = "rustls-tls", feature = "webpki-roots"))] + let https = hyper_rustls::HttpsConnectorBuilder::new() + .with_webpki_roots() + .https_only() + .enable_http1() + .build(); #[cfg(all(not(feature = "rustls-tls"), feature = "openssl-tls"))] let https = hyper_openssl::HttpsConnector::new()?;