Use the system certificate store if no certificates are specified. (#1261)

* Use the system certificate store if no certificates are specified. * Don't use ServerCertificateCustomValidationCallback when no CA is set
2023-04-18 16:36:45 -07:00
parent 142fd14e25
commit 729b10c731
3 changed files with 45 additions and 11 deletions
--- a/src/KubernetesClient/Kubernetes.ConfigInit.cs
+++ b/src/KubernetesClient/Kubernetes.ConfigInit.cs
@@ -72,21 +72,19 @@ namespace k8s
                }
                else
                {
-                    if (CaCerts == null)
+                    if (CaCerts != null)
                    {
-                        throw new KubeConfigException("A CA must be set when SkipTlsVerify === false");
-                    }
-
 #if NET5_0_OR_GREATER
-                    HttpClientHandler.SslOptions.RemoteCertificateValidationCallback =
+                        HttpClientHandler.SslOptions.RemoteCertificateValidationCallback =
 #else
-                    HttpClientHandler.ServerCertificateCustomValidationCallback =
+                        HttpClientHandler.ServerCertificateCustomValidationCallback =
 #endif
-                        (sender, certificate, chain, sslPolicyErrors) =>
-                        {
-                            return CertificateValidationCallBack(sender, CaCerts, certificate, chain,
-                                sslPolicyErrors);
-                        };
+                            (sender, certificate, chain, sslPolicyErrors) =>
+                            {
+                                return CertificateValidationCallBack(sender, CaCerts, certificate, chain,
+                                    sslPolicyErrors);
+                            };
+                    }
                }
            }

--- a/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
+++ b/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
@@ -138,6 +138,20 @@ namespace k8s.Tests
            Assert.True(cfg.SkipTlsVerify);
        }

+        /// <summary>
+        ///     Checks that a KubeConfigException is not thrown when no certificate-authority-data is set and user do not require tls
+        ///     skip
+        /// </summary>
+        [Fact]
+        public void CheckClusterTlsNoSkipCorrectness()
+        {
+            var fi = new FileInfo("assets/kubeconfig.tls-no-skip.yml");
+            var cfg = KubernetesClientConfiguration.BuildConfigFromConfigFile(fi);
+            Assert.NotNull(cfg.Host);
+            Assert.Null(cfg.SslCaCerts);
+            Assert.False(cfg.SkipTlsVerify);
+        }
+
        /// <summary>
        ///     Checks that a KubeConfigException is thrown when the cluster defined in clusters and contexts do not match
        /// </summary>
--- a/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml
+++ b/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml
@@ -0,0 +1,22 @@
+# Sample file based on https://kubernetes.io/docs/tasks/access-application-cluster/authenticate-across-clusters-kubeconfig/
+# WARNING: File includes minor fixes
+---
+current-context: federal-context
+apiVersion: v1
+clusters:
+- cluster:
+    insecure-skip-tls-verify: false
+    server: https://horse.org:443
+  name: horse-cluster
+contexts:
+- context:
+    cluster: horse-cluster
+    namespace: chisel-ns
+    user: green-user
+  name: federal-context
+kind: Config
+users:
+- name: green-user
+  user:
+    password: secret
+    username: admin