TLS auth with EcdsaP521 works with openssl but not with rustls #1562

@mcluseau

Description

Current and expected behavior

With a cluster definition like this in kubeconfig:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <REDACTED>
    server: https://10.1.1.1:6443
  name: test

and the following program:

use k8s_openapi::api::core::v1::Pod;
use kube::{
    api::{Api, ListParams},
    Client,
};

#[tokio::main]
async fn main() -> eyre::Result<()> {
    let cfg = kube::Config::infer().await?;
    let client: Client = cfg.try_into()?;

    let pods: Api<Pod> = Api::default_namespaced(client);
    println!(
        "found {} pods",
        pods.list(&ListParams::default()).await?.items.len()
    );

    Ok(())
}

(a) with the rustls feature:

$ grep ^k Cargo.toml  
k8s-openapi = { version = "0.22.0", features = ["v1_24"] }
kube = { version = "0.93.1", features = ["client", "config", "rustls-tls"], default-features = false }
$ cargo run
[...]
Error: ServiceError: client error (Connect)

Caused by:
   0: client error (Connect)
   1: invalid peer certificate: UnknownIssuer

Location:
    src/main.rs:16:9

(b) with the openssl feature:

$ grep ^k Cargo.toml  
k8s-openapi = { version = "0.22.0", features = ["v1_24"] }
kube = { version = "0.93.1", features = ["client", "config", "openssl-tls"], default-features = false }
$ cargo run
[...]
found 17 pods

Possible solution

Using openssl is a solution, but from an issue search I found that it does not support tls-server-name.
I can live with it, as I can set up the name resolution as I need it.
I can put a few hours on this and on #991 to see if I can find solutions.

Additional context

No response

Environment

$ kubectl version
Server Version: v1.28.6

Configuration and features

k8s-openapi = { version = "0.22.0", features = ["v1_24"] }
kube = { version = "0.93.1", features = ["client", "config", "rustls-tls"], default-features = false }

and

k8s-openapi = { version = "0.22.0", features = ["v1_24"] }
kube = { version = "0.93.1", features = ["client", "config", "openssl-tls"], default-features = false }

Affected crates

kube-client

Would you like to work on fixing this bug?

yes
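A way to check ahead of time whether a kubeconfig's CA is the case this issue describes, as an added example (not kube-rs code): it walks the DER of the certificate that `certificate-authority-data` decodes to and reports the signature algorithm and, for EC keys, the named curve. rustls' `ring` crypto provider has no P-521 (secp521r1) verifier, so when that provider is in use a chain anchored on a P-521 CA cannot be built and surfaces as `UnknownIssuer`. The OID constants and the skeleton certificate below are constructed for the example; a real CA would come from base64-decoding the kubeconfig field.

```rust
// Added example, not kube-rs code: dependency-free DER walk over a CA certificate
// to report its signature algorithm OID and EC curve OID, so a P-521 CA can be
// spotted before rustls (with the `ring` provider) rejects it as UnknownIssuer.

const OID_ECDSA_WITH_SHA512: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04]; // 1.2.840.10045.4.3.4
const OID_EC_PUBLIC_KEY: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01];          // 1.2.840.10045.2.1
const OID_SECP384R1: &[u8] = &[0x2b, 0x81, 0x04, 0x00, 0x22];                          // 1.3.132.0.34
const OID_SECP521R1: &[u8] = &[0x2b, 0x81, 0x04, 0x00, 0x23];                          // 1.3.132.0.35

/// One DER element: its tag, its content, and whatever follows it.
struct Tlv<'a> { tag: u8, content: &'a [u8], rest: &'a [u8] }

fn read_tlv(input: &[u8]) -> Option<Tlv<'_>> {
    let tag = *input.first()?;
    let first = *input.get(1)?;
    let (len, header) = if first & 0x80 == 0 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 { return None; }               // indefinite/huge lengths are not DER
        let mut len = 0usize;
        for i in 0..n { len = (len << 8) | *input.get(2 + i)? as usize; }
        (len, 2 + n)
    };
    let end = header.checked_add(len)?;
    if end > input.len() { return None; }                  // truncated input
    Some(Tlv { tag, content: &input[header..end], rest: &input[end..] })
}

/// Decode OID content bytes into dotted form, e.g. "1.3.132.0.35".
fn oid_to_string(content: &[u8]) -> String {
    let mut arcs: Vec<u64> = Vec::new();
    let mut acc = 0u64;
    for &b in content {
        acc = (acc << 7) | u64::from(b & 0x7f);
        if b & 0x80 == 0 {
            if arcs.is_empty() {
                // The first byte packs the first two arcs as 40*a + b.
                let (a, b) = if acc < 80 { (acc / 40, acc % 40) } else { (2, acc - 80) };
                arcs.push(a); arcs.push(b);
            } else { arcs.push(acc); }
            acc = 0;
        }
    }
    arcs.iter().map(u64::to_string).collect::<Vec<_>>().join(".")
}

#[derive(Debug, PartialEq)]
pub struct CertAlgorithms { pub signature_oid: String, pub curve_oid: Option<String> }

/// Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and read the
/// signatureAlgorithm OID plus (for EC keys) the namedCurve OID.
pub fn cert_algorithms(bytes: &[u8]) -> Option<CertAlgorithms> {
    let cert = read_tlv(bytes).filter(|t| t.tag == 0x30)?;
    let tbs = read_tlv(cert.content).filter(|t| t.tag == 0x30)?;
    let sig_alg = read_tlv(tbs.rest)?;                            // AlgorithmIdentifier
    let sig_oid = read_tlv(sig_alg.content).filter(|t| t.tag == 0x06)?;

    let mut field = read_tlv(tbs.content)?;
    if field.tag == 0xa0 { field = read_tlv(field.rest)?; }       // skip optional [0] version
    let mut rest = field.rest;                                    // field is now serialNumber
    for _ in 0..4 { rest = read_tlv(rest)?.rest; }                // signature, issuer, validity, subject
    let spki = read_tlv(rest)?;
    let key_alg = read_tlv(spki.content)?;
    let key_oid = read_tlv(key_alg.content).filter(|t| t.tag == 0x06)?;
    let curve_oid = if key_oid.content == OID_EC_PUBLIC_KEY {
        read_tlv(key_oid.rest).filter(|t| t.tag == 0x06).map(|t| oid_to_string(t.content))
    } else { None };
    Some(CertAlgorithms { signature_oid: oid_to_string(sig_oid.content), curve_oid })
}

/// True when the CA key is on secp521r1: webpki on `ring` has no P-521
/// verifier, so every chain it anchors ends in `UnknownIssuer`.
pub fn is_p521_ca(alg: &CertAlgorithms) -> bool {
    alg.curve_oid.as_deref() == Some("1.3.132.0.35")
}

// --- constructed sample input: a structural skeleton, not a valid certificate ---

fn der(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    let len = content.len();
    if len < 0x80 { out.push(len as u8); } else {
        let be = len.to_be_bytes();
        let skip = be.iter().take_while(|&&b| b == 0).count();
        out.push(0x80 | (be.len() - skip) as u8);
        out.extend_from_slice(&be[skip..]);
    }
    out.extend_from_slice(content);
    out
}

pub fn constructed_ca_skeleton(curve: &[u8]) -> Vec<u8> {
    let ecdsa_sha512 = der(0x30, &der(0x06, OID_ECDSA_WITH_SHA512));
    let spki_alg = der(0x30, &[der(0x06, OID_EC_PUBLIC_KEY), der(0x06, curve)].concat());
    let tbs = der(0x30, &[
        der(0xa0, &der(0x02, &[2])),   // [0] version v3
        der(0x02, &[1]),               // serialNumber
        ecdsa_sha512.clone(),          // signature
        der(0x30, &[]),                // issuer (empty placeholder)
        der(0x30, &[]),                // validity (empty placeholder)
        der(0x30, &[]),                // subject (empty placeholder)
        der(0x30, &[spki_alg, der(0x03, &[0])].concat()), // subjectPublicKeyInfo, empty key
    ].concat());
    der(0x30, &[tbs, ecdsa_sha512, der(0x03, &[0])].concat())
}

fn main() {
    for &(name, curve) in [("secp384r1", OID_SECP384R1), ("secp521r1", OID_SECP521R1)].iter() {
        let alg = cert_algorithms(&constructed_ca_skeleton(curve)).expect("skeleton parses");
        println!("{}: sig={} curve={:?} p521={}", name, alg.signature_oid, alg.curve_oid, is_p521_ca(&alg));
    }
}
```

Run it against the real CA by feeding `cert_algorithms` the decoded `certificate-authority-data` bytes; a `curve_oid` of `1.3.132.0.35` means the rustls build in (a) will fail exactly as shown, while the openssl build in (b) will not, and a truncated or non-DER input returns `None` rather than a misleading verdict.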

Labels: bug (Something isn't working), client (kube Client related), rustls (rustls-tls related)