kubernetes-client: Certificates from system keystore are ignored by kubernetes client
There are two possible ways for providing certificates while creating OpenShift / K8S client:
- KUBERNETES_CERTS_CA_FILE - using the ENV VAR and creating client using default constructor
- withCaCertFile() - providing path to the certificate file if client is created via ConfigBuilder
However, if the certificate is already installed in the system, the client will ignore it and would expect the certificate to be explicitly set during creation [1].
It looks like the kubernetes client creates an empty keystore and installs the provided certificate into it. Basically, this approach ignores the system keystore, and valid certificates from it are simply not taken into account.
The issue should be reproducible for everyone who uses k8-client to talk to a different cluster, as it seems to assume only this cluster's key is valid and ignores all other root chains.
About this issue
- State: closed
- Created 7 years ago
- Reactions: 3
- Comments: 21 (15 by maintainers)
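The behaviour described in the issue, next to one way of keeping the JVM's default trust anchors alongside an explicitly supplied CA file, as an added example (not code from kubernetes-client). The class `MergedTrustStore` and its methods are hypothetical, "system keystore" is assumed to mean the JVM default trust store, and the optional argument is a path to a PEM CA file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper, not part of kubernetes-client.
public class MergedTrustStore {
    // Trust anchors the JVM uses by default (cacerts, or javax.net.ssl.trustStore if set).
    static X509Certificate[] systemIssuers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // includeSystem=false mirrors the issue: empty store plus the supplied CA only.
    // includeSystem=true seeds the store with the default anchors first.
    static KeyStore build(String caFile, boolean includeSystem) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty in-memory store
        int n = 0;
        if (includeSystem) {
            for (X509Certificate c : systemIssuers()) ks.setCertificateEntry("system-" + n++, c);
        }
        if (caFile != null) {
            try (InputStream in = new FileInputStream(caFile)) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                    ks.setCertificateEntry("cluster-ca-" + n++, c);
                }
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String caFile = args.length > 0 ? args[0] : null; // optional path to a PEM CA file
        System.out.println("CA file only:     " + build(caFile, false).size() + " trusted entries");
        System.out.println("system + CA file: " + build(caFile, true).size() + " trusted entries");
    }
}
```

A `TrustManagerFactory` initialised with the second store accepts chains rooted in either the default anchors or the supplied CA; one initialised with the first accepts only the supplied CA.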
Commits related to this issue
- issue #711 KeyStore tries to load both default keystore files When KeyStore is initialized it tries to load keystore file "~/.keystore" with the default passphrase "changeit" if the file is not prese... — committed to MatousJobanek/kubernetes-client by MatousJobanek 7 years ago
- issue #711 KeyStore tries to load both default keystore files When KeyStore is initialized it tries to load keystore file "~/.keystore" with the default passphrase "changeit" if the file is not prese... — committed to jstrachan/kubernetes-client by MatousJobanek 7 years ago
- issue #711 KeyStore tries to load both default keystore files When KeyStore is initialized it tries to load keystore file "~/.keystore" with the default passphrase "changeit" if the file is not prese... — committed to dhirajsb/kubernetes-client by MatousJobanek 7 years ago
- feat (#711): Add support for the client crd annotations. — committed to fabric8io/kubernetes-client by iocanel 3 years ago
- feat (#711): Add support for the client crd annotations. — committed to manusa/kubernetes-client by iocanel 3 years ago
It’s based on InstallCert https://github.com/almighty/keycloak/blob/f0daf238d59146b86a1676e100c6e8e4f3eeef40/docker/install_certificate.sh