rustls: optionally use WebPKI roots to avoid panicking on Android & i…

…OS (#1323) * add a `webpki-roots` feature to optionally use WebPKI roots on rustls Signed-off-by: Elias Wilken <[email protected]> * create explicit allow rule for MPL-2.0 on `webpki-roots` Signed-off-by: Elias Wilken <[email protected]> * respect the `webpki-roots` feature on the OAuth & OIDC clients Signed-off-by: Elias Wilken <[email protected]> --------- Signed-off-by: Elias Wilken <[email protected]>
kube-rs · Sep 29, 2024 · 27a2129 · 27a2129
1 parent bb9a44e
commit 27a2129
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 5 deletions.
diff --git a/deny.toml b/deny.toml
@@ -40,6 +40,9 @@ exceptions = [
     # this is not a problem for us. See https://github.com/dtolnay/unicode-ident/pull/9/files
     # for more details.
     { allow = ["Unicode-DFS-2016"], name = "unicode-ident" },
+    # Pulled in via hyper-rustls when using the webpki-roots feature,
+    # which is off by default.
+    { allow = ["MPL-2.0"], name = "webpki-roots" },
 ]
 
 [[licenses.clarify]]

diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml
@@ -14,6 +14,7 @@ categories = ["web-programming::http-client", "network-programming", "api-bindin
 [features]
 default = ["client"]
 rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
+webpki-roots = ["hyper-rustls/webpki-roots"]
 aws-lc-rs = ["rustls?/aws-lc-rs"]
 openssl-tls = ["openssl", "hyper-openssl"]
 ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws", "tokio/macros"]

diff --git a/kube-client/src/client/auth/oauth.rs b/kube-client/src/client/auth/oauth.rs
@@ -118,13 +118,19 @@ impl Gcp {
                 // Current TLS feature precedence when more than one are set:
                 // 1. rustls-tls
                 // 2. openssl-tls
-                #[cfg(feature = "rustls-tls")]
+                #[cfg(all(feature = "rustls-tls", not(feature = "webpki-roots")))]
                 let https = hyper_rustls::HttpsConnectorBuilder::new()
                     .with_native_roots()
                     .map_err(Error::NoValidNativeRootCA)?
                     .https_only()
                     .enable_http1()
                     .build();
+                #[cfg(all(feature = "rustls-tls", feature = "webpki-roots"))]
+                let https = hyper_rustls::HttpsConnectorBuilder::new()
+                    .with_webpki_roots()
+                    .https_only()
+                    .enable_http1()
+                    .build();
                 #[cfg(all(not(feature = "rustls-tls"), feature = "openssl-tls"))]
                 let https =
                     hyper_openssl::HttpsConnector::new().map_err(Error::CreateOpensslHttpsConnector)?;

diff --git a/kube-client/src/client/auth/oidc.rs b/kube-client/src/client/auth/oidc.rs
@@ -313,13 +313,19 @@ impl Refresher {
             .install_default()
             .unwrap();
 
-        #[cfg(feature = "rustls-tls")]
+        #[cfg(all(feature = "rustls-tls", not(feature = "webpki-roots")))]
         let https = hyper_rustls::HttpsConnectorBuilder::new()
             .with_native_roots()
             .map_err(|_| errors::RefreshInitError::NoValidNativeRootCA)?
             .https_only()
             .enable_http1()
             .build();
+        #[cfg(all(feature = "rustls-tls", feature = "webpki-roots"))]
+        let https = hyper_rustls::HttpsConnectorBuilder::new()
+            .with_webpki_roots()
+            .https_only()
+            .enable_http1()
+            .build();
         #[cfg(all(not(feature = "rustls-tls"), feature = "openssl-tls"))]
         let https = hyper_openssl::HttpsConnector::new()?;
 

diff --git a/kube-client/src/client/tls.rs b/kube-client/src/client/tls.rs
@@ -55,9 +55,18 @@ pub mod rustls_tls {
         let config_builder = if let Some(certs) = root_certs {
             ClientConfig::builder().with_root_certificates(root_store(certs)?)
         } else {
-            ClientConfig::builder()
-                .with_native_roots()
-                .map_err(Error::NoValidNativeRootCA)?
+            #[cfg(feature = "webpki-roots")]
+            {
+                // Use WebPKI roots.
+                ClientConfig::builder().with_webpki_roots()
+            }
+            #[cfg(not(feature = "webpki-roots"))]
+            {
+                // Use native roots. This will panic on Android and iOS.
+                ClientConfig::builder()
+                    .with_native_roots()
+                    .map_err(Error::NoValidNativeRootCA)?
+            }
         };
 
         let mut client_config = if let Some((chain, pkey)) = identity_pem.map(client_auth).transpose()? {

diff --git a/kube/Cargo.toml b/kube/Cargo.toml
@@ -37,6 +37,7 @@ unstable-runtime = ["kube-runtime/unstable-runtime", "runtime"]
 unstable-client = ["kube-client/unstable-client", "client"]
 socks5 = ["kube-client/socks5", "client"]
 http-proxy = ["kube-client/http-proxy", "client"]
+webpki-roots = ["kube-client/webpki-roots", "client"]
 
 [package.metadata.docs.rs]
 features = ["client", "rustls-tls", "openssl-tls", "derive", "ws", "oauth", "jsonpatch", "admission", "runtime", "k8s-openapi/latest", "unstable-runtime", "socks5", "http-proxy"]