Merge pull request #144 from thephw/develop

Add support for FQDN K8s API servers and Root CA chains
coryodaniel · Mar 8, 2022 · a91689f · a91689f
2 parents 6990b83 + a4d157a
commit a91689f
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 7 deletions.
diff --git a/config/test.exs b/config/test.exs
@@ -3,4 +3,5 @@ import Config
 config :k8s,
   discovery_driver: K8s.Discovery.Driver.File,
   discovery_opts: [config: "test/support/discovery/example.json"],
-  http_provider: K8s.Client.DynamicHTTPProvider
+  http_provider: K8s.Client.DynamicHTTPProvider,
+  cacertfile: "/etc/ssl/cert.pem"
diff --git a/lib/k8s.ex b/lib/k8s.ex
@@ -44,4 +44,12 @@ defmodule K8s do
   def default_discovery_opts do
     Application.get_env(:k8s, :discovery_opts, [])
   end
+
+  @doc """
+  Returns the default CAStore
+  """
+  @spec default_cacertfile() :: module()
+  def default_cacertfile do
+    Application.get_env(:k8s, :cacertfile, CAStore.file_path())
+  end
 end
diff --git a/lib/k8s/conn.ex b/lib/k8s/conn.ex
@@ -28,7 +28,8 @@ defmodule K8s.Conn do
             middleware: K8s.Middleware.Stack.default(),
             discovery_driver: K8s.default_discovery_driver(),
             discovery_opts: K8s.default_discovery_opts(),
-            http_provider: K8s.default_http_provider()
+            http_provider: K8s.default_http_provider(),
+            cacertfile: K8s.default_cacertfile()
 
   @typedoc """
   * `cluster_name` - The cluster name if read from a kubeconfig file
@@ -45,7 +46,8 @@ defmodule K8s.Conn do
           middleware: K8s.Middleware.Stack.t(),
           discovery_driver: module(),
           discovery_opts: Keyword.t(),
-          http_provider: module()
+          http_provider: module(),
+          cacertfile: String.t()
         }
 
   @doc """
@@ -204,7 +206,7 @@ defmodule K8s.Conn do
 
           ca_options =
             case conn.ca_cert do
-              nil -> []
+              nil -> [cacertfile: conn.cacertfile |> String.to_charlist()]
               cert -> [cacerts: [cert]]
             end
 

diff --git a/mix.exs b/mix.exs
@@ -35,6 +35,7 @@ defmodule K8s.MixProject do
   # Run "mix help deps" to learn about dependencies.
   defp deps do
     [
+      {:castore, "~> 0.1"},
       {:yaml_elixir, "~> 2.8"},
       {:httpoison, "~> 1.7"},
       {:jason, "~> 1.0"},

diff --git a/mix.lock b/mix.lock
@@ -1,5 +1,6 @@
 %{
   "bunt": {:hex, :bunt, "0.2.0", "951c6e801e8b1d2cbe58ebbd3e616a869061ddadcc4863d0a2182541acae9a38", [:mix], [], "hexpm", "7af5c7e09fe1d40f76c8e4f9dd2be7cebd83909f31fee7cd0e9eadc567da8353"},
+  "castore": {:hex, :castore, "0.1.15", "dbb300827d5a3ec48f396ca0b77ad47058578927e9ebe792abd99fcbc3324326", [:mix], [], "hexpm", "c69379b907673c7e6eb229f09a0a09b60bb27cfb9625bcb82ea4c04ba82a8442"},
   "certifi": {:hex, :certifi, "2.9.0", "6f2a475689dd47f19fb74334859d460a2dc4e3252a3324bd2111b8f0429e7e21", [:rebar3], [], "hexpm", "266da46bdb06d6c6d35fde799bcb28d36d985d424ad7c08b5bb48f5b5cdd4641"},
   "credo": {:hex, :credo, "1.6.4", "ddd474afb6e8c240313f3a7b0d025cc3213f0d171879429bf8535d7021d9ad78", [:mix], [{:bunt, "~> 0.2.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:file_system, "~> 0.2.8", [hex: :file_system, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "c28f910b61e1ff829bffa056ef7293a8db50e87f2c57a9b5c3f57eee124536b7"},
   "dialyxir": {:hex, :dialyxir, "1.1.0", "c5aab0d6e71e5522e77beff7ba9e08f8e02bad90dfbeffae60eaf0cb47e29488", [:mix], [{:erlex, ">= 0.2.6", [hex: :erlex, repo: "hexpm", optional: false]}], "hexpm", "07ea8e49c45f15264ebe6d5b93799d4dd56a44036cf42d0ad9c960bc266c0b9a"},

diff --git a/test/k8s/conn_test.exs b/test/k8s/conn_test.exs
@@ -124,7 +124,7 @@ defmodule K8s.ConnTest do
                RequestOptions.generate(conn)
 
       assert [Authorization: _bearer_token] = headers
-      assert [verify: :verify_none] = ssl_options
+      assert [verify: :verify_none, cacertfile: '/etc/ssl/cert.pem'] = ssl_options
     end
 
     test "generates ssl_options for the given auth provider" do
@@ -135,7 +135,9 @@ defmodule K8s.ConnTest do
                RequestOptions.generate(conn)
 
       assert headers == []
-      assert [cert: _, key: _, verify: :verify_none] = ssl_options
+
+      assert [cert: _, key: _, verify: :verify_none, cacertfile: '/etc/ssl/cert.pem'] =
+               ssl_options
     end
 
     test "includes cacerts if provided" do
@@ -157,7 +159,9 @@ defmodule K8s.ConnTest do
                RequestOptions.generate(conn)
 
       assert headers == []
-      assert [cert: _, key: _, verify: :verify_none] = ssl_options
+
+      assert [cert: _, key: _, verify: :verify_none, cacertfile: '/etc/ssl/cert.pem'] =
+               ssl_options
     end
   end
 end