From fb199bc64ee3b1be4532ea75c9aa40ec9a33d09a Mon Sep 17 00:00:00 2001 From: Brendan Burns Date: Thu, 22 Feb 2018 23:44:50 -0800 Subject: [PATCH] Fix a bug in certificate loading... --- util/pom.xml | 2 +- .../kubernetes/client/util/ClientBuilder.java | 18 +++++++++++++----- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/util/pom.xml b/util/pom.xml index 6f9f9e11be..065aae55b3 100644 --- a/util/pom.xml +++ b/util/pom.xml @@ -30,7 +30,7 @@ commons-codec commons-codec - 1.10 + 1.11 org.apache.commons diff --git a/util/src/main/java/io/kubernetes/client/util/ClientBuilder.java b/util/src/main/java/io/kubernetes/client/util/ClientBuilder.java index 93c11a6948..d18b2aa696 100644 --- a/util/src/main/java/io/kubernetes/client/util/ClientBuilder.java +++ b/util/src/main/java/io/kubernetes/client/util/ClientBuilder.java @@ -159,7 +159,6 @@ public static ClientBuilder kubeconfig(KubeConfig config) throws IOException { if (caBytes != null) { builder.setCertificateAuthority(caBytes); } - builder.setVerifyingSsl(config.verifySSL()); builder.setBasePath(server); @@ -211,14 +210,23 @@ public ApiClient build() { client.setVerifyingSsl(verifyingSsl); - if (caCertBytes != null) { - client.setSslCaCert(new ByteArrayInputStream(caCertBytes)); - } - if (authentication != null) { authentication.provide(client); } + // NOTE: this ordering is important. The API Client re-evaluates the CA certificate every + // time the SSL info changes, which means that if this comes after the following call + // you will try to load a certificate with an exhausted InputStream. So setting the CA + // certificate _has_ to be the last thing that you do related to SSL. + // + // TODO: this (imho) is broken in the generate Java Swagger Client code. We should fix it + // upstream and remove this dependency. + // + // TODO: Add a test to ensure that this works correctly... + if (caCertBytes != null) { + client.setSslCaCert(new ByteArrayInputStream(caCertBytes)); + } + return client; } }
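Review bot: The ordering guarantee in `build()` ends at `return client;`: by the new comment's own account the client re-reads the CA stream whenever the SSL info changes, so a caller that later changes an SSL setting on the returned `ApiClient` (another `setVerifyingSsl` call, for instance) would hit the same exhausted `ByteArrayInputStream`. I would say so in the comment, e.g. `// Callers must call setSslCaCert again with a fresh stream after changing any SSL setting on the returned client.` It is also worth confirming, and pinning in the test the TODO promises, that re-evaluation with an exhausted stream fails with an error rather than leaving the client on a trust configuration without the cluster CA; that behaviour lives in the generated client and is not visible in this hunk. In the first TODO, "generate" should read "generated". The start of `build()` lies outside the hunk.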