Fix service ca cert issue

Author: LaylaLiu-gmail

Kudu.Core/Kube/KubernetesClientUtil.cs

@@ -1,4 +1,5 @@
 using System;
+using System.IO;
 using System.Net.Http;
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
@@ -11,6 +12,7 @@ public class KubernetesClientUtil
         public const int ClientRetryCount = 3;
         public const int ClientRetryIntervalInSeconds = 5;
         private const string caPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
+        private const string serviceCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt";
 
         public static void ExecuteWithRetry(Action action)
         {
@@ -27,6 +29,7 @@ public static bool ServerCertificateValidationCallback(
             X509Chain certChain,
             SslPolicyErrors sslPolicyErrors)
         {
+            Console.WriteLine($"sslPolicyErrors: {sslPolicyErrors}");
             if (sslPolicyErrors == SslPolicyErrors.None)
             {
                 // certificate is already valid
@@ -36,6 +39,7 @@ public static bool ServerCertificateValidationCallback(
             {
                 // only remaining error state is RemoteCertificateChainErrors
                 // check custom CA
+                bool caresult = true;
                 var privateChain = new X509Chain();
                 privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
 
@@ -52,11 +56,44 @@ public static bool ServerCertificateValidationCallback(
                         // root CA cert is not always trusted.
                         chainStatus.Status != X509ChainStatusFlags.UntrustedRoot)
                     {
-                        return false;
+                        Console.WriteLine($"ca crt: {chainStatus.Status}");
+                        caresult = false;
+                        break;
                     }
                 }
 
-                return true;
+                if (caresult)
+                {
+                    return true;
+                }
+
+                if (File.Exists(serviceCAPath))
+                {
+                    var serviceCAprivateChain = new X509Chain();
+                    serviceCAprivateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+
+                    var serviceCA = new X509Certificate2(serviceCAPath);
+                    // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chainpolicy?view=netcore-2.2
+                    // Add CA cert to the chain store to include it in the chain check.
+                    serviceCAprivateChain.ChainPolicy.ExtraStore.Add(serviceCA);
+                    // Build the chain for `certificate` which should be the self-signed kubernetes api-server cert.
+                    serviceCAprivateChain.Build(certificate);
+
+                    foreach (X509ChainStatus chainStatus in serviceCAprivateChain.ChainStatus)
+                    {
+                        if (chainStatus.Status != X509ChainStatusFlags.NoError &&
+                            // root CA cert is not always trusted.
+                            chainStatus.Status != X509ChainStatusFlags.UntrustedRoot)
+                        {
+                            Console.WriteLine($"service crt: {chainStatus.Status} ");
+                            return false;
+                        }
+                    }
+
+                    return true;
+                }
+
+                return false;
             }
             else
             {