Use the system certificate store if no certificates are specified. (#1261)

marcusbooyah · web-flow · commit 729b10c73187 · 2023-04-18T16:36:45.000-07:00
* Use the system certificate store if no certificates are specified.

* Don't use ServerCertificateCustomValidationCallback when no CA is set
diff --git a/src/KubernetesClient/Kubernetes.ConfigInit.cs b/src/KubernetesClient/Kubernetes.ConfigInit.cs
@@ -72,21 +72,19 @@ private void InitializeFromConfig(KubernetesClientConfiguration config)
                 }
                 else
                 {
-                    if (CaCerts == null)
+                    if (CaCerts != null)
                     {
-                        throw new KubeConfigException("A CA must be set when SkipTlsVerify === false");
-                    }
-
 #if NET5_0_OR_GREATER
-                    HttpClientHandler.SslOptions.RemoteCertificateValidationCallback =
+                        HttpClientHandler.SslOptions.RemoteCertificateValidationCallback =
 #else
-                    HttpClientHandler.ServerCertificateCustomValidationCallback =
+                        HttpClientHandler.ServerCertificateCustomValidationCallback =
 #endif
-                        (sender, certificate, chain, sslPolicyErrors) =>
-                        {
-                            return CertificateValidationCallBack(sender, CaCerts, certificate, chain,
-                                sslPolicyErrors);
-                        };
+                            (sender, certificate, chain, sslPolicyErrors) =>
+                            {
+                                return CertificateValidationCallBack(sender, CaCerts, certificate, chain,
+                                    sslPolicyErrors);
+                            };
+                    }
                 }
             }
 
diff --git a/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs b/tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
@@ -138,6 +138,20 @@ public void CheckClusterTlsSkipCorrectness()
             Assert.True(cfg.SkipTlsVerify);
         }
 
+        /// <summary>
+        ///     Checks that a KubeConfigException is not thrown when no certificate-authority-data is set and user do not require tls
+        ///     skip
+        /// </summary>
+        [Fact]
+        public void CheckClusterTlsNoSkipCorrectness()
+        {
+            var fi = new FileInfo("assets/kubeconfig.tls-no-skip.yml");
+            var cfg = KubernetesClientConfiguration.BuildConfigFromConfigFile(fi);
+            Assert.NotNull(cfg.Host);
+            Assert.Null(cfg.SslCaCerts);
+            Assert.False(cfg.SkipTlsVerify);
+        }
+
         /// <summary>
         ///     Checks that a KubeConfigException is thrown when the cluster defined in clusters and contexts do not match
         /// </summary>
diff --git a/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml b/tests/KubernetesClient.Tests/assets/kubeconfig.tls-no-skip.yml
@@ -0,0 +1,22 @@
+# Sample file based on https://kubernetes.io/docs/tasks/access-application-cluster/authenticate-across-clusters-kubeconfig/
+# WARNING: File includes minor fixes
+---
+current-context: federal-context
+apiVersion: v1
+clusters:
+- cluster:
+    insecure-skip-tls-verify: false
+    server: https://horse.org:443
+  name: horse-cluster
+contexts:
+- context:
+    cluster: horse-cluster
+    namespace: chisel-ns
+    user: green-user
+  name: federal-context
+kind: Config
+users:
+- name: green-user
+  user:
+    password: secret
+    username: admin
