unable to handle pinniped-provided mTLS credentials #5656

Closed
pktxu opened this issue Dec 19, 2023 · 0 comments · Fixed by #5657

pktxu commented Dec 19, 2023

Describe the bug

Trying to auth against a pinniped-enabled cluster with 6.10-SNAPSHOT results (after building with bouncycastle to use EC keys) in:

Caused by: java.lang.ClassCastException: class org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to class org.bouncycastle.openssl.PEMKeyPair (org.bouncycastle.asn1.pkcs.PrivateKeyInfo and org.bouncycastle.openssl.PEMKeyPair are in unnamed module of loader 'app')
	at io.fabric8.kubernetes.client.internal.CertUtils$1.call(CertUtils.java:188)
	at io.fabric8.kubernetes.client.internal.CertUtils.handleECKey(CertUtils.java:195)
	at io.fabric8.kubernetes.client.internal.CertUtils.loadKey(CertUtils.java:170)
	at io.fabric8.kubernetes.client.internal.CertUtils.createKeyStore(CertUtils.java:146)
	at io.fabric8.kubernetes.client.internal.CertUtils.createKeyStore(CertUtils.java:288)
	at io.fabric8.kubernetes.client.internal.SSLUtils.keyManagers(SSLUtils.java:188)
	at io.fabric8.kubernetes.client.internal.SSLUtils.keyManagers(SSLUtils.java:177)
	at io.fabric8.kubernetes.client.utils.HttpClientUtils.applyCommonConfiguration(HttpClientUtils.java:188)
	at io.fabric8.kubernetes.client.okhttp.OkHttpClientFactory.newBuilder(OkHttpClientFactory.java:82)
	at io.fabric8.kubernetes.client.okhttp.OkHttpClientFactory.newBuilder(OkHttpClientFactory.java:29)
	at io.fabric8.kubernetes.client.KubernetesClientBuilder.getHttpClient(KubernetesClientBuilder.java:90)
	at io.fabric8.kubernetes.client.KubernetesClientBuilder.build(KubernetesClientBuilder.java:79)

Fabric8 Kubernetes Client version

SNAPSHOT

Steps to reproduce

  1. Get a kubeconfig through pinniped
  2. Examine the credentials through yq '.credentials[0].credential.clientKeyData' ~/.config/pinniped/credentials.yaml | openssl ec -text -noout
  3. Try to use a client built using pinniped's kubeconfig
  4. See it fail with the above stacktrace

Expected behavior

Client building to succeed

Runtime

other (please specify in additional context)

Kubernetes API Server version

1.25.3@latest

Environment

Amazon

Fabric8 Kubernetes Client Logs

No response

Additional context

No response
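
The cast in the stack trace fails because BouncyCastle's `PEMParser.readObject()` returns a `PEMKeyPair` only for a SEC1 `-----BEGIN EC PRIVATE KEY-----` block; for a PKCS#8 `-----BEGIN PRIVATE KEY-----` block it returns a `PrivateKeyInfo`. The following is an added example, not the project's code and not the fix merged in #5657: a loader that accepts both encodings. The class `EcPemKeyLoader` and method `loadPrivateKey` are hypothetical names, and it assumes bcprov and bcpkix are on the classpath.

```java
import java.io.Reader;
import java.io.StringReader;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

public class EcPemKeyLoader {

  // Hypothetical helper: returns the first private key found in the PEM input,
  // whichever of the two PEM encodings it uses.
  static PrivateKey loadPrivateKey(Reader pem) throws Exception {
    JcaPEMKeyConverter converter =
        new JcaPEMKeyConverter().setProvider(new BouncyCastleProvider());
    try (PEMParser parser = new PEMParser(pem)) {
      Object parsed;
      while ((parsed = parser.readObject()) != null) {
        if (parsed instanceof PEMKeyPair) {
          // SEC1 "EC PRIVATE KEY": the parser wraps the key in a PEMKeyPair.
          return converter.getPrivateKey(((PEMKeyPair) parsed).getPrivateKeyInfo());
        }
        if (parsed instanceof PrivateKeyInfo) {
          // PKCS#8 "PRIVATE KEY": the type named in the ClassCastException.
          return converter.getPrivateKey((PrivateKeyInfo) parsed);
        }
        // Other PEM objects (for example an "EC PARAMETERS" block) are skipped.
      }
    }
    throw new IllegalArgumentException("no supported private key in PEM input");
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input: a throwaway P-256 key, PKCS#8-encoded by the JDK.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
    gen.initialize(new ECGenParameterSpec("secp256r1"));
    byte[] pkcs8 = gen.generateKeyPair().getPrivate().getEncoded();
    String pem = "-----BEGIN PRIVATE KEY-----\n"
        + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(pkcs8)
        + "\n-----END PRIVATE KEY-----\n";

    PrivateKey key = loadPrivateKey(new StringReader(pem));
    System.out.println("loaded " + key.getAlgorithm() + " key, format " + key.getFormat());
  }
}
```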
