SSL CA Certificate loading is broken...

[brendandburns]

We try to load the CA certificate twice, but the InputStream is exhausted...

[ceeaspb]

@brendandburns I have left comments in #197

[karthikkondapally]

@brendanburns
if this is about the below error

Exception in thread "main" java.lang.IllegalArgumentException: expected non-empty set of trusted certificates 
at io.kubernetes.client.ApiClient.applySslSettings(ApiClient.java:1134)

it is because of default value of verifySSl being true.
error vanished for me, once i added insecure-skip-tls-verify: true in kubeconfig.yaml (in cluster section).
or setVerifySSL to true using ClientBuilder.
Config.defaultClient().setVerifyingSsl(false) also throws the error, as applySslSettings(); is called in defaultClient() before setting verifySSL to false.

[brendandburns]

@kondapally1989 I don't think that's quite correct. The underlying problem is that applySslSettings can not be called more than once after the CA certificate has been set. We need to ultimately fix that in the ApiClient so that applySslSettings is idempotent...

[brendandburns]

@ceeaspb I don't quite follow your comments... Can you clarify the issue you're seeing and the needed repro?

Thanks

[karthikkondapally]

@brendanburns
my bad, read the issue in wrong way.
after keeping the line client.setSslCaCert(as in your push #200) at the end. its working without throwing non-empty error.

[ceeaspb]

with #200 similarly it works. I didn't spot the PR earlier. thanks

[karthikkondapally]

@brendanburns
I tried something, may be few pointers from you.
i cloned InputStream and passed the clone to certificateFactory.generateCertificates(sslCaCertCopy);
original sslCaCert will always persist.

        byte[] targetArray = null ;
        try {
          targetArray = new byte[sslCaCert.available()];
          sslCaCert.read(targetArray);
        }
        catch(Exception e) {
        }
        sslCaCert = new ByteArrayInputStream(targetArray);
        char[] password = null; // Any password will work.
        InputStream sslCaCertCopy =  new ByteArrayInputStream(targetArray);
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(sslCaCertCopy);

above works without placing client.setSslCaCert at end of ClientBuilder
but ApiClient.java is a swagger generated code.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.