Skip to content

Commit

Permalink
Fix service ca cert issue
Browse files Browse the repository at this point in the history
  • Loading branch information
LaylaLiu-gmail committed Jul 3, 2023
1 parent b6bc3d8 commit 4ad349b
Showing 1 changed file with 39 additions and 2 deletions.
41 changes: 39 additions & 2 deletions Kudu.Core/Kube/KubernetesClientUtil.cs
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
Expand All @@ -11,6 +12,7 @@ public class KubernetesClientUtil
public const int ClientRetryCount = 3;
public const int ClientRetryIntervalInSeconds = 5;
private const string caPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
private const string serviceCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt";

public static void ExecuteWithRetry(Action action)
{
Expand All @@ -27,6 +29,7 @@ public static bool ServerCertificateValidationCallback(
X509Chain certChain,
SslPolicyErrors sslPolicyErrors)
{
Console.WriteLine($"sslPolicyErrors: {sslPolicyErrors}");
if (sslPolicyErrors == SslPolicyErrors.None)
{
// certificate is already valid
Expand All @@ -36,6 +39,7 @@ public static bool ServerCertificateValidationCallback(
{
// only remaining error state is RemoteCertificateChainErrors
// check custom CA
bool caresult = true;
var privateChain = new X509Chain();
privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

Expand All @@ -52,11 +56,44 @@ public static bool ServerCertificateValidationCallback(
// root CA cert is not always trusted.
chainStatus.Status != X509ChainStatusFlags.UntrustedRoot)
{
return false;
Console.WriteLine($"ca crt: {chainStatus.Status}");
caresult = false;
break;
}
}

return true;
if (caresult)
{
return true;
}

if (File.Exists(serviceCAPath))
{
var serviceCAprivateChain = new X509Chain();
serviceCAprivateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

var serviceCA = new X509Certificate2(serviceCAPath);
// https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chainpolicy?view=netcore-2.2
// Add CA cert to the chain store to include it in the chain check.
serviceCAprivateChain.ChainPolicy.ExtraStore.Add(serviceCA);
// Build the chain for `certificate` which should be the self-signed kubernetes api-server cert.
serviceCAprivateChain.Build(certificate);

foreach (X509ChainStatus chainStatus in serviceCAprivateChain.ChainStatus)
{
if (chainStatus.Status != X509ChainStatusFlags.NoError &&
// root CA cert is not always trusted.
chainStatus.Status != X509ChainStatusFlags.UntrustedRoot)
{
Console.WriteLine($"service crt: {chainStatus.Status} ");
return false;
}
}

return true;
}

return false;
}
else
{
Expand Down

0 comments on commit 4ad349b

Please sign in to comment.