Closed ridangotaavi closed 2 weeks ago
So it looks like the problem here is the `validate=True`, which raises an exception if the base64 encoded certificate contains invalid characters (like newlines). If we remove this then it goes back to the default behaviour of stripping the newlines automatically and things work as expected with the example you provided.
It looks like the `validate=True` was introduced in #324 to handle situations where the cert is in plaintext and not base64 encoded, but is the correct length and therefore gets mistakenly decoded.
I think the fix here is to remove the `validate=True` in favour of some other way to check if the string is base64 encoded or not.
Hmm, unfortunately it's not straightforward to check if a string is base64 encoded. Any string where `len(s) % 4 == 0` will successfully decode. And if you encode it again you get the same string out that you started with.
So I think we are going to need to first check whether the input data is a valid certificate instead, and if it isn't then attempt to base64 decode it.
We could either use something like `cryptography.x509.load_pem_x509_certificates()` to verify the cert, or maybe it would be simpler to just check if it starts with `-----BEGIN CERTIFICATE-----`.
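The check suggested in the comment above, as an added example that is not part of the thread and not kr8s's own code: accept the value as PEM if it starts with the certificate header, otherwise base64-decode it without `validate=True` and confirm the result is PEM. The function names and the sample blob are hypothetical and constructed for illustration.

```python
import base64
import binascii

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: a PEM-shaped blob, not a real certificate.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"TUlJQ29uc3RydWN0ZWRTYW1wbGVCb2R5\n"
    b"-----END CERTIFICATE-----\n"
)


def strict_decode_fails(encoded: bytes) -> bool:
    """True if b64decode(validate=True) rejects the input."""
    try:
        base64.b64decode(encoded, validate=True)
        return False
    except binascii.Error:
        return True


def load_ca_data(value) -> bytes:
    """Return PEM bytes from a value that is either PEM or base64-encoded PEM.

    Hypothetical helper: checks for the PEM header first, so plaintext
    certificates are never passed through the base64 decoder.
    """
    raw = value.encode() if isinstance(value, str) else value
    if raw.lstrip().startswith(PEM_HEADER):
        return raw
    # Default mode discards non-alphabet characters such as newlines,
    # so line-wrapped base64 decodes cleanly.
    decoded = base64.b64decode(raw)
    if not decoded.lstrip().startswith(PEM_HEADER):
        raise ValueError("CA data is neither PEM nor base64-encoded PEM")
    return decoded


if __name__ == "__main__":
    wrapped = base64.encodebytes(SAMPLE_PEM)  # newline every 76 characters
    print("strict decode rejects wrapped input:", strict_decode_fails(wrapped))
    print(load_ca_data(wrapped).decode())
```

Verifying the decoded output, rather than the input, is what replaces the job `validate=True` was doing: input that decodes to something other than a certificate is rejected with `ValueError`.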
Which project are you reporting a bug for?
kr8s
What happened?
Kr8s version: 0.17.2
Python version: 3.11.2
I have a kubeconfig, which contains the CA certificate in the following format:
When trying to use this kubeconfig with kr8s, it fails with the following traceback:
I have used this same kubeconfig pretty much everywhere else (including kubectl) and this is the first time I have run into this kind of problem.
Anything else?
Replacing line 236 in _auth.py with this:
seems to fix the issue, but I am not sure whether this is a proper fix.