kubernetes-client / java

Official Java client library for kubernetes
http://kubernetes.io/
Apache License 2.0

Add support for FIPS Bouncy Castle library #3590

Closed robhafner closed 4 weeks ago

robhafner commented 1 month ago

Describe the bug

We are attempting to use version 19.0.1 of the Kubernetes Java Client from a Spring Boot 2.7 application to invoke the Kubernetes API server to validate a service account token. Our Spring Boot application is configured with the FIPS enabled version 1.0.2.4 of the Bouncy Castle library (and does not include the non FIPS version of the Bouncy Castle library). The call to the API with a valid token results in the following status.

```
class V1TokenReviewStatus {
    audiences: null
    authenticated: null
    error: [invalid bearer token, service account token has been invalidated]
    user: class V1UserInfo {
        extra: null
        groups: null
        uid: null
        username: null
    }
}
```

Stepping through the debugger, the token appears to be considered invalid as a result of the non-FIPS Bouncy Castle class not being available, which is registered in src/main/java/io/kubernetes/client/SSLUtils.java:

```java
static {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
}
```

Updating the SSLUtils.java with the following changes allows the token to be verified successfully.

```java
import java.security.Provider;
import java.security.Security;

static {
    Provider provider;
    try {
        Class<?> clazz = getProvider();
        provider = (Provider) clazz.getDeclaredConstructor().newInstance();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    Security.addProvider(provider);
}

// Prefer the FIPS provider; fall back to the standard provider when it is not on the classpath.
public static Class<?> getProvider() throws ClassNotFoundException {
    Class<?> clazz;
    try {
        clazz = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
    } catch (ClassNotFoundException cnf) {
        clazz = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
    }
    return clazz;
}
```

I'd be happy to put a PR together with this change to resolve this issue. However, I ran across another issue which seemed very similar which was closed without a fix.

https://github.com/kubernetes-client/java/issues/2086

Can you confirm if the Kubernetes Java Client project is willing to support the FIPS version of Bouncy Castle? If not, we will likely be forced to fork the library to meet our needs.

Client Version: 1.29.2

Kubernetes Version: 1.28.2

Java Version: Java 17

To Reproduce
Steps to reproduce the behavior:

Expected behavior
The call to verify a token works successfully when only the FIPS version of Bouncy Castle is on the classpath.

KubeConfig
If applicable, add a KubeConfig file with secrets redacted.

Server (please complete the following information): Linux
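An added example (not code from the issue or from the kubernetes-client/java project) of the provider-selection approach proposed above, extended with a check that a FIPS-mandated deployment did not silently fall back to the non-FIPS provider. It assumes the two Bouncy Castle class names from the issue and the provider names "BCFIPS" and "BC" that those providers report; the `require.fips` system property is a hypothetical switch for this example.

```java
import java.security.Provider;
import java.security.Security;
import java.util.List;

public class BouncyCastleProviderCheck {

    // Candidate provider classes in order of preference (both names appear in the issue).
    private static final List<String> CANDIDATES = List.of(
            "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider",
            "org.bouncycastle.jce.provider.BouncyCastleProvider");

    /** Instantiate the first candidate provider present on the classpath. */
    static Provider loadProvider() {
        for (String className : CANDIDATES) {
            try {
                Class<?> clazz = Class.forName(className);
                return (Provider) clazz.getDeclaredConstructor().newInstance();
            } catch (ClassNotFoundException e) {
                // Not on the classpath: try the next candidate.
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("Cannot instantiate " + className, e);
            }
        }
        throw new IllegalStateException("No Bouncy Castle provider found on the classpath");
    }

    /** Register the provider; when FIPS is required, refuse a silent fallback to non-FIPS BC. */
    static Provider register(boolean requireFips) {
        Provider provider = loadProvider();
        // "BCFIPS" is the name reported by BouncyCastleFipsProvider, "BC" by BouncyCastleProvider.
        boolean isFips = "BCFIPS".equals(provider.getName());
        if (requireFips && !isFips) {
            throw new IllegalStateException(
                    "FIPS provider required but only " + provider.getName() + " is available");
        }
        // Avoid registering the same provider twice on repeated calls.
        if (Security.getProvider(provider.getName()) == null) {
            Security.addProvider(provider);
        }
        return provider;
    }

    public static void main(String[] args) {
        // Hypothetical switch for this example: -Drequire.fips=true fails fast on non-FIPS BC.
        boolean requireFips = Boolean.parseBoolean(System.getProperty("require.fips", "false"));
        Provider p = register(requireFips);
        System.out.println("Registered " + p.getName() + " " + p.getVersionStr());
    }
}
```

Running it with `-Drequire.fips=true` on a classpath that carries only bc-fips prints the BCFIPS provider; with only the standard Bouncy Castle jar it throws instead of quietly using non-FIPS cryptography.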

brendandburns commented 1 month ago

This looks like a server side error? This SDK is only client side. Can you explain why the FIPS provider is required?

I'm not opposed in principle to supporting both providers, but I need further explanation about why it is causing this specific problem.

brendandburns commented 4 weeks ago

Closing this via #3595