client cert authentication doesn't work with intermediate CAs #41

@geekofalltrades

If your client certificate is issued from an intermediate CA, rather than from the Root CA, then it seems this plugin doesn't send the intermediate with the request, which causes a 401 from Kubernetes. I tested this with check-kube-nodes-ready.rb; I'm unsure if it affects the other plugins, as well.

Steps to reproduce:

  • kube-apiserver is running with a Root CA ROOT as its --client-ca-file argument.
  • Issue an intermediate, INT, from ROOT.
  • Issue a client cert, CLI, from INT.
  • Configure a sensu-plugins-kubernetes check, either via kubeconfig or directly via flags, to use the CLI cert and key to authenticate. Include the full chain from CLI back to ROOT in the cert file configured.
  • Get a 401 from Kubernetes: Unable to authenticate the request due to an error: x509: certificate signed by unknown authority

If you instead send the INT cert and key, you are able to authenticate.

This makes me suspect that the plugin isn't sending the full chain from the client cert.
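The behaviour suspected above, as an added Ruby example that is not part of the original report and not the plugin's own code: it builds a constructed ROOT, INT, CLI chain, shows that a verifier trusting only ROOT rejects the leaf unless the client presents INT, and shows one way to load a bundle so the intermediates are sent. The helper names (`issue`, `split_chain`, `client_context`, `server_accepts?`) are hypothetical, and `server_accepts?` is only a local model of the API server's check against its `--client-ca-file`.

```ruby
require 'openssl'

# Constructed throwaway PKI mirroring the report: ROOT -> INT -> CLI.
def issue(cn, serial, issuer = nil, issuer_key = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Certificate.new(pem) parses only the first block of a bundle, so split it explicitly.
def split_chain(bundle_pem)
  certs = bundle_pem.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  raise ArgumentError, 'no certificate found in bundle' if certs.empty?
  [certs.first, certs.drop(1)]
end

# Client side: present the leaf and send the rest of the file as chain certs.
def client_context(bundle_pem, key)
  leaf, chain = split_chain(bundle_pem)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = leaf
  ctx.key = key
  ctx.extra_chain_cert = chain unless chain.empty?
  ctx
end

# Server-side model: trust only ROOT; intermediates must come from the client.
def server_accepts?(root, leaf, presented_chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf, presented_chain)
end

root, root_key = issue('ROOT', 1, ca: true)
int, int_key = issue('INT', 2, root, root_key, ca: true)
cli, cli_key = issue('CLI', 3, int, int_key)
leaf, chain = split_chain(cli.to_pem + int.to_pem + root.to_pem)
puts "leaf only: #{server_accepts?(root, leaf, [])}, with chain: #{server_accepts?(root, leaf, chain)}"
```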
