Update rustls to 0.20.1

[kazk]

Continuing from #692 for #644 after rebasing. webpki is no longer necessary, so this is the last one.

TODO

• Refine errors
• Replace hyper_rustls::HttpsConnector::with_native_roots with HttpsConnectorBuilder
• Use published hyper-rustls (Prepare 0.23 rustls/hyper-rustls#159)

---

Closes #644

[kazk]

Changed to get all sections at once, but it should behave the same. Use the last found private key, and PKCS8 key is preferred.

[clux]

This seems to work as well as before. Thought I had a regression on rustls vs rancher, but turns out rancher just never worked with local kubeconfig on rustls.

rancher gives this type of setup:

clusters:
- cluster:
    server: https://rancher.xxx.io/k8s/clusters/clusterid
  name: mycluster
users:
- name: myuser
  user:
    token: kubeconfig-u-somegenuser.c-id:somelongtoken
contexts:
- context:
    cluster: mycluster
    user: myuser
  name: mycontext

error

[2021-11-15T22:06:29Z DEBUG kube_client::config] failed to load client identity from kubeconfig: failed to load client certificate 
[2021-11-15T22:06:29Z DEBUG kube_client::client] HTTP; http.method=GET http.url=https://rancher.xxx.io/k8s/clusters/clusterid/api/v1/namespaces/default/pods? otel.name="list" otel.kind="client"
[2021-11-15T22:06:29Z DEBUG kube_client::client] requesting 
[2021-11-15T22:06:30Z WARN  rustls::conn] Sending fatal alert BadCertificate
[2021-11-15T22:06:30Z DEBUG kube_client::client] HTTP; otel.status_code="ERROR"
[2021-11-15T22:06:30Z ERROR kube_client::client] failed with error error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer 
Error: failed to perform initial object list: HyperError: error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

Caused by:
   0: HyperError: error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
   1: error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
   2: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

Location:
    /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/result.rs:1915:27

interestingly this works with openssl, but with rustls i have to add insecure-skip-tls-verify: true to the cluster entry. not sure if you have an idea of this. can open a separate bug if not.

[kazk]

interestingly this works with openssl, but with rustls i have to add insecure-skip-tls-verify: true to the cluster entry. not sure if you have an idea of this. can open a separate bug if not.

I think native-tls includes the system cert store by default, while rustls doesn't. We can load with rustls-native-certs which is already a dependency of hyper-rustls.

[kazk]

#711 is working :)

error[B004]: found 2 duplicate entries for crate 'rustls'
    ┌─ /github/workspace/Cargo.lock:151:1
    │  
151 │ ╭ rustls 0.19.1 registry+rust-lang/crates.io-index
152 │ │ rustls 0.20.1 registry+rust-lang/crates.io-index
    │ ╰───────────────────────────────────────────────────────────────────^ lock entries
    │  
    = rustls v0.19.1
      └── tokio-rustls v0.22.0
          └── warp v0.3.2
              └── (dev) examples v0.1.0
    = rustls v0.20.1
      ├── hyper-rustls v0.23.0
      │   └── kube-client v0.63.2

[clux]

Great work 👍

[kazk]

I'll merge this after cleaning up the commits:

• Move all edits to Cargo.toml to the first commit
• Merge commit removing Error::SslError with refining error one
• Merge commit fixing doc cfg with refining error one

I thought of squash merging, but I think it's better to keep the upgrade and refactoring separate after merging.