rustls: optionally use WebPKI roots to avoid panicking on Android & iOS

[ewilken]

Motivation

Using kube-rs on iOS, I came across a panic in the underlying hyper-rustls root cert initialization trying to access the native roots, which doesn't work on Android or iOS, according to this open issue.

Solution

My solution was to add a check to fall back to the WebPKI roots when on Android or iOS, which fixes the issue for me, but could make sense upstream, too.

Please let me know if this change makes sense to you or whether I'm missing anything. And thanks a lot for all the work you've done on the kube-rs ecosystem! 😊

[clux]

Hey, thanks for this!

I do think this, or some variant of this makes sense, and am happy to include a variant of this. The few bits i am sceptical of atm are:

• default inclusion - as this would be a new dep for everyone, even though we use native roots elsewhere
• magic inference - it's probably better to let users choose this rather than bake in this (particularly as it gives the impression we test iOS/android which we dont)

There are two alternatives I think;

1. make an explicit feature for it so people can choose this option if they want to in general
2. try to do some [target.cfg...] magic in Cargo.toml

I think 1. makes the most sense, but it might be hairier to make a feature for this? At the very least reqwest has a quite hairy feature selection setup to get all the things exposed.

[codecov]

Codecov Report

Merging #1323 (eae3fc5) into main (9c81f1f) will increase coverage by 0.1%.
The diff coverage is 0.0%.

Additional details and impacted files

@@           Coverage Diff           @@
##            main   #1323     +/-   ##
=======================================
+ Coverage   72.4%   72.4%   +0.1%     
=======================================
  Files         75      75             
  Lines       6343    6343             
=======================================
+ Hits        4586    4587      +1     
+ Misses      1757    1756      -1     

Files	Coverage Δ
kube-client/src/client/tls.rs	63.7% <0.0%> (ø)

... and 1 file with indirect coverage changes

[ewilken]

Makes sense. Happy to try out either one of the two scenarios!

But is the failing CI check about webpki-roots bringing in an MPL-2.0 license a show-stopper?

[clux]

MPL-2.0

It shouldn't be a problem. Particularly if it's an opt-in feature, as then it's up to users whether they want the stricter license the transitive dependency comes with.

[clux]

Given we want opt-in for many reasons, i think if we add a feature for it in kube-client/Cargo.toml:

webpki-roots = ["hyper-rustls/webpki-roots"]

plus re-export it from kube/Cargo.toml (i.e. feature in kube crate needs to enable kube-client/webpki-roots).

then we should be good.

we would need a licenses.clarify entry in deny.toml (see docs) about this license being excluded because it is an optional feature.

[ewilken]

Gotcha. Do you think the feature should gate the current check to use WebPKI roots only on Android and iOS, or just alternate between native and WebPKI roots on every platform by setting the feature flag? My gut feeling is the latter is probably the cleaner thing to do and less confusing for an API consumer.