attempt upgrading rustls to 0.20.0 - for #644

[clux]

a bit of major change based on the massive release history in https://github.com/rustls/rustls#release-history

it has some helpful changes:

• allowing an empty root cert store struct
• not having to implement the no client verification strategy ourselves seems to not work
• and we can do this without enabling dangerous configuration features no, still need it for token auth

but it also:

• changes the ClientConfig::builder to enforce a particular order
• somehow breaks the magic From implementation for hyper_rustls::HttpsConnector

not sure i got it all correct, or if i have changed behaviour subly, but it compiles now and can run on some clusters.

edited out confusion about rustls

however, have currently not gotten the last From impl to work... It currently fails with:

error[E0277]: the trait bound `Arc<rustls::client::ClientConfig>: From<Arc<ClientConfig>>` is not satisfied
   --> kube-client/src/client/config_ext.rs:155:12
    |
155 |         Ok(hyper_rustls::HttpsConnector::from((http, rustls_config)))
    |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `From<Arc<ClientConfig>>` is not implemented for `Arc<rustls::client::ClientConfig>`
    |
    = help: the following implementations were found:
              <Arc<B> as From<Cow<'a, B>>>
              <Arc<CStr> as From<&CStr>>
              <Arc<CStr> as From<CString>>
              <Arc<OsStr> as From<&OsStr>>
            and 9 others
    = note: required because of the requirements on the impl of `Into<Arc<rustls::client::ClientConfig>>` for `Arc<ClientConfig>`
    = note: required because of the requirements on the impl of `From<(HttpConnector, Arc<ClientConfig>)>` for `HttpsConnector<HttpConnector>`

relies on the hyper-rustls rustls 0.20 branch

[kazk]

I guess hyper-rustls is not ready yet? rustls/hyper-rustls#156

[clux]

ok, thanks to the linked branch i have at least gotten it to work in the accept_invalid case (which i've enabled whenever there are no root certs because my token auth test cluster needs it to work - and don't want to edit kubeconfig because in kubectl get already works).

still fails on k3d like before thanks to the unrecognised cert.

EDIT: also looks like hyper_rustls::HttpsConnector::with_native_roots() is gone.

don't have any other clusters to test against, so any input beyond this is appreciated.

[kazk]

still fails on k3d like before thanks to the unrecognised cert.

You can work around that with the steps in #542.

don't have any other clusters to test against, so any input beyond this is appreciated.

Do you mind if I take it from here? I started playing with it, and got:

let config_builder = ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_store(root_certs)?);

let mut client_config = if let Some(auth) = identity_pem.map(client_auth).transpose()? {
    config_builder
        .with_single_cert(auth.cert_chain, auth.private_key)
        .map_err(|e| Error::SslError(format!("{}", e)))?
} else {
    config_builder.with_no_client_auth()
};

if accept_invalid {
    client_config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
}
Ok(client_config)

[clux]

Yeah, absolutely feel free to continue!

[kazk]

Superseded by #704. I think we're just waiting for hyper-rustls now.