Add support for EC private keys #804

Merged
merged 4 commits into from Feb 19, 2022

@farcaller farcaller commented Feb 4, 2022

Motivation

Allows using kube-rs with, e.g., k3s and k3d default installs that use SEC1 private keys.

Solution

This depends on

@farcaller
Contributor Author

Note that this PR alone won't be enough to make k3s work as the default kubeconfig uses IP addresses. The relevant feature request is here: briansmith/webpki#54.

@kazk kazk linked an issue Feb 5, 2022 that may be closed by this pull request
@clux clux added the changelog-add changelog added category for prs label Feb 13, 2022
@clux
Member

clux commented Feb 13, 2022

Realised that the jobs here never ran, hence the sudden activity. The red deny ❌ looks like what was fixed in master.

Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com>
@farcaller farcaller marked this pull request as ready for review February 13, 2022 17:45
@farcaller
Contributor Author

The deps caught up, this is now ready for review.

@clux
Member

clux commented Feb 14, 2022

CI test failure remaining on cargo-deny: hyper-rustls brings in an older version of rustls-pemfile.
Looks like this will be resolved by rustls/hyper-rustls#165

@clux
Member

clux commented Feb 14, 2022

Can confirm that this works on k3d (with the old dns bypass) 🎉

Earlier error:

  • Error: rustls tls error: identity PEM is missing a private key: the key must be PKCS8 or RSA/PKCS1

New bypassable error:

  • Error: failed to perform initial object list: HyperError: error trying to connect: invalid dnsname

Bypass: #153 (add localhost entry to /etc/hosts and change the kube/config cluster.server url to use localhost)

@farcaller: it's nothing major, all the real tests pass, and the PR works perfectly 👍. The failing check is cargo-deny, which you can run locally with `make deny` - it's just trying to limit multiple versions of dependencies in the dependency tree. It's possible we can put a bypass for it (this is an important fix after all), but it would be nicer if hyper-rustls made a release with the updated pemfile dep.

@clux clux added this to the 0.70.0 milestone Feb 14, 2022
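
The key-format gap behind the earlier error quoted above, as an added example that is not part of this PR or of kube-rs: a std-only Rust check that reports which private-key encodings a PEM identity carries, judged by its armor labels. The names `key_formats`, `first_usable` and `K3S_STYLE_IDENTITY` are hypothetical, the sample bodies are placeholders, and the `accept_sec1` switch is an assumption modelling the PKCS8/RSA-only acceptance that the error message describes.

```rust
/// Private-key encodings, identified by PEM armor label.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum KeyFormat { Pkcs8, Pkcs1, Sec1 }

// Constructed sample: the armor labels are real, the bodies are placeholders, not keys.
pub const K3S_STYLE_IDENTITY: &str = "\
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
Y29uc3RydWN0ZWQ=
-----END EC PRIVATE KEY-----
";

/// Extract the label from an armor line such as `-----BEGIN EC PRIVATE KEY-----`.
fn armor<'a>(line: &'a str, edge: &str) -> Option<&'a str> {
    line.strip_prefix(edge)?.strip_suffix("-----")
}

/// Formats of all properly terminated private-key blocks in `pem` (bodies are not decoded).
pub fn key_formats(pem: &str) -> Vec<KeyFormat> {
    let mut found = Vec::new();
    let mut open: Option<(&str, KeyFormat)> = None;
    for line in pem.lines().map(str::trim) {
        if let Some((label, fmt)) = open {
            if armor(line, "-----END ") == Some(label) {
                found.push(fmt);
                open = None;
            }
            continue;
        }
        open = armor(line, "-----BEGIN ").and_then(|label| match label {
            "PRIVATE KEY" => Some((label, KeyFormat::Pkcs8)),
            "RSA PRIVATE KEY" => Some((label, KeyFormat::Pkcs1)),
            "EC PRIVATE KEY" => Some((label, KeyFormat::Sec1)),
            _ => None, // certificates and other blocks are skipped
        });
    }
    found
}

/// First key a loader would pick; `accept_sec1 = false` models PKCS8/RSA-only acceptance.
pub fn first_usable(pem: &str, accept_sec1: bool) -> Option<KeyFormat> {
    key_formats(pem).into_iter().find(|f| accept_sec1 || *f != KeyFormat::Sec1)
}

fn main() {
    let id = K3S_STYLE_IDENTITY;
    println!("PKCS8/RSA only: {:?}, with SEC1: {:?}", first_usable(id, false), first_usable(id, true));
}
```
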
@clux
Member

clux commented Feb 14, 2022

We will add an override file for this after making a 0.69 release (today/tomorrow), and merge this right after. Then hopefully the ecosystem acquires internal consistency in the meantime (or else the 0.70 release will be released with the override).

In either case, I don't want to delay this too much, but want to try to keep the set of dependencies consistent.

@clux
Member

clux commented Feb 19, 2022

Override added so all checks passing now. Merging.

Thanks again!

Successfully merging this pull request may close these issues.

rustls cannot use client-key in EC Private Keys format