kubeclient 4.9.2 → 4.9.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9220de071696f945ccb667a13ea89c697d935f97abaabad9350bf8d39596d0b3
4
- data.tar.gz: 508742ac151675cc00e0dda915f5f44cb5622c90ad56aa97de06967880925297
3
+ metadata.gz: 3f402a08fef66f160df49d507487769073b248828869a2c874d78e947b1d6686
4
+ data.tar.gz: 5d371f47861538f1e3e9deced8d1c41be1e0ca857ab8ed0607a75417948bb6f6
5
5
  SHA512:
6
- metadata.gz: ab7ec603082fd9c11089e721ebb7d98bdd4092b76f9d173f3075351db41c4ab76ca2e8cf2a54818bf0f6bc5d9749ed64dc51af262acc93c527ba0a4e1b1637cb
7
- data.tar.gz: daaf00389fbd89a5eff46397e4a176de5fb540a292a706c093c289f476c250f1cdb7caaad3fa3a865841704c1a141be6861d189f8a59bda2dcff35581742e981
6
+ metadata.gz: f06a16d02e150194d06a4aa2c37a23bd1b7bbef4daca379ed7f60dd9581310b98cd3026d86e90b1b23d861fe6186d05e003d41380cb1edeaf7a2e52ccc594520
7
+ data.tar.gz: 7fbceb84c48af3bf4f28eadb05a2807a61196a26a66d72eb836ee5faa23d9a22fb1bd8e76fd16febd794007f1f0fd487000db40f543143789d33225c2350ccd0
@@ -10,18 +10,24 @@ on:
10
10
  - '**'
11
11
  jobs:
12
12
  build:
13
- runs-on: ${{ matrix.os }}
13
+ continue-on-error: true
14
+ runs-on: ${{ matrix.os_and_command.os }}
14
15
  strategy:
15
16
  matrix:
16
- ruby: [ '2.5', '2.6', '2.7', '3.0', 'truffleruby-head' ]
17
- os: ['ubuntu-latest', 'macos-latest']
18
- task: [test]
17
+ ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1', 'ruby-head', 'truffleruby-head' ]
18
+ os_and_command:
19
+ - os: 'macos-latest'
20
+ command: 'env TESTOPTS="--verbose" bundle exec rake test'
21
+ - os: ubuntu-latest
22
+ # Sometimes minitest starts and then just hangs printing nothing.
23
+ # Github by default kills after 6hours(!). Hopefully SIGTERM may let it print some details?
24
+ command: 'timeout --signal=TERM 3m env TESTOPTS="--verbose" test/config/update_certs_k0s.rb'
19
25
  include:
20
26
  # run rubocop against lowest supported ruby
21
27
  - os: ubuntu-latest
22
28
  ruby: '2.5'
23
- task: rubocop
24
- name: ${{ matrix.os }} ${{ matrix.ruby }} rake ${{ matrix.task }}
29
+ command: 'bundle exec rake rubocop'
30
+ name: ${{ matrix.os_and_command.os }} ${{ matrix.ruby }} rake ${{ matrix.os_and_command.command }}
25
31
  steps:
26
32
  - uses: actions/checkout@v2
27
33
  # actions/setup-ruby did not support truffle or bundler caching
@@ -31,5 +37,6 @@ jobs:
31
37
  bundler-cache: false # disable running 'bundle install' and caching installed gems see https://github.com/httprb/http/issues/572
32
38
  - run: gem install rake bundler
33
39
  - run: bundle install
34
- - run: bundle exec rake ${{ matrix.task }}
40
+ - run: ${{ matrix.os_and_command.command }}
41
+ timeout-minutes: 10
35
42
 
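Review bot: `continue-on-error: true` added at job level on the `build:` job (the line inserted before `runs-on` in the first hunk) makes every matrix leg report success even when the tests or rubocop fail, so a red run no longer blocks merges; if the intent is to tolerate only the `ruby-head`/`truffleruby-head` legs, scope it with a matrix flag, e.g. add `experimental: true` to those entries under `include:` and set `continue-on-error: ${{ matrix.experimental == true }}`. In the second hunk, `run: ${{ matrix.os_and_command.command }}` interpolates an expression straight into the shell; the values are literals defined in this workflow's own matrix, so it is safe as written, but a comment such as `# command values must stay literals defined in this file, never derived from event context` would keep later edits from weakening that. The `os:` values are also quoted inconsistently (`'macos-latest'` vs `ubuntu-latest`); pick one style.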
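--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -4,6 +4,45 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.9.3 — 2021-03-23
+
+### Fixed
+
+- VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA
+(normal situation for production clusters with public domain and certificate!),
+`Config` was returning ssl_options[:verify_ssl] hard-coded to `VERIFY_NONE` :-(
+
+Assuming you passed those ssl_options to Kubeclient::Client, this means that
+instead of checking server's certificate against your system CA store,
+it would accept ANY certificate, allowing easy man-in-the middle attacks.
+
+This is especially dangerous with user/password or token credentials
+because MITM attacker could simply steal those credentials to the cluster
+and do anything you could do on the cluster.
+
+This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
+[`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).
+
+- Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
+When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.
+
+Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
+`insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.
+
+- `Config`: fixed parsing of `certificate-authority` file containing concatenation of
+several certificates. Previously, server's cert was checked against only first CA cert,
+resulting in possible "certificate verify failed" errors.
+
+An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA
+itself is signed by another custom CA.
+But also helps when you simply concatenate independent certs. (#461, #552)
+
+- Still broken (#460): inline `certificate-authority-data` is still parsed using `add_cert`
+method that handles only one cert.
+
+These don't affect code that supplies `Client` parameters directly,
+only code that uses `Config`.
+
 ## 4.9.2 — 2021-05-30
 
 ### Added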
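--- a/data/README.md
+++ b/data/README.md
@@ -9,6 +9,13 @@ The client supports GET, POST, PUT, DELETE on all the entities available in kube
 The client currently supports Kubernetes REST api version v1.
 To learn more about groups and versions in kubernetes refer to [k8s docs](https://kubernetes.io/docs/api/)
 
+## VULNERABILITY❗
+
+If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
+endangering your connection and cluster credentials.
+See [latest CHANGELOG.md](https://github.com/ManageIQ/kubeclient/blob/master/CHANGELOG.md) for details and which versions got a fix.
+Open an issue if you want a backport to another version.
+
 ## Installation
 
 Add this line to your application's Gemfile: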
data/kubeclient.gemspec CHANGED
@@ -31,6 +31,7 @@ Gem::Specification.new do |spec|
31
31
  spec.add_development_dependency 'googleauth', '~> 0.5.1'
32
32
  spec.add_development_dependency('mocha', '~> 1.5')
33
33
  spec.add_development_dependency 'openid_connect', '~> 1.1'
34
+ spec.add_development_dependency 'net-smtp'
34
35
 
35
36
  spec.add_dependency 'jsonpath', '~> 1.0'
36
37
  spec.add_dependency 'rest-client', '~> 2.0'
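Review bot: The new `spec.add_development_dependency 'net-smtp'` carries no version constraint, unlike every neighbouring development dependency in this block (`'~> 0.5.1'`, `'~> 1.5'`, `'~> 1.1'`), so any future major release is accepted without review. The reason for the addition is not stated either; it is presumably related to the newly tested Ruby 3.1, where net-smtp is no longer a default gem, but that should be confirmed and recorded, e.g. `# net-smtp stopped being a default gem in Ruby 3.1; needed by the test dependencies — TODO confirm`. Adding a `'~> 0.3'`-style constraint matching whatever version CI resolves would make it consistent with the rest of the file.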
@@ -51,20 +51,22 @@ module Kubeclient
51
51
  user['exec_result'] = ExecCredentials.run(exec_opts)
52
52
  end
53
53
 
54
- ca_cert_data = fetch_cluster_ca_data(cluster)
55
54
  client_cert_data = fetch_user_cert_data(user)
56
55
  client_key_data = fetch_user_key_data(user)
57
56
  auth_options = fetch_user_auth_options(user)
58
57
 
59
58
  ssl_options = {}
60
59
 
61
- if !ca_cert_data.nil?
60
+ ssl_options[:verify_ssl] = if cluster['insecure-skip-tls-verify'] == true
61
+ OpenSSL::SSL::VERIFY_NONE
62
+ else
63
+ OpenSSL::SSL::VERIFY_PEER
64
+ end
65
+
66
+ if cluster_ca_data?(cluster)
62
67
  cert_store = OpenSSL::X509::Store.new
63
- cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
64
- ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
68
+ populate_cert_store_from_cluster_ca_data(cluster, cert_store)
65
69
  ssl_options[:cert_store] = cert_store
66
- else
67
- ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE
68
70
  end
69
71
 
70
72
  unless client_cert_data.nil?
@@ -131,11 +133,16 @@ module Kubeclient
131
133
  [cluster, user, namespace]
132
134
  end
133
135
 
134
- def fetch_cluster_ca_data(cluster)
136
+ def cluster_ca_data?(cluster)
137
+ cluster.key?('certificate-authority') || cluster.key?('certificate-authority-data')
138
+ end
139
+
140
+ def populate_cert_store_from_cluster_ca_data(cluster, cert_store)
135
141
  if cluster.key?('certificate-authority')
136
- File.read(ext_file_path(cluster['certificate-authority']))
142
+ cert_store.add_file(ext_file_path(cluster['certificate-authority']))
137
143
  elsif cluster.key?('certificate-authority-data')
138
- Base64.decode64(cluster['certificate-authority-data'])
144
+ ca_cert_data = Base64.decode64(cluster['certificate-authority-data'])
145
+ cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
139
146
  end
140
147
  end
141
148
 
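Review bot: In `populate_cert_store_from_cluster_ca_data`, the `certificate-authority-data` branch still hands the whole decoded blob to `OpenSSL::X509::Certificate.new`, which parses only the first PEM block, so an inline CA bundle (root plus intermediate) is handled differently from the file branch that now uses `add_file`; the CHANGELOG in this same release lists this as still open. Iterating over the PEM blocks would make the two branches equivalent: `ca_cert_data.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)` followed by `.each { |pem| cert_store.add_cert(OpenSSL::X509::Certificate.new(pem)) }`. The strict `== true` comparison on `insecure-skip-tls-verify` is a good fail-safe choice, since a string such as `'true'` keeps `VERIFY_PEER`; a short comment saying so would stop someone "fixing" it to a truthiness check. The method containing the first hunk begins before the hunk.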
@@ -1,4 +1,4 @@
1
1
  # Kubernetes REST-API Client
2
2
  module Kubeclient
3
- VERSION = '4.9.2'.freeze
3
+ VERSION = '4.9.3'.freeze
4
4
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: kubeclient
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.9.2
4
+ version: 4.9.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Alissa Bonas
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-05-30 00:00:00.000000000 Z
11
+ date: 2022-03-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -150,6 +150,20 @@ dependencies:
150
150
  - - "~>"
151
151
  - !ruby/object:Gem::Version
152
152
  version: '1.1'
153
+ - !ruby/object:Gem::Dependency
154
+ name: net-smtp
155
+ requirement: !ruby/object:Gem::Requirement
156
+ requirements:
157
+ - - ">="
158
+ - !ruby/object:Gem::Version
159
+ version: '0'
160
+ type: :development
161
+ prerelease: false
162
+ version_requirements: !ruby/object:Gem::Requirement
163
+ requirements:
164
+ - - ">="
165
+ - !ruby/object:Gem::Version
166
+ version: '0'
153
167
  - !ruby/object:Gem::Dependency
154
168
  name: jsonpath
155
169
  requirement: !ruby/object:Gem::Requirement
@@ -270,7 +284,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
270
284
  - !ruby/object:Gem::Version
271
285
  version: '0'
272
286
  requirements: []
273
- rubygems_version: 3.2.3
287
+ rubygems_version: 3.3.3
274
288
  signing_key:
275
289
  specification_version: 4
276
290
  summary: A client for Kubernetes REST api