optional feature to use aws-lc-rs rustls feature (#1568)

Signed-off-by: Mikaël Cluseau <[email protected]>
kube-rs · Sep 6, 2024 · b7bdab9 · b7bdab9
1 parent 4f78137
commit b7bdab9
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 1 deletion.
diff --git a/deny.toml b/deny.toml
@@ -28,6 +28,9 @@ allow = [
     # Blanket addition for Unicode-3.0 libs for optional features (affects many deps, but it's a very clean license)
     # https://github.com/unicode-org/icu4x/blob/main/LICENSE
     "Unicode-3.0",
+    # Pulled in via aws_lc_rs when using rustls-tls and aws-lc-rs features
+    # https://openssl-library.org/source/license/index.html
+    "OpenSSL",
 ]
 
 exceptions = [
@@ -58,6 +61,9 @@ multiple-versions = "deny"
 [[bans.skip]]
 name = "hermit-abi"
 
+[[bans.skip]]
+name = "rustls-native-certs"
+
 [[bans.skip]]
 # Needs a complicated upgrade
 name = "syn"

diff --git a/justfile b/justfile
@@ -53,7 +53,8 @@ hack:
   time cargo hack check --feature-powerset --no-private -p kube \
     --skip=oauth,oidc \
     --group-features=socks5,http-proxy,gzip \
-    --group-features=admission,jsonpatch,derive
+    --group-features=admission,jsonpatch,derive \
+    --group-features=rustls-tls,aws-lc-rs
   # Test groups features with minimal overlap that are grouped to reduce combinations.
   # Without any grouping this test takes an hour and has to test >11k combinations.
   # Skipped oauth and oidc, as these compile fails without a tls stack.

diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml
@@ -14,6 +14,7 @@ categories = ["web-programming::http-client", "network-programming", "api-bindin
 [features]
 default = ["client"]
 rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
+aws-lc-rs = ["rustls?/aws-lc-rs"]
 openssl-tls = ["openssl", "hyper-openssl"]
 ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws", "tokio/macros"]
 kubelet-debug = ["ws", "kube-core/kubelet-debug"]

diff --git a/kube-client/src/client/auth/oidc.rs b/kube-client/src/client/auth/oidc.rs
@@ -308,6 +308,11 @@ impl Refresher {
         let client_id = get_field(Self::CONFIG_CLIENT_ID)?.into();
         let client_secret = get_field(Self::CONFIG_CLIENT_SECRET)?.into();
 
+        #[cfg(all(feature = "rustls-tls", feature = "aws-lc-rs"))]
+        rustls::crypto::aws_lc_rs::default_provider()
+            .install_default()
+            .unwrap();
+
         #[cfg(feature = "rustls-tls")]
         let https = hyper_rustls::HttpsConnectorBuilder::new()
             .with_native_roots()

diff --git a/kube-client/src/client/builder.rs b/kube-client/src/client/builder.rs
@@ -82,6 +82,15 @@ impl TryFrom<Config> for ClientBuilder<GenericService> {
         let mut connector = HttpConnector::new();
         connector.enforce_http(false);
 
+        #[cfg(all(feature = "aws-lc-rs", feature = "rustls-tls"))]
+        {
+            if rustls::crypto::CryptoProvider::get_default().is_none() {
+                // the only error here is if it's been initialized in between: we can ignore it
+                // since our semantic is only to set the default value if it does not exist.
+                let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+            }
+        }
+
         match config.proxy_url.as_ref() {
             #[cfg(feature = "socks5")]
             Some(proxy_url) if proxy_url.scheme_str() == Some("socks5") => {

diff --git a/kube/Cargo.toml b/kube/Cargo.toml
@@ -21,6 +21,7 @@ rustls-tls = ["kube-client/rustls-tls", "client"]
 
 # alternative features
 openssl-tls = ["kube-client/openssl-tls", "client"]
+aws-lc-rs = ["kube-client?/aws-lc-rs"]
 
 # auxiliary features
 ws = ["kube-client/ws", "kube-core/ws"]