respect the webpki-roots feature on the OAuth & OIDC clients

Signed-off-by: Elias Wilken <[email protected]>
nautik-io · Sep 28, 2024 · f5c33fe · f5c33fe
1 parent 05eee2e
commit f5c33fe
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/kube-client/src/client/auth/oauth.rs b/kube-client/src/client/auth/oauth.rs
@@ -118,13 +118,19 @@ impl Gcp {
                 // Current TLS feature precedence when more than one are set:
                 // 1. rustls-tls
                 // 2. openssl-tls
-                #[cfg(feature = "rustls-tls")]
+                #[cfg(all(feature = "rustls-tls", not(feature = "webpki-roots")))]
                 let https = hyper_rustls::HttpsConnectorBuilder::new()
                     .with_native_roots()
                     .map_err(Error::NoValidNativeRootCA)?
                     .https_only()
                     .enable_http1()
                     .build();
+                #[cfg(all(feature = "rustls-tls", feature = "webpki-roots"))]
+                let https = hyper_rustls::HttpsConnectorBuilder::new()
+                    .with_webpki_roots()
+                    .https_only()
+                    .enable_http1()
+                    .build();
                 #[cfg(all(not(feature = "rustls-tls"), feature = "openssl-tls"))]
                 let https =
                     hyper_openssl::HttpsConnector::new().map_err(Error::CreateOpensslHttpsConnector)?;

diff --git a/kube-client/src/client/auth/oidc.rs b/kube-client/src/client/auth/oidc.rs
@@ -313,13 +313,19 @@ impl Refresher {
             .install_default()
             .unwrap();
 
-        #[cfg(feature = "rustls-tls")]
+        #[cfg(all(feature = "rustls-tls", not(feature = "webpki-roots")))]
         let https = hyper_rustls::HttpsConnectorBuilder::new()
             .with_native_roots()
             .map_err(|_| errors::RefreshInitError::NoValidNativeRootCA)?
             .https_only()
             .enable_http1()
             .build();
+        #[cfg(all(feature = "rustls-tls", feature = "webpki-roots"))]
+        let https = hyper_rustls::HttpsConnectorBuilder::new()
+            .with_webpki_roots()
+            .https_only()
+            .enable_http1()
+            .build();
         #[cfg(all(not(feature = "rustls-tls"), feature = "openssl-tls"))]
         let https = hyper_openssl::HttpsConnector::new()?;