[PR] Support raw data for SSL certs, pkeys, and CA #244

Closed
kopf-archiver bot opened this issue Aug 18, 2020 · 0 comments
Labels
archive bug Something isn't working


kopf-archiver bot commented Aug 18, 2020

A pull request by nolar at 2019-11-19 22:47:45+00:00
Original URL: zalando-incubator/kopf#244
Merged by nolar at 2019-11-20 01:11:44+00:00

Issue: follow-up for #226, extra fix for #242

Description

In #226, custom authentication was added, with CA/SSL-cert/SSL-pkey accepted both as path and data — similar to how it is stored in the ~/.kube/config.

However, data fields were ignored and not handled in any way.

This PR should fix this.

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)

Commented by dneuhaeuser-zalando at 2019-11-19 23:15:59+00:00
 

As I already wrote in the other PR, tests would be good. Also I'm suspicious of the temporary file handling. You're not cleaning them up, so I guess they leak and you eventually run out of memory/disk space, right?


Commented by nolar at 2019-11-20 00:56:24+00:00
 

dneuhaeuser-zalando Indeed, they will be leaking. I've taken that from the pykube-ng's code. Kubernetes client does the same (1, 2), just cleans the files at exit. So, the approach is as secure as anything else in this field.

I have now fixed it to also purge it — just not atexit, but on the garbage collection of an API session, which probably prevents the leakages for long-running operators. I.e., the files are kept as long as they are actually used, not as long as the operator runs.

And there are now a few tests. But they do not cover everything — I didn't find how to extract a parsed client certificate or even its existence from an SSLContext object. It is more or less testable with CAs.

@kopf-archiver kopf-archiver bot closed this as completed Aug 18, 2020
@kopf-archiver kopf-archiver bot changed the title [archival placeholder] [PR] Support raw data for SSL certs, pkeys, and CA Aug 19, 2020
@kopf-archiver kopf-archiver bot added the bug Something isn't working label Aug 19, 2020
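
The cleanup strategy discussed in this thread (raw certificate/key data written to temporary files that are purged when the API session is garbage-collected, not only at exit), as an added example that is not the code of kopf, pykube-ng or the Kubernetes client. `Session`, `materialise`, `_purge` and the sample values are hypothetical names and constructed data.

```python
import base64
import os
import tempfile
import weakref

# Constructed sample values standing in for kubeconfig "*-data" fields.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed certificate bytes\n").decode()
SAMPLE_KEY_B64 = base64.b64encode(b"constructed private key bytes\n").decode()


class Session:
    """Hypothetical stand-in for an API session (assumption, not kopf's class)."""


def _purge(paths):
    """Delete the given files, tolerating ones that are already gone."""
    for path in paths:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def materialise(owner, **fields_b64):
    """Write base64 fields to private temp files that live as long as `owner`."""
    # Decode everything first so a malformed field leaves no files behind.
    decoded = {k: base64.b64decode(v, validate=True) for k, v in fields_b64.items()}
    paths = {}
    try:
        for name, raw in decoded.items():
            # mkstemp opens with O_EXCL and mode 0600: other local users
            # cannot read the private key while it sits on disk.
            fd, path = tempfile.mkstemp(prefix=f"{name}-", suffix=".pem")
            paths[name] = path
            with os.fdopen(fd, "wb") as f:
                f.write(raw)
    except BaseException:
        _purge(list(paths.values()))
        raise
    # Runs when `owner` is garbage-collected, or at interpreter exit if it is
    # still alive then. The callback must not hold a reference to `owner`.
    weakref.finalize(owner, _purge, list(paths.values()))
    return paths


if __name__ == "__main__":
    session = Session()
    files = materialise(session, cert=SAMPLE_CERT_B64, key=SAMPLE_KEY_B64)
    print("in use:", all(os.path.exists(p) for p in files.values()))
    del session  # CPython frees the object here and the finalizer fires
    print("purged:", not any(os.path.exists(p) for p in files.values()))
```

The finalizer does not cover a hard kill (SIGKILL, OOM), so key material can still remain in the temp directory in that case.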