
Conversation

tg123
Member

@tg123 tg123 commented Aug 26, 2025

No description provided.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 26, 2025
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 26, 2025
@tg123 tg123 requested a review from Copilot August 26, 2025 21:39
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates certificate validation to use .NET 5.0+ custom trust store functionality for more secure certificate validation against Kubernetes clusters. The changes ensure that only explicitly trusted CA certificates are used for validation, rather than allowing unknown certificate authorities.

  • Replaces legacy ExtraStore and AllowUnknownCertificateAuthority with modern CustomTrustStore and CustomRootTrust
  • Adds platform compatibility check with explicit exception for unsupported platforms
  • Introduces comprehensive test coverage for certificate validation rejection scenarios

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
src/KubernetesClient/Kubernetes.ConfigInit.cs Updates certificate validation logic to use .NET 5.0+ custom trust store
tests/KubernetesClient.Tests/CertificateValidationTests.cs Adds test to verify rejection of certificates from untrusted CAs

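To see what the switch to CustomRootTrust described above actually buys, here is an added example written for this page; it is not code from the kubernetes-client/csharp PR or from the project. It generates a throwaway cluster CA and a rogue CA, issues a serverAuth leaf from each, and checks every leaf against a chain policy whose only roots are the CAs in CustomTrustStore. The CA names, the hostname, the 90-day lifetime and the Validate helper are assumptions; Validate is the kind of routine a ServerCertificateCustomValidationCallback would invoke with the CA data from a kubeconfig, which is how the client's validation is assumed (not confirmed by this page) to be wired.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the kubernetes-client/csharp PR. Shows the
// .NET 5.0+ CustomRootTrust chain policy the PR switches to: only CAs placed
// in CustomTrustStore are roots; a CA that is merely in ExtraStore is not.
public static class CustomTrustDemo
{
    // Build a throwaway self-signed CA (constructed test data, not a real cluster CA).
    // The caller keeps `key` alive for as long as the returned certificate is used.
    public static X509Certificate2 MakeCa(string cn, RSA key)
    {
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        // An SKI on the issuer lets Create() emit a matching AKI on each leaf.
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Issue a serverAuth leaf signed by `issuer`, using a random positive serial
    // rather than a fixed magic value.
    public static X509Certificate2 IssueLeaf(X509Certificate2 issuer, RSA leafKey, string cn)
    {
        var req = new CertificateRequest($"CN={cn}", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, true)); // id-kp-serverAuth
        byte[] serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] = (byte)((serial[0] & 0x7F) | 0x40); // positive and non-zero
        return req.Create(issuer, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(90), serial);
    }

    // Validate `server` against an explicit set of trusted CAs. The machine's root
    // store is never consulted. `extra` mirrors the legacy ExtraStore usage: it is
    // searched for intermediates only and is never treated as a trusted root.
    public static (bool Trusted, string Status) Validate(
        X509Certificate2 server, X509Certificate2Collection trustedCas, X509Certificate2Collection extra = null)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(trustedCas);
        if (extra != null)
        {
            chain.ChainPolicy.ExtraStore.AddRange(extra);
        }
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // the demo CA publishes no CRL
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(server);
        string status = ok ? "OK" : string.Join(",", chain.ChainStatus.Select(s => s.Status));
        return (ok, status);
    }

    public static void Main()
    {
        using RSA caKey = RSA.Create(2048);
        using RSA rogueKey = RSA.Create(2048);
        using RSA leafKey = RSA.Create(2048);
        using X509Certificate2 clusterCa = MakeCa("demo-cluster-ca", caKey);
        using X509Certificate2 rogueCa = MakeCa("rogue-ca", rogueKey);
        using X509Certificate2 good = IssueLeaf(clusterCa, leafKey, "kubernetes.default.svc");
        using X509Certificate2 bad = IssueLeaf(rogueCa, leafKey, "kubernetes.default.svc");

        var trusted = new X509Certificate2Collection { clusterCa };
        Console.WriteLine($"leaf from cluster CA:          {Validate(good, trusted)}");
        Console.WriteLine($"leaf from unknown CA:          {Validate(bad, trusted)}");
        // The legacy ExtraStore + AllowUnknownCertificateAuthority path would accept this;
        // under CustomRootTrust the rogue CA offered via ExtraStore is still an untrusted root.
        Console.WriteLine($"unknown CA in ExtraStore only: {Validate(bad, trusted, new X509Certificate2Collection { rogueCa })}");
    }
}
```

Only the first line reports a trusted chain. The second leaf fails because its issuer is unknown to the policy (typically PartialChain), and the third fails even though the rogue CA is supplied, because ExtraStore never confers root trust under CustomRootTrust; the removed AllowUnknownCertificateAuthority flag masked exactly that UntrustedRoot status. X509ChainTrustMode and CustomTrustStore exist only on .NET 5.0 and later, so a code base that also builds for older targets needs a guard before using them, consistent with the explicit exception the PR throws on unsupported platforms. RevocationMode.NoCheck is set only because the demo CA has no CRL; keep the project's own revocation setting in real validation.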

req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, true)); // id-kp-serverAuth

// Sign the request with the test CA; the last argument is the serial number.
return req.Create(issuerCA, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(90), new byte[] { 1, 2, 3, 4 });

Copilot AI Aug 26, 2025


The serial number byte array { 1, 2, 3, 4 } is a magic value. Consider defining it as a named constant or generating a proper serial number to make the test more maintainable.


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@brendandburns
Contributor

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 27, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, tg123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [brendandburns,tg123]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 27, 2025
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@brendandburns
Contributor

/lgtm
