java client is not taking the updated ca.crt/token and error out

[suryag10]

Describe the bug
updated ca.crt/token are not considered by the java k8s client and errors out
java.util.concurrent.ExecutionException: io.kubernetes.client.openapi.ApiException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

Client Version
17.0.2

Kubernetes Version
1.21.12

Java Version
openjdk 17.0.12 2024-07-16 LTS

To Reproduce
update the k8s ca.crt and token with the new certificates.

Expected behavior
Java client should consider the latest ca.crt and token and K8S API access should succeed

Server (please complete the following information):

• OS: Linux
• Environment : Container
• Cloud : Vanilla K8S

[suryag10]

Any Help here?

[brendandburns]

Yeah, the current auth code doesn't reload certificates if the files change. It would be a fairly significant effort to do so, but if you wanted to take it on, we'd be happy to review the design/PRs.

[suryag10]

Thanks @brendandburns , Will check if i can submit the PR for the same.

[Hakky54]

Yeah, the current auth code doesn't reload certificates if the files change. It would be a fairly significant effort to do so, but if you wanted to take it on, we'd be happy to review the design/PRs.

I have a library which makes it easy to reload the ssl while listening for file changes. See here https://github.com/Hakky54/sslcontext-kickstart?tab=readme-ov-file#support-for-reloading-ssl-at-runtime

I can also initiate a PR if you want

[suryag10]

@Hakky54 Sure, can you please provide the patch? I will also check from my side.

[Hakky54]

Hi @suryag10 and @brendandburns I added my PR for adding this feature to kubernetes-client, see here: #3927
Can you guys maybe have a look at it and check whether this solution will work for you

[brendandburns]

I would rather that we fixed this via the isExpired method on the Authenticator class (or we refactored authenticator to accommodate any changes needed for reloading).

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[Hakky54]

I dropped a new comment couple of days ago on the PR which I created before, not quite sure whether someone noticed it, but I copy it here.

I have the feeling that there is no progress yet with a different implementation for reloading ssl. Would you like to reconsider this PR #3927 for this feature request?

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten