example of client with mutual tls #211

Closed
Masber opened this issue Jul 4, 2023 · 3 comments

Comments

@Masber

Masber commented Jul 4, 2023

Hi,

I am trying to create a hyper client with mutual TLS and using rustls to handle the certificates. The certificates are self-signed. I can get the communication working, but I am missing the part where I specify the client cert... my work is based on this example https://github.com/rustls/hyper-rustls/blob/main/examples/client.rs

Maybe the solution is there but I could not find it...

This is my example:

```rust
let mut http_connector = hyper::client::HttpConnector::new();
http_connector.enforce_http(false);
let socks_http_connector = SocksConnector {
    proxy_addr: std::env::var("SOCKS5").unwrap().parse::<Uri>().unwrap(), // scheme is required by HttpConnector
    auth: None,
    connector: http_connector.clone(),
};

// Get CA root cert
let mut ca_root_cert_pem_decoded: &[u8] = &base64::decode(
    shasta_k8s_secrets["certificate-authority-data"]
        .as_str()
        .unwrap(),
)?;

let ca_root_cert = rustls_pemfile::certs(&mut ca_root_cert_pem_decoded)?;

// Import CA cert into rustls ROOT certificate store
let mut root_cert_store = tokio_rustls::rustls::RootCertStore::empty();

root_cert_store.add_parsable_certificates(&ca_root_cert);

// Create HTTPS connector
let rustls_config = tokio_rustls::rustls::ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_cert_store)
    .with_no_client_auth();

let rustls_config = std::sync::Arc::new(rustls_config);

let args = (socks_http_connector, rustls_config);
let https_socks_http_connector = hyper_rustls::HttpsConnector::from(args);

// Incomplete statement in the original (no semicolon, and `config` is the kube::Config,
// not a rustls ClientConfig); commented out so the rest of the snippet compiles.
// let https_connector_test = hyper_rustls::HttpsConnectorBuilder::new().with_tls_config(config)

// Create HTTPS client
let hyper_client = hyper::Client::builder().build(https_socks_http_connector);

let service = tower::ServiceBuilder::new()
    .layer(config.base_uri_layer())
    .service(hyper_client);

kube::Client::new(service, config.default_namespace)
```

And I am getting an unauthorized error:

```
Err(
    Api(
        ErrorResponse {
            status: "Failure",
            message: "pods is forbidden: User \"system:anonymous\" cannot list resource \"pods\" in API group \"\" in the namespace \"cicd\"",
            reason: "Forbidden",
            code: 403,
        },
    ),
)
```

I am assuming this is because I have not injected the client cert into the request. I am looking for some guidance on how to do the client authentication.

Thank you very much.

@cpu
Member

cpu commented Jul 4, 2023

Hi again 👋

Your example has:

```rust
// Create HTTPS connector
let rustls_config = tokio_rustls::rustls::ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_cert_store)
    .with_no_client_auth();
```

To have your client offer a client certificate during the handshake for mTLS, you will want to replace the with_no_client_auth() portion with a call to with_single_cert(...): https://docs.rs/rustls/latest/rustls/struct.ConfigBuilder.html#method.with_single_cert

You can use rustls_pemfile to load a Certificate and PrivateKey from PEM files to have the required arguments in hand. Rustls' tlsclient-mio example program over in the main Rustls repo is a pretty good example to reference: https://github.com/rustls/rustls/blob/0018e7586c2dc689eb9e1ba8e0283c0f24b9fe8c/examples/src/bin/tlsclient-mio.rs#L414-L426

Hope those are helpful pointers :-)
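As an added, std-only illustration of the loading step described above (this is not hyper-rustls or rustls_pemfile code), the block below walks a PEM file section by section, base64-decodes each body, and splits the result into the certificate chain and private key that with_single_cert() takes; a PEM that carries certificates but no key is rejected, because that is exactly the "no identity offered" state behind the system:anonymous error in the issue. Section labels are standard PEM conventions; the sample bytes in the tests are constructed.

```rust
// Added, std-only illustration of the PEM loading step (not rustls_pemfile itself).
#[derive(Debug, PartialEq)]
pub enum PemItem { Cert(Vec<u8>), Key(Vec<u8>) }
/// Minimal base64 decoder; whitespace and '=' padding are skipped.
pub fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut buf, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        buf = (buf << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((buf >> bits) as u8); buf &= (1 << bits) - 1; }
    }
    Some(out)
}

/// Walk the PEM text section by section and DER-decode each body.
pub fn read_pem(pem: &str) -> Vec<PemItem> {
    let (mut items, mut cur) = (Vec::new(), None::<(String, String)>);
    for line in pem.lines().map(str::trim) {
        if let Some(l) = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----")) {
            cur = Some((l.to_string(), String::new()));
        } else if line.starts_with("-----END ") {
            if let Some((label, der)) = cur.take().and_then(|(l, b)| Some((l, b64_decode(&b)?))) {
                match label.as_str() {
                    "CERTIFICATE" => items.push(PemItem::Cert(der)),
                    // PKCS#8, PKCS#1 and SEC1 keys, the kinds rustls_pemfile recognises
                    "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY" => items.push(PemItem::Key(der)),
                    _ => {} // other sections (e.g. CERTIFICATE REQUEST) are ignored
                }
            }
        } else if let Some((_, body)) = cur.as_mut() {
            body.push_str(line); // body lines are accumulated until the END marker
        }
    }
    items
}

/// The (chain, key) pair for with_single_cert(); a missing key is an error here,
/// because without it the client offers no identity and the API server sees system:anonymous.
pub fn client_identity(pem: &str) -> Result<(Vec<Vec<u8>>, Vec<u8>), String> {
    let (mut chain, mut key) = (Vec::new(), None);
    for item in read_pem(pem) {
        match item { PemItem::Cert(d) => chain.push(d), PemItem::Key(d) => { key.get_or_insert(d); } }
    }
    match (chain.is_empty(), key) {
        (true, _) => Err("no CERTIFICATE section in client PEM".into()),
        (_, None) => Err("no private key in client PEM".into()),
        (false, Some(k)) => Ok((chain, k)),
    }
}
```

With the real crates, the same two values come from rustls_pemfile::certs(...) and rustls_pemfile::pkcs8_private_keys(...) (or the rsa/ec variants), wrapped in rustls Certificate and PrivateKey and passed to with_single_cert(chain, key).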

@Masber
Author

Masber commented Jul 4, 2023

Yes, got it working...

thank you very much again :D

and have a nice weekend!

@Masber Masber closed this as completed Jul 4, 2023
@cpu
Member

cpu commented Jul 5, 2023

Glad to hear it!
