From 55cfd5a6bf1fea2e70c169f4dada4f99f760c899 Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Thu, 21 Apr 2022 13:53:40 -0700 Subject: [PATCH 1/7] add false value to kubernetes_ca_cert framework path | remove check that required kubernetes_ca_cert to exist if token_reviewer_jwt is false --- path_config.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/path_config.go b/path_config.go index 460e9af8..53dce775 100644 --- a/path_config.go +++ b/path_config.go @@ -37,6 +37,7 @@ func pathConfig(b *kubeAuthBackend) *framework.Path { DisplayAttrs: &framework.DisplayAttributes{ Name: "Kubernetes CA Certificate", }, + Required: false, }, "token_reviewer_jwt": { Type: framework.TypeString, @@ -141,10 +142,6 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ } } - if disableLocalJWT && caCert == "" { - return logical.ErrorResponse("kubernetes_ca_cert must be given when disable_local_ca_jwt is true"), nil - } - config := &kubeConfig{ PublicKeys: make([]interface{}, len(pemList)), PEMKeys: pemList, @@ -181,7 +178,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ b.httpClient.Transport.(*http.Transport).TLSClientConfig = tlsConfig } - + var err error for i, pem := range pemList { config.PublicKeys[i], err = parsePublicKeyPEM([]byte(pem)) From 2793deac51f53dd69308748ef42dfbaa07d5530f Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Thu, 21 Apr 2022 13:54:40 -0700 Subject: [PATCH 2/7] format --- path_config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/path_config.go b/path_config.go index 53dce775..94ce2721 100644 --- a/path_config.go +++ b/path_config.go @@ -178,7 +178,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ b.httpClient.Transport.(*http.Transport).TLSClientConfig = tlsConfig } - + var err error for i, pem := range pemList { config.PublicKeys[i], err = parsePublicKeyPEM([]byte(pem)) 
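Review bot: Removing the `disableLocalJWT && caCert == ""` check in the `@@ -141` hunk of patch 1 lets a config with `disable_local_ca_jwt=true` and no `kubernetes_ca_cert` be accepted, but nothing gives that combination a usable trust store: the `if disableLocalJWT || len(caCert) > 0` branch (context in patch 4's `@@ -160` hunk) still fills a fresh `x509.NewCertPool()` from an empty PEM, so `tlsConfig.RootCAs` is an empty pool and every API call will presumably fail its TLS handshake at login time instead of the write being rejected. If the intent is to fall back to system roots for that case, the branch needs `certPool, err := x509.SystemCertPool()` before the append as well; otherwise keep a write-time rejection. In either case the ignored boolean from `AppendCertsFromPEM` should be acted on, e.g. `if !certPool.AppendCertsFromPEM([]byte(config.CACert)) && len(caCert) > 0 { return logical.ErrorResponse("kubernetes_ca_cert could not be parsed"), nil }`, so a malformed certificate is reported at config time. pathConfigWrite begins and ends outside this hunk.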
From 3de105f7651b7acef2f2b84c209cce2fc1596e9c Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Thu, 21 Apr 2022 13:59:35 -0700 Subject: [PATCH 3/7] adjust framework path so pem_keys are marked as non-required --- path_config.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/path_config.go b/path_config.go index 94ce2721..f02086a0 100644 --- a/path_config.go +++ b/path_config.go @@ -57,7 +57,9 @@ extracted. Not every installation of Kubernetes exposes these keys.`, DisplayAttrs: &framework.DisplayAttributes{ Name: "Service account verification keys", }, + Required: false, }, + "issuer": { Type: framework.TypeString, Deprecated: true, From 0027a145e05f0c43ae4f26f6bc1820b43cd71bcc Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Fri, 22 Apr 2022 15:21:40 -0700 Subject: [PATCH 4/7] use the system pool and add the localCACert | test for default path --- path_config.go | 10 ++++---- path_config_test.go | 56 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 4 deletions(-) diff --git a/path_config.go b/path_config.go index f02086a0..9d12bc5a 100644 --- a/path_config.go +++ b/path_config.go @@ -33,7 +33,7 @@ func pathConfig(b *kubeAuthBackend) *framework.Path { "kubernetes_ca_cert": { Type: framework.TypeString, - Description: "PEM encoded CA cert for use by the TLS client used to talk with the API.", + Description: "Optional PEM encoded CA cert for use by the TLS client used to talk with the API.", DisplayAttrs: &framework.DisplayAttributes{ Name: "Kubernetes CA Certificate", }, @@ -59,7 +59,6 @@ extracted. Not every installation of Kubernetes exposes these keys.`, }, Required: false, }, - "issuer": { Type: framework.TypeString, Deprecated: true, 
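Review bot: The new description in the `@@ -33` hunk of patch 4 marks `kubernetes_ca_cert` as optional but does not say what is trusted when it is omitted, which is the security-relevant half of the option. Reading the write path changed in the same patch, omitting it with `disable_local_ca_jwt` unset appears to append the in-cluster CA to the system root pool, while omitting it with `disable_local_ca_jwt=true` appears to leave an empty pool. Suggest `Description: "Optional PEM encoded CA cert for use by the TLS client used to talk with the API. If not set and disable_local_ca_jwt is false, the local service account CA is used together with the system root pool.",` so operators know which trust store they get; see also the Required field, where a short comment that the field is validated in pathConfigWrite would help.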
@@ -160,11 +159,11 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ // Determine if we load the local CA cert or the CA cert provided // by the kubernetes_ca_cert path into the backend's HTTP client - certPool := x509.NewCertPool() tlsConfig := &tls.Config{ MinVersion: tls.VersionTLS12, } if disableLocalJWT || len(caCert) > 0 { + certPool := x509.NewCertPool() certPool.AppendCertsFromPEM([]byte(config.CACert)) tlsConfig.RootCAs = certPool @@ -174,7 +173,10 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ if err != nil { return nil, err } - + certPool, err := x509.SystemCertPool() + if err != nil { + certPool = x509.NewCertPool() + } certPool.AppendCertsFromPEM([]byte(localCACert)) tlsConfig.RootCAs = certPool diff --git a/path_config_test.go b/path_config_test.go index 20afab63..e8b1e57c 100644 --- a/path_config_test.go +++ b/path_config_test.go 
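Review bot: In the `@@ -174` hunk the in-cluster branch now seeds the pool with `x509.SystemCertPool()`, so the API server is trusted if its certificate chains to any system root, not only to the cluster CA read from disk; that is a wider trust base than the dedicated pool the removed line built, and it deserves a comment at the `SystemCertPool` call and a changelog entry. With system roots underneath it, the still-ignored result of `certPool.AppendCertsFromPEM([]byte(localCACert))` no longer fails closed: a malformed local CA file silently degrades to system roots only, so the call should be checked, `if !certPool.AppendCertsFromPEM([]byte(localCACert)) { return nil, <error constructed with whatever error package this file already imports>("could not parse local CA cert") }`. The `if err != nil { certPool = x509.NewCertPool() }` fallback also drops the SystemCertPool error without a trace; at minimum a comment saying why an empty base pool is acceptable there is needed. The same unchecked `AppendCertsFromPEM` result appears in the `@@ -160` hunk above. pathConfigWrite begins and ends outside both hunks.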
@@ -535,6 +535,62 @@ func TestConfig_LocalJWTRenewal(t *testing.T) { } } +func TestConfig_SystemCaJWT(t *testing.T) { + testCases := map[string]struct { + config map[string]interface{} + setupInClusterFiles bool + expected *kubeConfig + }{ + "no CA or JWT, default to system": { + config: map[string]interface{}{ + "kubernetes_host": "host", + }, + setupInClusterFiles: true, + expected: &kubeConfig{ + PublicKeys: []interface{}{}, + PEMKeys: []string{}, + Host: "host", + CACert: testLocalCACert, + TokenReviewerJWT: testLocalJWT, + DisableISSValidation: true, + DisableLocalCAJwt: true, + }, + }, + } + + for name, tc := range testCases { + t.Run(name, func(t *testing.T) { + b, storage := getBackend(t) + + if tc.setupInClusterFiles { + cleanup := setupLocalFiles(t, b) + defer cleanup() + } + + req := &logical.Request{ + Operation: logical.CreateOperation, + Path: configPath, + Storage: storage, + Data: tc.config, + } + + resp, err := b.HandleRequest(context.Background(), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%s resp:%#v\n", err, resp) + } + + conf, err := b.(*kubeAuthBackend).loadConfig(context.Background(), storage) + if err != nil { + t.Fatal(err) + } + + if !reflect.DeepEqual(tc.expected, conf) { + t.Fatalf("expected did not match actual: expected %#v\n got %#v\n", tc.expected, conf) + } + }) + } +} + var testLocalCACert string = `-----BEGIN CERTIFICATE----- MIIDVDCCAjwCCQDFiyFY1M6afTANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJV UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEgMB4GA1UE From 36f8e8f074ec494def136c0b46e9ced60cd71604 Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Tue, 26 Apr 2022 11:41:09 -0700 Subject: [PATCH 5/7] update test path --- path_config_test.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/path_config_test.go b/path_config_test.go index e8b1e57c..1b8f2fd4 100644 --- a/path_config_test.go +++ b/path_config_test.go 
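Review bot: `TestConfig_SystemCaJWT` only compares the persisted `kubeConfig` with `reflect.DeepEqual`, and that struct is identical whether or not the system pool was installed, so the test does not exercise the behaviour patch 4 adds to `pathConfigWrite`. Consider also asserting on the transport the write configured, e.g. `tlsCfg := b.(*kubeAuthBackend).httpClient.Transport.(*http.Transport).TLSClientConfig` followed by `if tlsCfg.RootCAs == nil { t.Fatal("expected RootCAs to be set") }` (the field and type assertion are the ones used in the production hunk of patch 1). The `expected` value also sets `DisableLocalCAJwt: true` while the config map leaves `disable_local_ca_jwt` unset, so the case as written at this commit presumably fails; later patches in the series change it. The test file continues outside this hunk.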
@@ -535,17 +535,21 @@ func TestConfig_LocalJWTRenewal(t *testing.T) { } } -func TestConfig_SystemCaJWT(t *testing.T) { +func TestConfig_SystemCa(t *testing.T) { testCases := map[string]struct { config map[string]interface{} setupInClusterFiles bool expected *kubeConfig }{ - "no CA or JWT, default to system": { + "no CA default to system": { config: map[string]interface{}{ "kubernetes_host": "host", + "disable_local_ca_jwt": true, + "kubernetes_ca_cert": "", + }, setupInClusterFiles: true, + expected: &kubeConfig{ PublicKeys: []interface{}{}, PEMKeys: []string{}, From 486bee38c949b5c17c3516d5078890f39dcb604f Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Tue, 26 Apr 2022 11:45:29 -0700 Subject: [PATCH 6/7] format --- path_config_test.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/path_config_test.go b/path_config_test.go index 1b8f2fd4..f5d5f249 100644 --- a/path_config_test.go +++ b/path_config_test.go @@ -543,10 +543,9 @@ func TestConfig_SystemCa(t *testing.T) { }{ "no CA default to system": { config: map[string]interface{}{ - "kubernetes_host": "host", + "kubernetes_host": "host", "disable_local_ca_jwt": true, - "kubernetes_ca_cert": "", - + "kubernetes_ca_cert": "", }, setupInClusterFiles: true, From a0dfafee6502d974689c2ce60a30265583d37d1f Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Tue, 26 Apr 2022 11:48:07 -0700 Subject: [PATCH 7/7] disable_local_ca_jwt to false --- path_config_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/path_config_test.go b/path_config_test.go index f5d5f249..6e34140d 100644 --- a/path_config_test.go +++ b/path_config_test.go @@ -544,7 +544,7 @@ func TestConfig_SystemCa(t *testing.T) { "no CA default to system": { config: map[string]interface{}{ "kubernetes_host": "host", - "disable_local_ca_jwt": true, + "disable_local_ca_jwt": false, "kubernetes_ca_cert": "", }, setupInClusterFiles: true, 
@@ -556,7 +556,7 @@ func TestConfig_SystemCa(t *testing.T) { CACert: testLocalCACert, TokenReviewerJWT: testLocalJWT, DisableISSValidation: true, - DisableLocalCAJwt: true, + DisableLocalCAJwt: false, }, }, }
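Review bot: After flipping `disable_local_ca_jwt` to `false` in the config map (`@@ -544` on the previous line) and in the expectation here, the case named "no CA default to system" exercises the default in-cluster path, and the series is left with no test for `disable_local_ca_jwt=true` combined with an empty `kubernetes_ca_cert` — the combination patch 1 stopped rejecting at write time. Add a second table entry for that combination and pin its outcome, either the error response if it should still be rejected or a non-nil `RootCAs` on the backend transport if it is meant to use system roots, so the removed validation has a replacement check. The case name also no longer describes what it tests; `"no CA, local CA JWT enabled"` would be more accurate. TestConfig_SystemCa begins outside this hunk.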