diff --git a/docs/authentication.md b/docs/authentication.md
index 8812a6fc0..bb27f1716 100644
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -17,7 +17,7 @@ auth.login()
# log out with auth.logout()
```
Setting `skip_tls=True` allows interaction with an HTTPS server bypassing the server certificate checks although this is not secure.
-You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`.
+You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`. Alternatively you can set the environment variable `CF_SDK_CA_CERT_PATH` to the path of your custom certificate.
## Method 2 Kubernetes Config File Authentication (Default location)
If a user has authenticated to their cluster by alternate means e.g. run a login command like `oc login --token= --server=` their kubernetes config file should have updated.
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index 36233a0ed..e22cd8283 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
@@ -81,7 +81,7 @@ def __init__(
token: str,
server: str,
skip_tls: bool = False,
- ca_cert_path: str = None,
+ ca_cert_path: str = "/etc/pki/tls/custom-certs/ca-bundle.crt",
):
"""
Initialize a TokenAuthentication object that requires a value for `token`, the API Token
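Review bot: The new default `ca_cert_path: str = "/etc/pki/tls/custom-certs/ca-bundle.crt"` makes a plain `TokenAuthentication(token=..., server=...)` depend on a file that will only exist on some hosts. With the `login()` change later in this diff, a missing file raises `FileNotFoundError`, where the old `None` default left `ssl_ca_cert` unset and verification still enabled. Callers who hit that error on a workstation are likely to reach for `skip_tls=True`, which is the outcome to avoid. Consider keeping `ca_cert_path: str = None` in the signature and falling back to the well-known path inside `login()` only when `os.path.isfile()` confirms it exists, and describe that fallback in the docstring. The `__init__` body continues outside the hunk.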
@@ -106,10 +106,24 @@ def login(self) -> str:
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = self.server
configuration.api_key["authorization"] = self.token
- if self.skip_tls == False and self.ca_cert_path == None:
+ ca_path_env = os.environ.get("CF_SDK_CA_CERT_PATH", self.ca_cert_path)
+
+ if self.skip_tls == False:
+ if ca_path_env != self.ca_cert_path:
+ self.ca_cert_path = ca_path_env
+
+ if self.ca_cert_path == None:
+ configuration.ssl_ca_cert = None
+ elif os.path.isfile(self.ca_cert_path):
+ print(
+ f"Authenticated with certificate located at {self.ca_cert_path}"
+ )
+ configuration.ssl_ca_cert = self.ca_cert_path
+ else:
+ raise FileNotFoundError(
+ f"Certificate file not found at {self.ca_cert_path}"
+ )
configuration.verify_ssl = True
- elif self.skip_tls == False:
- configuration.ssl_ca_cert = self.ca_cert_path
else:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("Insecure request warnings have been disabled")
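Review bot: `os.environ.get("CF_SDK_CA_CERT_PATH", self.ca_cert_path)` lets the environment variable override a `ca_cert_path` the caller passed explicitly, and the following lines then overwrite `self.ca_cert_path` with it. The trust anchor used to verify the API server can therefore be changed by whatever sets the process environment, without the calling code noticing. If the explicit argument is meant to win, consult the variable only when no path was passed, and state the precedence in the docstring and in docs/authentication.md. The message `Authenticated with certificate located at ...` is printed before any request is made and refers to a CA bundle rather than a credential, so wording such as `Using CA bundle at {self.ca_cert_path} for server certificate verification` would be more accurate. `login()` begins and ends outside the hunk.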
diff --git a/tests/auth-test.crt b/tests/auth-test.crt
new file mode 100644
index 000000000..f470c6326
--- /dev/null
+++ b/tests/auth-test.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/unit_test.py b/tests/unit_test.py
index 53c888889..4aa04d148 100644
--- a/tests/unit_test.py
+++ b/tests/unit_test.py
@@ -123,27 +123,30 @@ def test_token_auth_creation():
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
token_auth = TokenAuthentication(token="token", server="server", skip_tls=True)
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == True
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
token_auth = TokenAuthentication(token="token", server="server", skip_tls=False)
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
token_auth = TokenAuthentication(
- token="token", server="server", skip_tls=False, ca_cert_path="path/to/cert"
+ token="token",
+ server="server",
+ skip_tls=False,
+ ca_cert_path=f"{parent}/tests/auth-test.crt",
)
assert token_auth.token == "token"
assert token_auth.server == "server"
assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == "path/to/cert"
+ assert token_auth.ca_cert_path == f"{parent}/tests/auth-test.crt"
except Exception:
assert 0 == 1
@@ -174,7 +177,15 @@ def test_token_auth_login_tls(mocker):
token="testtoken",
server="testserver:6443",
skip_tls=False,
- ca_cert_path="path/to/cert",
+ ca_cert_path=f"{parent}/tests/auth-test.crt",
+ )
+ assert token_auth.login() == ("Logged into testserver:6443")
+
+ os.environ["CF_SDK_CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
+ token_auth = TokenAuthentication(
+ token="testtoken",
+ server="testserver:6443",
+ skip_tls=False,
)
assert token_auth.login() == ("Logged into testserver:6443")
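Review bot: `os.environ["CF_SDK_CA_CERT_PATH"] = ...` is assigned directly and never removed, so the variable stays set for every test that runs afterwards in the same process and can change which CA bundle their `login()` calls pick up. Since the test already takes `mocker`, `mocker.patch.dict(os.environ, {"CF_SDK_CA_CERT_PATH": f"{parent}/tests/auth-test.crt"})` would scope it to this test. The new `FileNotFoundError` branch and the case where the variable and an explicit `ca_cert_path` disagree are not exercised here. The test function starts outside the hunk.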