project-codeflare · openshift-merge-bot · May 23, 2024 · Mar 22, 2024 · May 13, 2024 · May 15, 2024
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -17,7 +17,7 @@ auth.login()
 # log out with auth.logout()
 ```
 Setting `skip_tls=True` allows interaction with an HTTPS server bypassing the server certificate checks although this is not secure.<br>
-You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`.
+You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`. Alternatively you can set the environment variable `CF_SDK_CA_CERT_PATH` to the path of your custom certificate.
 
 ## Method 2 Kubernetes Config File Authentication (Default location)
 If a user has authenticated to their cluster by alternate means e.g. run a login command like `oc login --token=<token> --server=<server>` their kubernetes config file should have updated.<br>

diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
@@ -32,6 +32,8 @@
 global config_path
 config_path = None
 
+WORKBENCH_CA_CERT_PATH = "/etc/pki/tls/custom-certs/ca-bundle.crt"
+
 
 class Authentication(metaclass=abc.ABCMeta):
     """
@@ -91,7 +93,17 @@ def __init__(
         self.token = token
         self.server = server
         self.skip_tls = skip_tls
-        self.ca_cert_path = ca_cert_path
+        self.ca_cert_path = self._gen_ca_cert_path(ca_cert_path)
+
+    def _gen_ca_cert_path(self, ca_cert_path: str):
+        if ca_cert_path is not None:
+            return ca_cert_path
+        elif "CF_SDK_CA_CERT_PATH" in os.environ:
+            return os.environ.get("CF_SDK_CA_CERT_PATH")
+        elif os.path.exists(WORKBENCH_CA_CERT_PATH):
+            return WORKBENCH_CA_CERT_PATH
+        else:
+            return None
 
     def login(self) -> str:
         """
@@ -106,10 +118,20 @@ def login(self) -> str:
             configuration.api_key_prefix["authorization"] = "Bearer"
             configuration.host = self.server
             configuration.api_key["authorization"] = self.token
-            if self.skip_tls == False and self.ca_cert_path == None:
+
+            if not self.skip_tls:
+                if self.ca_cert_path is None:
+                    configuration.ssl_ca_cert = None
+                elif os.path.isfile(self.ca_cert_path):
+                    print(
+                        f"Authenticated with certificate located at {self.ca_cert_path}"
+                    )
+                    configuration.ssl_ca_cert = self.ca_cert_path
+                else:
+                    raise FileNotFoundError(
+                        f"Certificate file not found at {self.ca_cert_path}"
+                    )
                 configuration.verify_ssl = True
-            elif self.skip_tls == False:
-                configuration.ssl_ca_cert = self.ca_cert_path
             else:
                 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
                 print("Insecure request warnings have been disabled")

diff --git a/tests/auth-test.crt b/tests/auth-test.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOTCCAiGgAwIBAgIUENjaZDrvhc5uV3j7GI8deZJwc+YwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MTMxMTE1NDZaFw0yNTA1
+MTMxMTE1NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDEYYk81jvPijZXXeI9cByf5EIbOVaBTH7I51J9EKG5
+Y/KRXI43WgvVEiZ3jP8LJnSD79WhBiL6TgadQZje5ndroRYDM9vyqz1OUZapnOO+
+yzl01y/qSsH8Kn88eLAzkE9HSu4QN9PuJtySyksjDFQJ6kjyE8ZHUSorur0FlLLf
+IToFgTuaIPDYjvFRchOCfZ7sV/MF7LxqFfFnaWOYvH41ZdvqJiRcVsMi+mYs9/I/
+I72IMXwVnQDVnK8H84ntEmHNN6NoVuMKla0So4/wKcHJSCgS3axLI2Ka2aaaJo9K
+l2cn21NOyodF+DaSFy7qaGRXxoTQ2k9tUrSvxkBJvRmBAgMBAAGjITAfMB0GA1Ud
+DgQWBBRTK8mO5XMcmR+Xg/PVNFnvz4eubDANBgkqhkiG9w0BAQsFAAOCAQEAlZva
+6ws3zRff7u0tWT2JJaE1uPqsuAdHtVvEyAMp2QvYfyrgADTroUTaSU4p6ppX/t7v
+ynHhuzR6UOVkuY0/CH1P3UUGrEPNOXT8i2BDwL+j4y2K2aRN8zU0Nu/IVePBhu+4
+Jdt+3P7/MuwiCON5JukgxUYlQKhVhzFj7GOd2+Ca+fh8Siq3tkWDSN54+90fgylQ
++74Yfya1NVabpzLqP3Isqu2XQhEVaBFvj8Yu0h83e3D8LeQToC3mVMF4yy5BZ9Ty
+K66YGlGQgszWEUFPEdsB8Dj/iJMhkWXuyc3u/w0s3t7rXeMYYgr+xrEeK+g0oyB5
+xeZuMjd567Znmu5oMw==
+-----END CERTIFICATE-----
diff --git a/tests/unit_test.py b/tests/unit_test.py
@@ -131,19 +131,24 @@ def test_token_auth_creation():
         assert token_auth.skip_tls == True
         assert token_auth.ca_cert_path == None
 
+        os.environ["CF_SDK_CA_CERT_PATH"] = f"/etc/pki/tls/custom-certs/ca-bundle.crt"
         token_auth = TokenAuthentication(token="token", server="server", skip_tls=False)
         assert token_auth.token == "token"
         assert token_auth.server == "server"
         assert token_auth.skip_tls == False
-        assert token_auth.ca_cert_path == None
+        assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
+        os.environ.pop("CF_SDK_CA_CERT_PATH")
 
         token_auth = TokenAuthentication(
-            token="token", server="server", skip_tls=False, ca_cert_path="path/to/cert"
+            token="token",
+            server="server",
+            skip_tls=False,
+            ca_cert_path=f"{parent}/tests/auth-test.crt",
         )
         assert token_auth.token == "token"
         assert token_auth.server == "server"
         assert token_auth.skip_tls == False
-        assert token_auth.ca_cert_path == "path/to/cert"
+        assert token_auth.ca_cert_path == f"{parent}/tests/auth-test.crt"
 
     except Exception:
         assert 0 == 1
@@ -174,7 +179,15 @@ def test_token_auth_login_tls(mocker):
         token="testtoken",
         server="testserver:6443",
         skip_tls=False,
-        ca_cert_path="path/to/cert",
+        ca_cert_path=f"{parent}/tests/auth-test.crt",
+    )
+    assert token_auth.login() == ("Logged into testserver:6443")
+
+    os.environ["CF_SDK_CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
+    token_auth = TokenAuthentication(
+        token="testtoken",
+        server="testserver:6443",
+        skip_tls=False,
     )
     assert token_auth.login() == ("Logged into testserver:6443")
 
@@ -301,7 +314,16 @@ def get_local_queue(group, version, namespace, plural):
                     "namespace": "ns",
                 },
                 "spec": {"clusterQueue": "cluster-queue"},
-            }
+            },
+            {
+                "apiVersion": "kueue.x-k8s.io/v1beta1",
+                "kind": "LocalQueue",
+                "metadata": {
+                    "name": "team-a-queue",
+                    "namespace": "ns",
+                },
+                "spec": {"clusterQueue": "team-a-queue"},
+            },
         ],
         "kind": "LocalQueueList",
         "metadata": {"continue": "", "resourceVersion": "2266811"},