optional feature to use aws-lc-rs rustls feature

[mcluseau]

Motivation

Fix #1562 .

Solution

Add a aws-lc-rs option feature and initialize the default CryptoProvider when building a kube::Client from a kube::Config.

[clux]

Thanks a lot for doing this. Looks very sensible. Quick comments. Needs DCO update anyway.

[clux]

minor suggestion

[clux]

All looks good to me, but the --all-features lib tests are complaining, not sure why all features is not calling the provider setup.

[mcluseau]

All looks good to me, but the --all-features lib tests are complaining, not sure why all features is not calling the provider setup.

oidc test is not using Client::try_from, so it's not getting the automatic aws-lc-rs (which is as I intended). I've added the manual setup.

[mcluseau]

upon inspection of the error in kube-client::api::tests::entry_create_missing_object, I realized rustls::crypto::CryptoProvider::install_default sets the value of a once_cell::sync::OnceCell, so it only fails if a value is already there. Which means it's not an error for this usecase. Commented about that, removed the error I created.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.4%. Comparing base (4f78137) to head (893ec15).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##            main   #1568     +/-   ##
=======================================
- Coverage   75.4%   75.4%   -0.0%     
=======================================
  Files         80      80             
  Lines       7290    7284      -6     
=======================================
- Hits        5495    5489      -6     
  Misses      1795    1795             

Files with missing lines	Coverage Δ
kube-client/src/client/auth/oidc.rs	56.5% <100.0%> (+0.3%)	⬆️
kube-client/src/client/builder.rs	59.3% <100.0%> (+1.1%)	⬆️

... and 4 files with indirect coverage changes

[mcluseau]

I've added OpenSSL to the allowed licenses, we should be ok on every test here :)

[clux]

I wouldn't worry about the deny failure, that should be from duplicate dependencies (transitively through the tree) and it's often flagging up things that's hard to do things about. The explicit license allow here I don't think is necessary.

[mcluseau]

OpenSSL appeared in aws-lc-rs-sys's Cargo.toml

error[rejected]: failed to satisfy license requirements
  ┌─ registry+https://github.com/rust-lang/crates.io-index#[email protected]:4:44
  │
4 │ license = "ISC AND (Apache-2.0 OR ISC) AND OpenSSL"
  │            ────────────────────────────────━━━━━━━
  │            │                               │
  │            │                               rejected: license is not explicitly allowed
  │            license expression retrieved via Cargo.toml `license`
  │
  ├ OpenSSL - OpenSSL License:
  ├   - FSF Free/Libre
  ├ aws-lc-sys v0.20.1

[clux]

OpenSSL appeared in aws-lc-rs-sys's Cargo.toml

ew, i see :(

yeah, then your change makes sense here then.

[mcluseau]

here we are, only the duplicate dep error you mentioned remains :)

[clux]

If you have time to make a ignore for it to make the branch green you could just list rustls-native-certs in the deny.toml and it should clean up :-)

[mcluseau]

applied, local test ok now!

$ grep deny justfile 
deny:
  cargo deny --workspace --all-features check bans licenses sources
[nwrk:~/git/gh/kube-rs/kube] fix-1562(+3/-2) ± cargo deny --workspace --all-features check bans licenses sources
warning[license-not-encountered]: license was not encountered
   ┌─ /home/nwrk/git/github/kube-rs/kube/deny.toml:30:6
   │
30 │     "Unicode-3.0",
   │      ━━━━━━━━━━━ unmatched license allowance

bans ok, licenses ok, sources ok

[clux]

TYVM!