Concatenate SSL CAs before encoding

Otherwise you can end up with `==` padding in the middle of the encoded secret data, which is invalid base64.
jupyterhub · Mar 28, 2024 · 2b95b13 · 2b95b13
1 parent 1174a00
commit 2b95b13
Showing 1 changed file with 3 additions and 8 deletions.
diff --git a/kubespawner/objects.py b/kubespawner/objects.py
@@ -1014,16 +1014,11 @@ def make_secret(
         encoded = base64.b64encode(file.read().encode("utf-8"))
         secret.data['ssl.crt'] = encoded.decode("utf-8")
 
-    with open(cert_paths['cafile']) as file:
-        encoded = base64.b64encode(file.read().encode("utf-8"))
+    with open(cert_paths['cafile']) as ca_file, open(hub_ca) as hub_ca_file:
+        cas = ca_file.read().strip("\n") + "\n" + hub_ca_file.read()
+        encoded = base64.b64encode(cas.encode("utf-8"))
         secret.data["notebooks-ca_trust.crt"] = encoded.decode("utf-8")
 
-    with open(hub_ca) as file:
-        encoded = base64.b64encode(file.read().encode("utf-8"))
-        secret.data["notebooks-ca_trust.crt"] = secret.data[
-            "notebooks-ca_trust.crt"
-        ] + encoded.decode("utf-8")
-
     return secret