From 573cb958d7fa92d89eba3443208ac6708e0ae23a Mon Sep 17 00:00:00 2001
From: Michael Ruoss
Date: Sat, 23 Dec 2023 20:43:10 +0100
Subject: [PATCH] use cacertfile instead of cacerts option
---
 CHANGELOG.md | 4 +++
 lib/flame_k8s_backend.ex | 4 +--
 lib/flame_k8s_backend/k8s_client.ex | 45 +++++++++--------------------
 3 files changed, 20 insertions(+), 33 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1a6aa2e..73f3845 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+### Changed
+
+- Use `:cacertfile` insead of `:cacerts` in `:transport_options` and let the OTP process the certificate - [#8](https://github.com/mruoss/flame_k8s_backend/pull/8)
+
 ## [0.3.0] - 2023-12-19
diff --git a/lib/flame_k8s_backend.ex b/lib/flame_k8s_backend.ex
index 3b882b6..8b1f86d 100644
--- a/lib/flame_k8s_backend.ex
+++ b/lib/flame_k8s_backend.ex
@@ -202,7 +202,7 @@ defmodule FLAMEK8sBackend do
 |> FLAME.Parent.new(self(), __MODULE__)
 |> FLAME.Parent.encode()
- {:ok, req} = K8sClient.connect()
+ req = K8sClient.connect()
 case K8sClient.get_pod(req, System.get_env("POD_NAMESPACE"), System.get_env("POD_NAME")) do
 {:ok, base_pod} ->
@@ -247,7 +247,7 @@ defmodule FLAMEK8sBackend do
 @impl true
 def system_shutdown() do
 # This is not very nice but I don't have the opts on the runner
- {:ok, req} = K8sClient.connect()
+ req = K8sClient.connect()
 namespace = System.get_env("POD_NAMESPACE")
 name = System.get_env("POD_NAME")
 K8sClient.delete_pod!(req, namespace, name)
diff --git a/lib/flame_k8s_backend/k8s_client.ex b/lib/flame_k8s_backend/k8s_client.ex
index 0adeda4..9490876 100644
--- a/lib/flame_k8s_backend/k8s_client.ex
+++ b/lib/flame_k8s_backend/k8s_client.ex
@@ -10,27 +10,22 @@ defmodule FLAMEK8sBackend.K8sClient do
 token_path = Path.join(@sa_token_path, "token")
 apiserver_host = System.get_env("KUBERNETES_SERVICE_HOST")
 apiserver_port = System.get_env("KUBERNETES_SERVICE_PORT_HTTPS")
-
- with {:ok, token} <- File.read(token_path),
- {:ok, ca_cert_raw} <- File.read(ca_cert_path),
- {:ok, ca_cert} <- cert_from_pem(ca_cert_raw) do
- req =
- Req.new(
- base_url: "https://#{apiserver_host}:#{apiserver_port}",
- headers: [{:Authorization, "Bearer #{token}"}],
- connect_options: [
- transport_opts: [
- cacerts: [ca_cert],
- customize_hostname_check: [match_fun: &check_ips_as_dns_id/2]
- ]
+ token = File.read!(token_path)
+
+ req =
+ Req.new(
+ base_url: "https://#{apiserver_host}:#{apiserver_port}",
+ headers: [{:Authorization, "Bearer #{token}"}],
+ connect_options: [
+ transport_opts: [
+ cacertfile: String.to_charlist(ca_cert_path),
+ customize_hostname_check: [match_fun: &check_ips_as_dns_id/2]
 ]
- )
- |> Req.Request.append_response_steps(verify_2xs: &verify_2xs/1)
+ ]
+ )
+ |> Req.Request.append_response_steps(verify_2xs: &verify_2xs/1)
- {:ok, req}
- else
- error -> error
- end
+ req
 end
 def get_pod!(req, namespace, name) do
@@ -67,18 +62,6 @@ defmodule FLAMEK8sBackend.K8sClient do
 end
 end
- defp cert_from_pem(cert_data) do
- cert_data
- |> :public_key.pem_decode()
- |> Enum.find_value(fn
- {:Certificate, data, _} ->
- {:ok, data}
-
- _ ->
- {:error, "Certificate data is missing"}
- end)
- end
-
 defp verify_2xs({request, response}) do
 if response.status in 200..299 do
 {request, response}
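Review bot: The new `transport_opts` (the added `cacertfile:` and `customize_hostname_check:` lines) never set `verify: :verify_peer`, so whether the cluster CA is actually enforced rests on Req/Mint's default; since this request carries the service-account bearer token to the API server, I would pin it explicitly with `verify: :verify_peer,` next to `cacertfile:`, and note in a comment that `match_fun: &check_ips_as_dns_id/2` replaces OTP's default hostname check entirely (that function is defined outside this hunk, so its strictness is what bounds the check). The failure mode also moved: a missing or unreadable `ca.crt` is no longer caught in `connect/0` but surfaces as an `:ssl` option/handshake error on the first request (fails closed, which is fine, but harder to diagnose), while a missing token now raises through `File.read!/1`. Because `connect/0` also changed from returning `{:ok, req}` to returning the `Req.Request` struct directly, that return-type change deserves a line in the CHANGELOG's Changed entry alongside the `:cacertfile` note. A one-line comment above `cacertfile:` would help future readers: `# Let OTP's :ssl read and parse the PEM bundle (every CA in ca.crt) instead of extracting a single certificate ourselves`.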