What happened (please include outputs or screenshots):

When I callconfig.load_kube_config() it bombs out loading the config when i have an OIDC auth method that talks to a host using a publicly signed cert

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='my.hostname.com', port=443): Max retries exceeded with url: /auth/idp/k8sIdp/.well-known/openid-configuration (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4149)')))

What you expected to happen:

No error should occur, the config works with every other client that I use it with, including kubectl.

How to reproduce it (as minimally and precisely as possible):

- name: username  user:    auth-provider:      config:        client-id: kubernetes        client-secret: ''        id-token: <redacted>        idp-certificate-authority-data: ""        idp-issuer-url: https://my.hostname.com/auth/idp/k8sIdp        refresh-token: <redacted>      name: oidc

Anything else we need to know?:

The problem is in this method:

The code finds that theidp-certificate-authority-data key exists, and tries to use it even though it is empty.... but furthermore, even if you were to remove that line, that would cause it to fall down to disable the ssl check!! This should not happen. It should fall back to using the system default public CA bundle.

If I setidp-certificate-authority: /etc/ssl/certs/ca-certificates.crt then it works, but that is brittle since not every system will have the same setup and it should just fall back to system defaults anyway.

Environment:

• Kubernetes version (kubectl version):
  Client Version: v1.32.1
  Kustomize Version: v5.5.0
  Server Version: v1.31.3

• OS (e.g., MacOS 10.13.6): Docker image python:3.11

• Python version (python --version): Python 3.11.11

• Python client version (pip list | grep kubernetes): 32.0.0