Change default TLS stack to rustls-tls
#1261
Signed-off-by: clux <[email protected]>
Signed-off-by: clux <[email protected]>
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## main #1261 +/- ##
==========================================
- Coverage 72.44% 72.30% -0.15%
==========================================
Files 75 75
Lines 6337 6347 +10
==========================================
- Hits 4591 4589 -2
- Misses 1746 1758 +12
Exciting!!
Need to update the README.md
By default openssl is used for TLS, but rustls is supported. To switch, turn off default-features, and enable the rustls-tls feature:
Signed-off-by: clux <[email protected]>
Signed-off-by: Eirik A <[email protected]>
…esent fixes #1275 Signed-off-by: clux <[email protected]>
Getting ready to push this in as it is getting close to release time. Some quick testing on no-tls feature against tls clusters now gives:
maybe that should be promoted to a harder error also, I'll look later. EDIT: ok, this doesn't happen in all cases. On my k3d, where the auth layer is set, we properly get a hard error:
this is testable with turning off rustls + refresh feature in examples/Cargo.toml (but keeping client) but am seeing it on a rancher cluster where the auth is just |
Signed-off-by: clux <[email protected]>
Signed-off-by: clux <[email protected]>
Motivation
Want to encourage the use of the more secure and robust TLS stack by default.
Based on feedback (see e.g. #1192) and personal experience have not seen or heard about any current issues.
The main blocker bug was resolved some months ago
This also allows us to not have a huge windows hack in our windows CI.
Solution
kube/rustls-tls
rustls-tls
As a clean-up while in the area, have also prevented erroneous Client construction on a TLS requiring cluster, when TLS stacks are disabled. That caused an ugly freeze in #1275.
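
The fail-closed construction check described in the clean-up above, as an added sketch that is not kube's own code: connector selection returns a hard error when the endpoint is https and no TLS stack is compiled in, instead of handing back a plaintext connector. All type and function names are hypothetical, the endpoint is a constructed sample, and preferring rustls when both stacks are present is an assumption of this sketch.

```rust
// Added illustration: all names are hypothetical, not kube's API.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum TlsStack { Rustls, OpenSsl }

#[derive(Debug, PartialEq)]
pub enum Connector { Plain, Tls(TlsStack) }

#[derive(Debug, PartialEq)]
pub enum BuildError {
    /// The endpoint needs TLS but no TLS stack was compiled in.
    TlsRequired(String),
    /// The URL has no scheme, or one other than http/https.
    UnsupportedScheme(String),
}

/// Pick a connector for `cluster_url` given the TLS stacks compiled in.
/// Fails closed: an https endpoint never gets a plaintext connector.
pub fn select_connector(cluster_url: &str, compiled: &[TlsStack]) -> Result<Connector, BuildError> {
    let (scheme, _rest) = cluster_url
        .split_once("://")
        .ok_or_else(|| BuildError::UnsupportedScheme(cluster_url.to_string()))?;
    match scheme.to_ascii_lowercase().as_str() {
        "http" => Ok(Connector::Plain),
        "https" => {
            // Assumption of this sketch: prefer rustls when both are present.
            let stack = if compiled.contains(&TlsStack::Rustls) {
                Some(TlsStack::Rustls)
            } else {
                compiled.first().copied()
            };
            // No stack at all: report it at construction time, before any I/O.
            stack
                .map(Connector::Tls)
                .ok_or_else(|| BuildError::TlsRequired(cluster_url.to_string()))
        }
        other => Err(BuildError::UnsupportedScheme(other.to_string())),
    }
}

fn main() {
    // Constructed sample endpoint, not taken from the PR.
    let url = "https://10.0.0.1:6443";
    println!("{:?}", select_connector(url, &[TlsStack::Rustls, TlsStack::OpenSsl]));
    println!("{:?}", select_connector(url, &[]));
}
```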