Make tls features additive #383
Conversation
Turns out, |
comments
Native, | ||
/// Use `openssl` | ||
#[cfg(feature = "rustls-tls")] | ||
Rustls, |
comments here are switched around
/// Creates a TLS backend. | ||
/// This function only works when exactly one backend | ||
/// was configured, otherwise it will panic. This function | ||
/// is only intended to use in tests. |
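Review bot: the last doc sentence says the function "is only intended to use in tests", yet nothing in the hunk restricts it to tests (no `#[cfg(test)]`, no `#[doc(hidden)]`), so it ships as ordinary public API; either enforce that intent with such an attribute or, if it is meant to be the default way to pick a backend, drop the sentence and document the selection rule instead. Minor wording: "intended for use in tests".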
This seems to be used in examples as a main interface contrary to this comment.
return Tls::Native; | ||
#[cfg(feature = "rustls-tls")] | ||
return Tls::Rustls; | ||
unreachable!() |
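Review bot: the selection is order-dependent and does not match the documented "otherwise it will panic": when both backends are enabled, `return Tls::Native;` is reached first and the rustls `return` plus the `unreachable!()` become dead code, so the function silently prefers Native rather than panicking; when neither is enabled, the mismatch only surfaces as a runtime panic. Consider a compile-time guard for the "no backend" case, e.g. `#[cfg(not(any(feature = "rustls-tls", feature = "<native feature>")))] compile_error!("enable at least one TLS backend");`, and document (or make explicit) which backend wins when both are enabled.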
Because this is an interface for Client
construction, this effectively pushes a compile time error to a runtime error?
@@ -72,8 +67,8 @@ impl Client { | |||
/// | |||
/// If you already have a [`Config`] then use [`Client::try_from`](Self::try_from) | |||
/// instead | |||
pub async fn try_default() -> Result<Self> { | |||
let client_config = Config::infer().await?; | |||
pub async fn try_default(tls: Tls) -> Result<Self> { |
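Review bot: the doc comment directly above the signature still only points at `Client::try_from` for the `Config` case and says nothing about the new `tls: Tls` parameter or what a caller should pass; since every existing `Client::try_default()` call breaks with this change, either document the parameter here or keep the zero-argument `try_default()` and add a separate constructor, say `try_default_with(tls)`, that takes the backend explicitly.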
Having an argument to try_default
makes it no longer a default.
This is an interesting one, thanks for doing this. I like the way this factors out tls into its own module, it was starting to grow infect a lot of other files. I am a bit on the fence of the |
One point here: having this be a non-additive feature gave us a guarantee that you only got one of the TLS stacks into the dependency trees if it built. In an additive mode, we run the risk of multiple kube uses in various |
Regarding
Well, I don't consider it to be a risk :) The situation when several TLS stacks are being pulled is not OK, but it still works. |
To be honest, I don't really see the point of the current selection mechanism. Of the two provided backends, Rustls is generally better (supports more modern features like HTTP/2, is more consistent across platforms, and is arguably more trustworthy because more of it is auditable and Rust). If we want to have an escape hatch for when that might not work (which I'd kind of agree with), then IMO that should be something more open-ended, like Hyper's
IMO, this is really a con of the current approach. Library crates that depend on |
Anyway, this PR is blocked on the |
Yes, I agree, and hope that we can move towards rustls as a general rust default in the future, but due to bugs like #153, it's not* really viable to drop openssl. Also a bit hesitant to be the first mover on such a change. @MikailBag : While Closing for now, but feel free to re-open to discuss further. |
Yeah, we're already using it internally in

```rust
let connector = ServiceBuilder::new().layer(timeout).service(https); // Connect
let client: HyperClient<_, Body> = HyperClient::builder().build(connector);
```

In the future, after figuring out how to let users compose layers nicely, we can optionally let users use custom |
Changes: create an enum with available TLS backends. Library user explicitly chooses it and passes it to kube.
Draft: I haven't updated reqwest & websocket creation code yet.