From 9d9d10b1d0aa330688c799f77eab260f537433f4 Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Sun, 22 Jun 2025 13:28:23 +0100 Subject: [PATCH 1/7] change tls default to v1.3 scalafmt --- discovery-kubernetes-api/src/main/resources/reference.conf | 2 +- lease-kubernetes/src/main/resources/reference.conf | 2 +- .../coordination/lease/kubernetes/KubernetesSettings.scala | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/discovery-kubernetes-api/src/main/resources/reference.conf b/discovery-kubernetes-api/src/main/resources/reference.conf index c5934bb4..e6450a67 100644 --- a/discovery-kubernetes-api/src/main/resources/reference.conf +++ b/discovery-kubernetes-api/src/main/resources/reference.conf @@ -18,7 +18,7 @@ pekko.discovery { api-service-port-env-name = "KUBERNETES_SERVICE_PORT" # the TLS version to use when connecting to the API server - tls-version = "TLSv1.2" + tls-version = "TLSv1.3" # Namespace discovery path # diff --git a/lease-kubernetes/src/main/resources/reference.conf b/lease-kubernetes/src/main/resources/reference.conf index fb36f4ba..7095f91e 100644 --- a/lease-kubernetes/src/main/resources/reference.conf +++ b/lease-kubernetes/src/main/resources/reference.conf @@ -46,7 +46,7 @@ pekko.coordination.lease.kubernetes { secure-api-server = true # the TLS version to use when connecting to the API server - tls-version = "TLSv1.2" + tls-version = "TLSv1.3" # The amount of time to wait for a lease to be acquired or released. This includes all requests to the API # server that are required. If this timeout is hit then the lease *may* be taken due to the response being lost diff --git a/lease-kubernetes/src/main/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettings.scala b/lease-kubernetes/src/main/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettings.scala index 74c956b4..c22309be 100644 --- a/lease-kubernetes/src/main/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettings.scala 
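Review bot: Changing the default to `tls-version = "TLSv1.3"` silently raises the runtime floor for every consumer, and the comment above it still says nothing about what happens on a JVM or against an API server that cannot negotiate 1.3 (JDK 8 before 8u261 has no TLS 1.3, and the integration-test image is moved from temurin 8 to 17 later in this series, which suggests exactly that was hit). Extend the comment, e.g. `# the TLS version to use when connecting to the API server; "TLSv1.3" needs a JDK with TLS 1.3 support — set "TLSv1.2" if the API server or a proxy in front of it only negotiates 1.2`. How `tls-version` is consumed is not in this diff; if it ends up in `SSLContext.getInstance(tlsVersion)` rather than `SSLEngine.setEnabledProtocols`, the JDK context will still offer TLSv1.2 and the setting is a ceiling rather than a floor, which the comment should also make clear. The same applies to the identical hunk in the lease-kubernetes reference.conf below it.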
+++ b/lease-kubernetes/src/main/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettings.scala @@ -81,5 +81,5 @@ private[pekko] class KubernetesSettings( val namespacePath: String, val apiServerRequestTimeout: FiniteDuration, val secure: Boolean = true, - val tlsVersion: String = "TLSv1.2", + val tlsVersion: String = "TLSv1.3", val bodyReadTimeout: FiniteDuration = 1.second) From f3ffe34f07901c8c2d6057d144a1493698f9588e Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Tue, 24 Jun 2025 10:52:13 +0100 Subject: [PATCH 2/7] try to get pekko-remote TLSActor to use TLSv1.3 to match --- .../src/main/resources/reference.conf | 12 ++++++++++++ lease-kubernetes/src/main/resources/reference.conf | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/discovery-kubernetes-api/src/main/resources/reference.conf b/discovery-kubernetes-api/src/main/resources/reference.conf index e6450a67..1e4a8b5d 100644 --- a/discovery-kubernetes-api/src/main/resources/reference.conf +++ b/discovery-kubernetes-api/src/main/resources/reference.conf @@ -50,3 +50,15 @@ pekko.discovery { http-request-accept-encoding = "" } } + +pekko.remote.artery { + # the default transport + transport = tls-tcp + + ssl.config-ssl-engine { + # must match the TLS version used in the Kubernetes discovery config above + protocol = "TLSv1.3" + # the algorithms to use for the TLS connection (must be appropriate for the TLS version) + enabled-algorithms = [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" ] + } +} \ No newline at end of file diff --git a/lease-kubernetes/src/main/resources/reference.conf b/lease-kubernetes/src/main/resources/reference.conf index 7095f91e..0ee9adff 100644 --- a/lease-kubernetes/src/main/resources/reference.conf +++ b/lease-kubernetes/src/main/resources/reference.conf 
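Review bot: The constructor default `val tlsVersion: String = "TLSv1.3"` is now the third copy of this value (two reference.conf files plus this parameter), and the three can drift apart on the next change without any test noticing, since KubernetesSettingsSpec only checks the config path. Consider a single named constant in the companion, e.g. `val DefaultTlsVersion = "TLSv1.3"`, used both as this default argument and as the expected value in the spec. The class header and the remaining constructor parameters are outside the hunk.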
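Review bot: Putting `pekko.remote.artery { transport = tls-tcp ... }` in this module's reference.conf changes Artery's transport default for every application that has discovery-kubernetes-api on its classpath, not only for this library's own connections — reference.conf files are merged across all jars, so a consumer running plain `tcp` or `aeron-udp` would find remoting switched to TLS (and failing without key stores configured) after a dependency bump, and the merge order between two jars that both set this key is not defined. The comment `must match the TLS version used in the Kubernetes discovery config above` also couples two unrelated connections: the Kubernetes API client and node-to-node remoting talk to different peers and have no reason to share a protocol version, and an operator who drops `tls-version` to 1.2 for an older API server would not expect remoting to be affected. If the goal is a TLS 1.3 remoting setup for the integration test, this block belongs in that test's application.conf; a library reference.conf should only define keys under its own `pekko.discovery` namespace. The commit subject itself describes this as an attempt ("try to get pekko-remote TLSActor to use TLSv1.3"), so it should not ship as a default.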
@@ -53,3 +53,15 @@ pekko.coordination.lease.kubernetes { # on the way back from the API server but will be reported as not taken and can be safely retried. lease-operation-timeout = 5s } + +pekko.remote.artery { + # the default transport + transport = tls-tcp + + ssl.config-ssl-engine { + # must match the TLS version used in the Kubernetes lease config above + protocol = "TLSv1.3" + # the algorithms to use for the TLS connection (must be appropriate for the TLS version) + enabled-algorithms = [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" ] + } +} From b69e95a50e477f713c4631ab796cc2bf614a445b Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Tue, 24 Jun 2025 11:01:56 +0100 Subject: [PATCH 3/7] debug --- .../src/main/resources/reference.conf | 2 +- .../kubernetes/KubernetesApiServiceDiscovery.scala | 11 ++++++++++- .../pekko/discovery/kubernetes/SettingsSpec.scala | 8 ++++---- .../lease/kubernetes/KubernetesSettingsSpec.scala | 6 +++--- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/discovery-kubernetes-api/src/main/resources/reference.conf b/discovery-kubernetes-api/src/main/resources/reference.conf index 1e4a8b5d..9a9b0231 100644 --- a/discovery-kubernetes-api/src/main/resources/reference.conf +++ b/discovery-kubernetes-api/src/main/resources/reference.conf @@ -61,4 +61,4 @@ pekko.remote.artery { # the algorithms to use for the TLS connection (must be appropriate for the TLS version) enabled-algorithms = [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" ] } -} \ No newline at end of file +} diff --git a/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala b/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala index 0bace9b5..1dae25c7 100644 --- a/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala 
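Review bot: `enabled-algorithms = [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" ]` lists only TLS 1.3 suites, so combined with `protocol = "TLSv1.3"` there is nothing to negotiate on a JDK without TLS 1.3 (JDK 8 before 8u261): every remoting handshake fails outright rather than degrading to 1.2, and because this sits in the library's reference.conf that failure is delivered to every consumer of lease-kubernetes, not just this module. The pekko-remote default suite list is replaced without a comment saying why, and `must match the TLS version used in the Kubernetes lease config above` is misleading because the lease client's API-server TLS and Artery's remoting TLS are separate connections with separate peers. If this block is kept at all, move it to an application.conf for the integration test and state the JDK requirement in the comment instead of the "must match" claim.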
+++ b/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala @@ -143,7 +143,16 @@ class KubernetesApiServiceDiscovery(settings: Settings)( podRequest(apiToken, podNamespace, labelSelector), s"Unable to form request; check Kubernetes environment (expecting env vars ${settings.apiServiceHostEnvName}, ${settings.apiServicePortEnvName})") - response <- http.singleRequest(request, clientSslContext).map(decodeResponse) + response <- { + val f = http.singleRequest(request, clientSslContext) + f.onComplete { + case scala.util.Failure(exception) => + log.error(exception, "Lookup failed to communicate with Kubernetes API server.") + case scala.util.Success(_) => + log.info("Lookup successfully communicated with Kubernetes API server.") + } + f.map(decodeResponse) + } entity <- response.entity.toStrict(resolveTimeout) diff --git a/discovery-kubernetes-api/src/test/scala/org/apache/pekko/discovery/kubernetes/SettingsSpec.scala b/discovery-kubernetes-api/src/test/scala/org/apache/pekko/discovery/kubernetes/SettingsSpec.scala index 24d8c055..cbfa1346 100644 --- a/discovery-kubernetes-api/src/test/scala/org/apache/pekko/discovery/kubernetes/SettingsSpec.scala +++ b/discovery-kubernetes-api/src/test/scala/org/apache/pekko/discovery/kubernetes/SettingsSpec.scala @@ -26,11 +26,11 @@ import org.scalatest.wordspec.AnyWordSpec class SettingsSpec extends AnyWordSpec with Matchers { "Settings" should { - "default tls-version to v1.2" in { + "default tls-version to v1.3" in { val system = ActorSystem("test") try { val settings = Settings(system) - settings.tlsVersion shouldBe "TLSv1.2" + settings.tlsVersion shouldBe "TLSv1.3" } finally { system.terminate() } 
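Review bot: The new `f.onComplete` logs every successful lookup at `info` and every failure at `error`, in a change the commit subject itself calls `debug`; lookups run on each discovery resolve, so the success line is steady-state noise, and the failed future still propagates through the for-comprehension, so the same exception will most likely be reported a second time by whatever handles the failed lookup. Keep the success line at `log.debug` and either drop the `Failure` branch or lower it to `log.debug` as well, e.g. `case scala.util.Success(_) => log.debug("Lookup successfully communicated with Kubernetes API server.")`. The enclosing for-comprehension starts and ends outside the hunk, and the callback runs on whichever implicit ExecutionContext is in scope there, which is not visible here.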
@@ -38,13 +38,13 @@ class SettingsSpec extends AnyWordSpec with Matchers { "support tls-version override" in { val config = ConfigFactory.parseString(""" pekko.discovery.kubernetes-api { - tls-version = "TLSv1.3" + tls-version = "TLSv1.2" } """) val system = ActorSystem("test", config) try { val settings = Settings(system) - settings.tlsVersion shouldBe "TLSv1.3" + settings.tlsVersion shouldBe "TLSv1.2" } finally { system.terminate() } diff --git a/lease-kubernetes/src/test/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettingsSpec.scala b/lease-kubernetes/src/test/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettingsSpec.scala index 9a8d853c..a3cba3fe 100644 --- a/lease-kubernetes/src/test/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettingsSpec.scala +++ b/lease-kubernetes/src/test/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettingsSpec.scala @@ -41,11 +41,11 @@ class KubernetesSettingsSpec extends AnyWordSpec with Matchers { api-server-request-timeout=4s """.stripMargin).apiServerRequestTimeout shouldEqual 4.seconds } - "default tls-version to v1.2" in { - conf("").tlsVersion shouldEqual "TLSv1.2" + "default tls-version to v1.3" in { + conf("").tlsVersion shouldEqual "TLSv1.3" } "support tls-version override" in { - conf("tls-version=TLSv1.3").tlsVersion shouldEqual "TLSv1.3" + conf("tls-version=TLSv1.2").tlsVersion shouldEqual "TLSv1.2" } "not allow server request timeout greater than operation timeout" in { intercept[IllegalArgumentException] { From 6b6a1414e6c6d1104ab77c1189b20462aec72187 Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Tue, 24 Jun 2025 20:48:56 +0100 Subject: [PATCH 4/7] Update KubernetesApiServiceDiscovery.scala --- .../discovery/kubernetes/KubernetesApiServiceDiscovery.scala | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala b/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala index 1dae25c7..0469ec1a 100644 --- a/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala +++ b/discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala @@ -147,9 +147,9 @@ class KubernetesApiServiceDiscovery(settings: Settings)( val f = http.singleRequest(request, clientSslContext) f.onComplete { case scala.util.Failure(exception) => - log.error(exception, "Lookup failed to communicate with Kubernetes API server.") + log.error(exception, s"Lookup failed to communicate with Kubernetes API server (${request.uri}).") case scala.util.Success(_) => - log.info("Lookup successfully communicated with Kubernetes API server.") + log.info(s"Lookup successfully communicated with Kubernetes API server (${request.uri}).") } f.map(decodeResponse) } From 3b134bffdc97b92058d8cf73fd6e218eb09f125c Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Tue, 24 Jun 2025 21:03:06 +0100 Subject: [PATCH 5/7] Update pom.xml --- integration-test/kubernetes-api-java/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-test/kubernetes-api-java/pom.xml b/integration-test/kubernetes-api-java/pom.xml index 2d90063f..473a402d 100644 --- a/integration-test/kubernetes-api-java/pom.xml +++ b/integration-test/kubernetes-api-java/pom.xml @@ -145,7 +145,7 @@ /bin/sh -c - java -jar /maven/integration-test-kubernetes-api-java-allinone.jar + java -Djavax.net.debug=all -jar /maven/integration-test-kubernetes-api-java-allinone.jar From 041b89afaff687e1969ce1020cc00d235131fb2d Mon Sep 17 00:00:00 2001 
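Review bot: Interpolating `${request.uri}` into both log lines writes the full API-server URL, query string included, to the logs; the previous patch shows `podRequest(apiToken, podNamespace, labelSelector)` has the token in hand when the request is built but not where it puts it, so confirm the token travels in an `Authorization` header (the usual Kubernetes API convention) and never in the query before logging the whole `Uri`. If that cannot be guaranteed from the `podRequest` implementation, log only the authority and path, e.g. `log.error(exception, s"Lookup failed to communicate with Kubernetes API server (${request.uri.authority}${request.uri.path}).")`. Both lines also remain at `info`/`error` for what the series describes as debugging, so `debug` would fit better. The enclosing for-comprehension is outside the hunk.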
From: PJ Fanning Date: Tue, 24 Jun 2025 21:26:10 +0100 Subject: [PATCH 6/7] Update pom.xml --- integration-test/kubernetes-api-java/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-test/kubernetes-api-java/pom.xml b/integration-test/kubernetes-api-java/pom.xml index 473a402d..675eb3e3 100644 --- a/integration-test/kubernetes-api-java/pom.xml +++ b/integration-test/kubernetes-api-java/pom.xml @@ -135,7 +135,7 @@ integration-test-kubernetes-api:1.3.3.7 - eclipse-temurin:8-jre-alpine + eclipse-temurin:17-jre-alpine 8080 7626 From 52dacc3708dd82676bfd84557808c0e794646118 Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Tue, 24 Jun 2025 21:41:43 +0100 Subject: [PATCH 7/7] Update pom.xml --- integration-test/kubernetes-api-java/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-test/kubernetes-api-java/pom.xml b/integration-test/kubernetes-api-java/pom.xml index 675eb3e3..a830707e 100644 --- a/integration-test/kubernetes-api-java/pom.xml +++ b/integration-test/kubernetes-api-java/pom.xml @@ -145,7 +145,7 @@ /bin/sh -c - java -Djavax.net.debug=all -jar /maven/integration-test-kubernetes-api-java-allinone.jar + java -jar /maven/integration-test-kubernetes-api-java-allinone.jar