change tls default to v1.3

discovery-kubernetes-api/src/main/resources/reference.conf

@@ -18,7 +18,7 @@ pekko.discovery {
     api-service-port-env-name = "KUBERNETES_SERVICE_PORT"
 
     # the TLS version to use when connecting to the API server
-    tls-version = "TLSv1.2"
+    tls-version = "TLSv1.3"
 
     # Namespace discovery path
     #
@@ -50,3 +50,15 @@ pekko.discovery {
     http-request-accept-encoding = ""
   }
 }
+
+pekko.remote.artery {
+  # the default transport
+  transport = tls-tcp
+
+  ssl.config-ssl-engine {
+    # must match the TLS version used in the Kubernetes discovery config above
+    protocol = "TLSv1.3"
+    # the algorithms to use for the TLS connection (must be appropriate for the TLS version)
+    enabled-algorithms = [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" ]
+  }
+}

discovery-kubernetes-api/src/main/scala/org/apache/pekko/discovery/kubernetes/KubernetesApiServiceDiscovery.scala

@@ -143,7 +143,16 @@ class KubernetesApiServiceDiscovery(settings: Settings)(
         podRequest(apiToken, podNamespace, labelSelector),
         s"Unable to form request; check Kubernetes environment (expecting env vars ${settings.apiServiceHostEnvName}, ${settings.apiServicePortEnvName})")
 
-      response <- http.singleRequest(request, clientSslContext).map(decodeResponse)
+      response <- {
+        val f = http.singleRequest(request, clientSslContext)
+        f.onComplete {
+          case scala.util.Failure(exception) =>
+            log.error(exception, s"Lookup failed to communicate with Kubernetes API server (${request.uri}).")
+          case scala.util.Success(_) =>
+            log.info(s"Lookup successfully communicated with Kubernetes API server (${request.uri}).")
+        }
+        f.map(decodeResponse)
+      }
 
       entity <- response.entity.toStrict(resolveTimeout)
 

discovery-kubernetes-api/src/test/scala/org/apache/pekko/discovery/kubernetes/SettingsSpec.scala

@@ -26,25 +26,25 @@ import org.scalatest.wordspec.AnyWordSpec
 class SettingsSpec extends AnyWordSpec with Matchers {
 
   "Settings" should {
-    "default tls-version to v1.2" in {
+    "default tls-version to v1.3" in {
       val system = ActorSystem("test")
       try {
         val settings = Settings(system)
-        settings.tlsVersion shouldBe "TLSv1.2"
+        settings.tlsVersion shouldBe "TLSv1.3"
       } finally {
         system.terminate()
       }
     }
     "support tls-version override" in {
       val config = ConfigFactory.parseString("""
         pekko.discovery.kubernetes-api {
-          tls-version = "TLSv1.3"
+          tls-version = "TLSv1.2"
         }
       """)
       val system = ActorSystem("test", config)
       try {
         val settings = Settings(system)
-        settings.tlsVersion shouldBe "TLSv1.3"
+        settings.tlsVersion shouldBe "TLSv1.2"
       } finally {
         system.terminate()
       }

integration-test/kubernetes-api-java/pom.xml

@@ -135,7 +135,7 @@
             <image>
               <name>integration-test-kubernetes-api:1.3.3.7</name>
               <build>
-                <from>eclipse-temurin:8-jre-alpine</from>
+                <from>eclipse-temurin:17-jre-alpine</from>
                 <ports>
                   <port>8080</port>
                   <port>7626</port>

lease-kubernetes/src/main/resources/reference.conf

@@ -46,10 +46,22 @@ pekko.coordination.lease.kubernetes {
     secure-api-server = true
 
     # the TLS version to use when connecting to the API server
-    tls-version = "TLSv1.2"
+    tls-version = "TLSv1.3"
 
     # The amount of time to wait for a lease to be acquired or released. This includes all requests to the API
     # server that are required. If this timeout is hit then the lease *may* be taken due to the response being lost
     # on the way back from the API server but will be reported as not taken and can be safely retried.
     lease-operation-timeout = 5s
 }
+
+pekko.remote.artery {
+  # the default transport
+  transport = tls-tcp
+
+  ssl.config-ssl-engine {
+    # must match the TLS version used in the Kubernetes lease config above
+    protocol = "TLSv1.3"
+    # the algorithms to use for the TLS connection (must be appropriate for the TLS version)
+    enabled-algorithms = [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" ]
+  }
+}

lease-kubernetes/src/main/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettings.scala

@@ -81,5 +81,5 @@ private[pekko] class KubernetesSettings(
     val namespacePath: String,
     val apiServerRequestTimeout: FiniteDuration,
     val secure: Boolean = true,
-    val tlsVersion: String = "TLSv1.2",
+    val tlsVersion: String = "TLSv1.3",
     val bodyReadTimeout: FiniteDuration = 1.second)

lease-kubernetes/src/test/scala/org/apache/pekko/coordination/lease/kubernetes/KubernetesSettingsSpec.scala

@@ -41,11 +41,11 @@ class KubernetesSettingsSpec extends AnyWordSpec with Matchers {
            api-server-request-timeout=4s
         """.stripMargin).apiServerRequestTimeout shouldEqual 4.seconds
     }
-    "default tls-version to v1.2" in {
-      conf("").tlsVersion shouldEqual "TLSv1.2"
+    "default tls-version to v1.3" in {
+      conf("").tlsVersion shouldEqual "TLSv1.3"
     }
     "support tls-version override" in {
-      conf("tls-version=TLSv1.3").tlsVersion shouldEqual "TLSv1.3"
+      conf("tls-version=TLSv1.2").tlsVersion shouldEqual "TLSv1.2"
     }
     "not allow server request timeout greater than operation timeout" in {
       intercept[IllegalArgumentException] {