druid-kubernetes-overlord-extension does not support TLSv1.3 #13749

Closed
jwitko opened this issue Feb 3, 2023 · 2 comments

jwitko commented Feb 3, 2023

Affected Version

25.0.0

Description

druid-kubernetes-overlord-extension does not support TLSv1.3
I believe this is because of the use of v5.12.2 of the fabric8io/kubernetes-client library.

I had the minimum required TLS version of my kubernetes API server set to TLSv1.3 and was getting the below failures:

2023-02-02T20:02:00,218 ERROR [TaskQueue-Manager] org.apache.druid.indexing.overlord.TaskQueue - Failed to manage: {class=org.apache.druid.indexing.overlord.TaskQueue, exceptionType=class io.fabric8.kubernetes.client.KubernetesClientException, exceptionMessage=Operation: [list]  for kind: [Pod]  with name: [null]  in namespace: [druid1]  failed., restartDelay=30000}
io.fabric8.kubernetes.client.KubernetesClientException: Operation: [list]  for kind: [Pod]  with name: [null]  in namespace: [druid1]  failed.
...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version

I set java JVM options and fabric8io/kubernetes-client options to enable TLSv1.3:
java opts:

-Djdk.tls.client.protocols=TLSv1.3

fabric8io opts:

KUBERNETES_TLS_VERSIONS=TLSv1.3

I then received the following error:

2023-02-03T16:05:46,011 ERROR [TaskQueue-Manager] org.apache.druid.indexing.overlord.TaskQueue - Failed to manage: {class=org.apache.druid.indexing.overlord.TaskQueue, exceptionType=class io.fabric8.kubernetes.client.KubernetesClientException, exceptionMessage=Operation: [list]  for kind: [Pod]  with name: [null]  in namespace: [druid1]  failed., restartDelay=30000}
io.fabric8.kubernetes.client.KubernetesClientException: Operation: [list]  for kind: [Pod]  with name: [null]  in namespace: [druid1]  failed.
...
Caused by: java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_256_CCM_8_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_3], supportsTlsExtensions=true), ConnectionSpec()], supported protocols=[TLSv1.2]

It is entirely possible my hypothesis about fabric8io/kubernetes-client is wrong and the issue is in the Java version or some Java options I did not set. I am not a Java expert at all.

Workaround

I set my kube-apiserver configuration to allow minimum TLS version 1.2 and everything worked.

CC @churromorales

github-actions bot commented Feb 5, 2024

This issue has been marked as stale due to 280 days of inactivity.
It will be closed in 4 weeks if no further activity occurs. If this issue is still
relevant, please simply write any comment. Even if closed, you can still revive the
issue at any time or discuss it on the dev@druid.apache.org list.
Thank you for your contributions.

github-actions bot added the stale label Feb 5, 2024

github-actions bot commented Mar 5, 2024

This issue has been closed due to lack of activity. If you think that
is incorrect, or the issue requires additional review, you can revive the issue at
any time.

github-actions bot closed this as not planned Mar 5, 2024