Skip to content

feat(kernel): richer TLS Go options — CA bundle + independent hostname skip#400

Draft
mani-mathur-arch wants to merge 1 commit into
mani/sea-kernel-consolidatedfrom
mani/sea-kernel-richer-tls
Draft

feat(kernel): richer TLS Go options — CA bundle + independent hostname skip#400
mani-mathur-arch wants to merge 1 commit into
mani/sea-kernel-consolidatedfrom
mani/sea-kernel-richer-tls

Conversation

@mani-mathur-arch

Copy link
Copy Markdown
Collaborator

What

Exposes two kernel-only TLS options via an experimental-option idiom — no kernel change (both C-ABI setters already exist on kernel main):

  • WithKernelTrustedCerts(pem []byte)kernel_session_config_set_tls_trusted_certs: adds a PEM CA bundle to the kernel's trust store on top of the system roots (corporate re-signing proxy / on-prem CA). Required rather than relying on SSL_CERT_FILE, which the kernel's rustls stack ignores.
  • WithKernelSkipHostnameVerify()kernel_session_config_set_tls_skip_hostname_verification: skips only the certificate hostname check while keeping chain validation (finer-grained than the blanket WithSkipTLSHostVerify).

Closes PECOBLR-3651.

Design

  • Knobs live on a non-exported config.KernelExperimentalConfig off config.Config (NOT UserConfig), so they stay off the stable DSN/exported surface — same treatment as TLSConfig, mirroring Node's non-exported InternalConnectionOptions.
  • The default (Thrift) backend rejects a non-nil block loudly at connect, so a caller who sets one and forgets WithUseKernel learns the option had no effect rather than connecting with a weaker-than-intended trust store.
  • OpenSession forwards each to the kernel C ABI via a new byte-buffer helper (cBytes, mirroring cStr). A reflective guard (TestKernelExperimentalFieldsClassified) fails if a new experimental field isn't classified forwarded/rejected.

Scope

Bundle 1b only (the no-kernel-dependency part of the richer-TLS work). Deliberately out of scope, and confirmed absent from kernel main so correctly deferred:

  • mTLS client cert/key (set_tls_client_certificate) — needs a kernel C-ABI setter → PECOBLR-3652 (K5).
  • CloudFetch enable/disable (set_cloudfetch_enabled) → PECOBLR-3653 (K3).

Testing

  • Default CGO_ENABLED=0: build + vet + go test ./... — 24 pkg ok, 0 fail.
  • Tagged CGO_ENABLED=1 -tags databricks_kernel (linked against a locally-built kernel .a): build + vet + test — 24 pkg ok, 0 fail. New TestSetKernelTLS drives the real cgo setters; untagged kernel_experimental_test.go covers the option→config wiring, the classification guard, and DeepCopy.
  • Isaac Review: clean (0 critical / 0 major / 0 minor).

Stacking / merge order

Stacked on #399 (mani/sea-kernel-consolidated). PECOBLR-3650 (kernel logging → driver log-level) is stacked on top of this. No KERNEL_REV change here.

This pull request and its description were written by Isaac.


This PR was created with GitHub MCP.

…e skip

Expose the two kernel-only TLS knobs whose C-ABI setters already exist on
kernel main (no kernel change needed), via an experimental-option idiom:

  - WithKernelTrustedCerts(pem) -> kernel_session_config_set_tls_trusted_certs,
    adding a PEM CA bundle on top of the system roots. Required because the
    kernel's rustls stack ignores SSL_CERT_FILE, so a custom CA (corporate
    re-signing proxy / on-prem CA) must be handed over explicitly.
  - WithKernelSkipHostnameVerify() -> set_tls_skip_hostname_verification,
    skipping only the hostname check while keeping chain validation
    (finer-grained than the blanket WithSkipTLSHostVerify).

The knobs live on a non-exported config.KernelExperimentalConfig off
config.Config (not UserConfig), so they stay off the stable DSN surface
(mirroring Node's InternalConnectionOptions / Python's underscore kwargs).
The Thrift path rejects a non-nil block loudly at connect rather than
silently ignoring it, so a caller who forgets WithUseKernel learns the
option had no effect. OpenSession forwards each to the kernel C ABI via a
byte-buffer helper (cBytes); a reflective guard
(TestKernelExperimentalFieldsClassified) keeps a new field from slipping
either path unclassified.

mTLS client cert/key (needs an absent kernel C-ABI setter, K5) and the
CloudFetch on/off toggle (K3) are deliberately out of scope here — they are
tracked separately (PECOBLR-3652 / PECOBLR-3653).

Closes PECOBLR-3651.

Co-authored-by: Isaac
Signed-off-by: Mani Kaustubh Mathur <mani.mathur@databricks.com>
@mani-mathur-arch mani-mathur-arch force-pushed the mani/sea-kernel-consolidated branch from d0c999e to 2caa354 Compare July 14, 2026 18:53
@mani-mathur-arch mani-mathur-arch force-pushed the mani/sea-kernel-richer-tls branch from 89c9b36 to b147d0e Compare July 14, 2026 18:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant