replace BoringSSL with OpenSSL #191
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
docs build is timing out, we should probably just make that longer: https://github.com/olix0r/kubert/actions/runs/6540496051/job/17760488340 |
|
CI failure for the incluster client tests with OpenSSL on k8s v1.26 is due to a timeout: https://github.com/olix0r/kubert/actions/runs/6540496054 --- looks like it just happened to hit one of the tests that was introduced in this PR 🙃 Should hopefully work on rerun although we may need to bump those timeouts. |
olix0r
reviewed
Oct 20, 2023
olix0r
reviewed
Oct 20, 2023
olix0r
reviewed
Oct 20, 2023
Co-authored-by: Oliver Gould <ver@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
this feels less flaky in case module structure changes.
olix0r
approved these changes
Oct 20, 2023
|
Most recent CI failure looks like a transient network connectivity issue while downloading deps: https://github.com/olix0r/kubert/actions/runs/6590434165/job/17907015902 Mind restarting it for me? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Depends on #190
Currently, Kubert has the option to use either Rustls or BoringSSL as the TLS implementation. However, the BoringSSL feature is incomplete, as it only configures Kubert's server to use BoringSSL, while the client will still use "whatever
kube-clientis configured to use". This means that you don't really get all-BoringSSL. Meanwhile, using BoringSSL on the client-side is quite fraught without upstream support inkube-client.Therefore, this branch rips out the
boring-tlsfeature and replaces it with anopenssl-tlsfeature. Now, we can ensure that the client and server use the same TLS implementation, becausekube-clientalready supports OpenSSL. In addition, I've added new tests for the TLS server, and changed the CI client tests to run with both TLS clients.Closes #188