Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider changing default tls stack from openssl-tls to rustls-tls #1192

Closed
clux opened this issue Apr 8, 2023 · 4 comments · Fixed by #1261
Closed

Consider changing default tls stack from openssl-tls to rustls-tls #1192

clux opened this issue Apr 8, 2023 · 4 comments · Fixed by #1261
Labels
question Direction unclear; possibly a bug, possibly could be improved.

Comments

@clux
Copy link
Member

clux commented Apr 8, 2023

If the latest mass-closure of rustls issues does not come with any negative side-effects, we should consider finally moving over to rustls as a default.

Issue comparison

Feature Comparison

Based on above issues; moving now would give us default support for tls-server-name.
It could also potentially give us a much faster windows ci (experimentation pending) due to how long the openssl install takes.

Cross compilation

Minor point, but the standard glibc based x86_64 linux -> musl x86_64 cross compile technically becomes viable locally without build containers using cargo build --target x86_64-unknown-linux-musl (works in version-rs which is now using rustls-tls).

Questions

  1. Are there any features that are lacking on rustls over openssl that we should take into consideration?
  2. Anything else worth considering?
  3. If it all seems fine, and no issues are reported, how long do we wait?
@clux clux added the question Direction unclear; possibly a bug, possibly could be improved. label Apr 8, 2023
@clux clux mentioned this issue Apr 8, 2023
Closed
@goenning
Copy link
Contributor

FWIW I’m moving Aptakube to rustls on the next version. The app is being used in a large variety of environments, but always from outside the cluster.

I’ll report back how it goes🤞

@clux
Copy link
Member Author

clux commented Jun 16, 2023

Have started migration most my controllers to rustls as well this month given a bunch more openssl security vulnerabilities have started surfacing from security scanners, so will make another update next month on how that turned out.

@aviramha
Copy link
Contributor

aviramha commented Jul 5, 2023

https://github.com/metalbear-co/mirrord uses kube-rs + rustls and it works great. I think making it the default would be awesome :)

@goenning
Copy link
Contributor

goenning commented Jul 5, 2023

I forgot about this threqs, but I'm using rustls on Aptakube for the last 3 months and had zero issues reported 👍

@clux clux mentioned this issue Jul 20, 2023
Merged
@clux clux linked a pull request Jul 20, 2023 that will close this issue
Change default TLS stack to rustls-tls #1261
Merged
@clux clux closed this as completed in #1261 Sep 8, 2023
@github-project-automation github-project-automation bot moved this from Done to Defining in Kube Roadmap Sep 13, 2023
@clux clux moved this to Done in Kube Roadmap Sep 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Direction unclear; possibly a bug, possibly could be improved.
Projects
Kube Roadmap
Status: Defining
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Change default TLS stack to rustls-tls kube-rs/kube
3 participants
@goenning @clux @aviramha