-
-
Notifications
You must be signed in to change notification settings - Fork 320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
client: Add feature flag for BoringSSL TLS #1301
base: main
Are you sure you want to change the base?
Conversation
## Motivation Curerently, `kube-client` supports using either Rustls or OpenSSL as the TLS backend. BoringSSL is an alterative TLS implementation, based on a fork of OpenSSL and maintained by Google. Rust bindings for BoringSSL are available in the `boring` crate. Some users of `kube-client` may wish to use BoringSSL as the TLS implementation, rather than OpenSSL or Rustls. This can potentially be implemented in downstream code, on top of `kube-client`'s config module, but it seemed nicer to just provide it in `kube-client`. ## Solution This commit adds support for BoringSSL as a third TLS option. The `boring` crate has a very similar API to the `openssl` crate, so the BoringSSL client code looks quite similar to the OpenSSL client code. I've also attempted to modify the CI configuration to also run tests with BoringSSL. However, I wasn't able to verify that this works without an actual CI run, so it's possible that the E2E test docker environment can't actually build BoringSSL and we'll have to add additional build deps there. I'm happy to follow up on that after a CI run has completed. Signed-off-by: Eliza Weisman <eliza@buoyant.io>
This commit adds some documentation describing how TLS implementations are selected. I figured this would be nice to add. Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #1301 +/- ##
=======================================
Coverage 72.31% 72.31%
=======================================
Files 75 75
Lines 6347 6347
=======================================
Hits 4590 4590
Misses 1757 1757
|
The Clippy failures on CI look unrelated, but it looks like there's a linker failure with |
Hey, thanks for this! I think the reasoning makes sense for it to be here.
|
@clux thanks for the quick feedback!
Ah, I didn't realize that we also selected a TLS implementation there. I'll make sure it's consistent.
Thanks for the link, that's helpful. However, after looking further, it seems like the linker issue isn't actually Musl-specific --- note that It's possible that the |
I wonder if sfackler/rust-openssl#1944 is related? |
Edit: nope, never mind, I was wrong about that --- with |
Motivation
Curerently,
kube-client
supports using either Rustls or OpenSSL as theTLS backend. BoringSSL is an alterative TLS implementation, based on a
fork of OpenSSL and maintained by Google. Rust bindings for BoringSSL
are available in the
boring
crate. Some users ofkube-client
maywish to use BoringSSL as the TLS implementation, rather than OpenSSL or
Rustls. This can potentially be implemented in downstream code, on top
of
kube-client
's config module, but this would require re-implementinga large amount of
kube-client
'sauth
module in user code. Therefore,it seemed nicer to just provide it in
kube-client
.Solution
This commit adds support for BoringSSL as a third TLS option. The
boring
crate has a very similar API to theopenssl
crate, so theBoringSSL client code looks quite similar to the OpenSSL client code.
I've also attempted to modify the CI configuration to also run tests
with BoringSSL. However, I wasn't able to verify that this works without
an actual CI run, so it's possible that the E2E test docker environment
can't actually build BoringSSL and we'll have to add additional build
deps there. I'm happy to follow up on that after a CI run has completed.