
Remove trailing . for internal domain names #400

Open
david-yu opened this issue Jan 18, 2025 · 1 comment

@david-yu
Contributor

david-yu commented Jan 18, 2025

Currently, for internal-only domain names we have a trailing `.`. This is called out here: https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/helpers.go#L141.

```yaml
advertised_kafka_api:
    - address: redpanda-0.redpanda.panda.svc.cluster.local.
      port: 9093
      name: internal
```

When using the Kafka Java client with TLS and SNI host names, users get the following error:

```
Caused by: java.lang.IllegalArgumentException: Server name value of host_name cannot have the trailing dot
	at java.base/javax.net.ssl.SNIHostName.checkHostName(SNIHostName.java:319)
	at java.base/javax.net.ssl.SNIHostName.<init>(SNIHostName.java:109)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:212)
```

We should change the internal domain names so that they are valid per http://www.ietf.org/rfc/rfc6066.txt:

> "HostName" contains the fully qualified DNS hostname of the server, as
> understood by the client. The encoded server name value of a hostname is
> represented as a byte string using ASCII encoding without a trailing dot.
> This allows the support of Internationalized Domain Names (IDN) through
> the use of A-labels (the ASCII-Compatible Encoding (ACE) form of a valid
> string of Internationalized Domain Names for Applications (IDNA)) defined
@chrisseto
Contributor

Strictly speaking a trailing . is entirely valid though the exact handling can be a bit difficult depending on the implementation.

IIUC, a trailing . loosely means "match this domain exactly as is. Do NOT use search domains". In a Kubernetes cluster, redpanda-0.redpanda.panda will generally get matched to redpanda-0.redpanda.panda.svc.cluster.local. Adding a trailing dot would prevent that match.

There are a lot of interesting issues on this floating around the internet, which I'm not going to link because GitHub will connect them to each other.

Based off the slack thread that spawned this issue, it seems the particular limitation is SNI not working with trailing periods.

I'm not opposed to removing the trailing dot, though we'll need to check how our TLS certs are configured. If they have trailing `.`s as well, we'll need to be careful about removing it.
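As an added example (not code from the helm chart or from either commenter), the Go below turns an advertised address such as the one in the issue into the form RFC 6066 requires for the TLS `server_name` value (ASCII, no trailing dot) and compares a certificate DNS SAN against it with both sides normalised, so a cert issued with a trailing dot still matches after the chart stops emitting one. The function names and the sample inputs are my own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidSNIHost is returned for values that cannot be sent as an SNI host_name.
var ErrInvalidSNIHost = errors.New("invalid SNI host_name")

// NormalizeSNIHost strips the single trailing dot the chart currently emits and checks
// the remaining value against RFC 6066 section 3: ASCII only, no empty labels, no
// trailing dot. Java's javax.net.ssl.SNIHostName rejects the dotted form outright, so
// this is the conversion a client or chart has to perform before the handshake.
func NormalizeSNIHost(addr string) (string, error) {
	host := strings.ToLower(strings.TrimSuffix(addr, "."))
	if host == "" {
		return "", fmt.Errorf("%w: empty name %q", ErrInvalidSNIHost, addr)
	}
	for _, label := range strings.Split(host, ".") {
		// An empty label covers "a..b" and a second trailing dot such as "a.b..".
		if label == "" {
			return "", fmt.Errorf("%w: empty label in %q", ErrInvalidSNIHost, addr)
		}
		for _, r := range label {
			// IDNs must already be A-labels; raw non-ASCII is not allowed on the wire.
			if r > 0x7f {
				return "", fmt.Errorf("%w: non-ASCII label in %q", ErrInvalidSNIHost, addr)
			}
		}
	}
	return host, nil
}

// CertNameMatchesSNI reports whether a certificate DNS SAN names the SNI host, comparing
// both in normalised form (exact match only; wildcards are not handled here) so that a
// cert that was issued with a trailing dot keeps matching once the dot is removed.
func CertNameMatchesSNI(san, sniHost string) bool {
	s, err := NormalizeSNIHost(san)
	if err != nil {
		return false
	}
	h, err := NormalizeSNIHost(sniHost)
	if err != nil {
		return false
	}
	return s == h
}

func main() {
	// Constructed input mirroring the advertised_kafka_api entry above.
	fmt.Println(NormalizeSNIHost("redpanda-0.redpanda.panda.svc.cluster.local."))
}
```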
