Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(rustls): Upgrade tokio-rustls to 0.26 #3557

Merged
merged 2 commits into from
Jan 22, 2025
Merged

build(rustls): Upgrade tokio-rustls to 0.26 #3557

merged 2 commits into from
Jan 22, 2025

Conversation

sfleen
Copy link
Collaborator

@sfleen sfleen commented Jan 22, 2025

This is a retry of #3419, which was reverted by #3553.

This includes a fix that caused the control plane to never be ready due to a reduction in the set of supported signature algorithms. See 01e0782 for details.

@sfleen sfleen requested a review from a team as a code owner January 22, 2025 16:09
@codecov Codecov
Copy link

codecov bot commented Jan 22, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 88.37209% with 5 lines in your changes missing coverage. Please review.

Project coverage is 66.79%. Comparing base (96124bc) to head (ebfe880).
Report is 745 commits behind head on main.

Files with missing lines Patch % Lines
linkerd/app/outbound/src/tls/logical/tests.rs 84.61% 2 Missing ⚠️
linkerd/meshtls/rustls/src/creds/verify.rs 77.77% 2 Missing ⚠️
linkerd/meshtls/rustls/src/creds/store.rs 90.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3557      +/-   ##
==========================================
- Coverage   67.68%   66.79%   -0.89%     
==========================================
  Files         332      388      +56     
  Lines       15158    18157    +2999     
==========================================
+ Hits        10259    12128    +1869     
- Misses       4899     6029    +1130
Files with missing lines Coverage Δ
linkerd/meshtls/rustls/src/client.rs 63.26% <100.00%> (ø)
linkerd/meshtls/rustls/src/creds.rs 83.33% <100.00%> (+2.25%) ⬆️
linkerd/meshtls/rustls/src/creds/receiver.rs 54.54% <ø> (ø)
linkerd/meshtls/rustls/src/server.rs 83.33% <100.00%> (+3.03%) ⬆️
linkerd/meshtls/rustls/src/creds/store.rs 90.62% <90.00%> (-1.80%) ⬇️
linkerd/app/outbound/src/tls/logical/tests.rs 93.33% <84.61%> (ø)
linkerd/meshtls/rustls/src/creds/verify.rs 80.00% <77.77%> (-7.50%) ⬇️

... and 170 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update de25333...ebfe880. Read the comment docs.

@sfleen
Expand the set of supported signature algorithms
ebfe880 
During the rustls upgrade, it accidentally limited the set of supported signature algorithms to ECDSA256 signatures. This would cause the identity control plane proxy to reject all certify requests with BadSignature if an RSA certificate was used instead of ECDSA.

This updates the set of supported algorithms to most of the full set of what rustls+ring supports, minus a few legacy algorithms.

Tested by deploying to a local cluster and verifying the control plane comes up correctly and app-level networking works as expected.

Signed-off-by: Scott Fleener <[email protected]>
@olix0r olix0r self-assigned this Jan 22, 2025
@olix0r
Copy link
Member

olix0r commented Jan 22, 2025

Before merging, I suggest you manually test this proxy version against the linkerd2 bin/tests...

@sfleen
Copy link
Collaborator Author

sfleen commented Jan 22, 2025

Before merging, I suggest you manually test this proxy version against the linkerd2 bin/tests...

Yep, tested it locally and it works.

@sfleen sfleen merged commit 4f0775d into linkerd:main Jan 22, 2025
19 checks passed
@sfleen sfleen deleted the rustls branch January 22, 2025 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olix0r olix0r olix0r approved these changes

Assignees

@olix0r olix0r

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sfleen @olix0r