Implementation of the internal TLS registry #39825
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
quarkus-bot
bot
added
the
area/dependencies
cescoffier
force-pushed
the
tls-registry
branch
2 times, most recently
from
f38cd33 to
9004850
Compare
cescoffier
force-pushed
the
tls-registry
branch
from
9004850 to
26eeba8
Compare
quarkus-bot
bot
added
area/core
area/keycloak
area/kubernetes
area/mailer
area/oidc
area/tracing
area/testing
area/vertx
area/grpc
|
I'll start looking at this tomorrow |
|
80% of the file changes are related to new tests added. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
🙈 The PR is closed and the preview is expired. |
cescoffier
force-pushed
the
tls-registry
branch
from
77e4969 to
c0e5767
Compare
quarkus-bot
bot
added
the
area/devtools
geoand
reviewed
Apr 25, 2024
extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/supports/Channels.java
Outdated
Show resolved
Hide resolved
extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/supports/Channels.java
Outdated
Show resolved
Hide resolved
extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/supports/Channels.java
Outdated
Show resolved
Hide resolved
...ain/java/io/quarkus/keycloak/admin/client/reactive/KeycloakAdminClientReactiveProcessor.java
Outdated
Show resolved
Hide resolved
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
geoand
reviewed
May 21, 2024
extensions/tls-registry/runtime/src/main/resources/META-INF/quarkus-extension.yaml
Show resolved
Hide resolved
geoand
reviewed
May 21, 2024
|
Yes, it is also blocking everything else (mTLS, Mailer, ACME...) |
|
+1 on merging |
This comment has been minimized.
This comment has been minimized.
This commit replaces the build-time property 'quarkus.tls.trust-all' with a new TLS registry. The previous implementation was potentially problematic, as it could lead to security issues in a production environment. Please note, this is a breaking change for extensions that use the now-deleted `TlsConfig.java`. However, from a user perspective, the change is seamless. The 'quarkus.tls.trust-all' configuration property has simply transitioned from a build-time to a runtime configuration.
This comment has been minimized.
This comment has been minimized.
…S registry This commit transitions the configuration of the primary and management HTTP servers from `quarkus.http.ssl....` to `quarkus.tls.keystore/truststore/...`. This change provides a more streamlined and intuitive configuration process. The previous approach is still supported. Additionally, the update introduces support for named configurations, which can be selected using the `quarkus.http.tls-configuration-name` property.
This commit transitions the configuration of the Quarkus (Vert.x based) gRPC client from `quarkus.grpc.clients.<name>.tls....` to `quarkus.tls.keystore/truststore/...`. This change provides a more streamlined and intuitive configuration process. The previous approach is still supported. Additionally, the update introduces support for named configurations, which can be selected using the `quarkus.grpc.clients.<name>.tls-configuration-name` property. Note that this change only updates the Quarkus (Vert.x based) gRPC client. The plain gRPC client (using grpc-java) do not use the TLS registry.
It covers the TLS registry, HTTP configuration and gRPC.
Status for workflow
|
Status for workflow
|
|
Merged to unblock the rest of the work. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR provides a centralized TLS configuration mechanism.
It also replaces the build-time property 'quarkus.tls.trust-all' with a new TLS registry. The previous implementation was potentially problematic, as it could lead to security issues in a production environment.
Please note this is a breaking change for extensions that use the now-deleted
TlsConfig.java. However, from a user perspective, the change is seamless. The 'quarkus.tls.trust-all' configuration property has transitioned from a build-time to a runtime configuration.It also allows configuring the primary and management HTTP server using the TLS registry.
This PR transitions the configuration of the primary and management HTTP servers from
quarkus.http.ssl....toquarkus.tls.keystore/truststore/.... This change provides a more streamlined and intuitive configuration process. The previous approach is still supported.Additionally, the update introduces support for named configurations, which can be selected using the
quarkus.http.tls-configuration-nameproperty.Same has been done for gRPC clients.
In subsequent PRs, I will address the rest client, malier, redis, reactive DB clients...