Affected Version
25.0.0
Description
druid-kubernetes-overlord-extension does not support TLSv1.3
I believe this is because of the use of v5.12.2 of the fabric8io/kubernetes-client library
I had the minimum required TLS version of my kubernetes API server set to TLSv1.3 and was getting the below failures:
2023-02-02T20:02:00,218 ERROR [TaskQueue-Manager] org.apache.druid.indexing.overlord.TaskQueue - Failed to manage: {class=org.apache.druid.indexing.overlord.TaskQueue, exceptionType=class io.fabric8.kubernetes.client.KubernetesClientException, exceptionMessage=Operation: [list] for kind: [Pod] with name: [null] in namespace: [druid1] failed., restartDelay=30000}
io.fabric8.kubernetes.client.KubernetesClientException: Operation: [list] for kind: [Pod] with name: [null] in namespace: [druid1] failed.
...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
I set java JVM options and fabric8io/kubernetes-client options to enable TLSv1.3:
java opts:
-Djdk.tls.client.protocols=TLSv1.3
fabric8io opts:
KUBERNETES_TLS_VERSIONS=TLSv1.3
I then received the following error:
2023-02-03T16:05:46,011 ERROR [TaskQueue-Manager] org.apache.druid.indexing.overlord.TaskQueue - Failed to manage: {class=org.apache.druid.indexing.overlord.TaskQueue, exceptionType=class io.fabric8.kubernetes.client.KubernetesClientException, exceptionMessage=Operation: [list] for kind: [Pod] with name: [null] in namespace: [druid1] failed., restartDelay=30000}
io.fabric8.kubernetes.client.KubernetesClientException: Operation: [list] for kind: [Pod] with name: [null] in namespace: [druid1] failed.
...
Caused by: java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_256_CCM_8_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_3], supportsTlsExtensions=true), ConnectionSpec()], supported protocols=[TLSv1.2]
It is entirely possible my hypothesis about fabric8io/kubernetes-client is wrong and the issue is in the Java version or some Java options I did not set. I am not a Java expert at all.
Workaround
I set my kube-apiserver configuration to allow minimum TLS version 1.2 and everything worked.
CC @churromorales
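Added example (not part of the original report, and not Druid or fabric8 code): a small triage helper that tells the two "Caused by:" lines above apart and, for the second one, compares the TLS versions the client requested with the protocols enabled on its socket. It assumes OkHttp's message layout as quoted in the report, with `tlsVersions=[...]` read as the versions requested and `supported protocols=[...]` as the protocols enabled on the client socket; the function names and the shortened sample lines are constructed for illustration.

```python
import re

# OkHttp prints ConnectionSpec versions as TLS_1_3, JSSE prints TLSv1.3;
# normalise both spellings to "1.3" so the two lists can be compared.
def _norm(name):
    name = name.strip()
    m = re.fullmatch(r"(?:TLS_|TLSv)(\d)(?:[_.](\d))?", name)
    return f"{m.group(1)}.{m.group(2) or 0}" if m else name

def _versions(csv):
    return {_norm(v) for v in csv.split(",") if v.strip()}

def triage(line):
    """Classify one 'Caused by:' line; returns (kind, detail)."""
    if "Received fatal alert: protocol_version" in line:
        # The alert was received from the peer: a ClientHello was sent
        # and the other side refused the version(s) it offered.
        return ("peer_rejected_version", None)
    if "Unable to find acceptable protocols" in line:
        requested = set()
        for spec in re.findall(r"tlsVersions=\[([^\]]*)\]", line):
            requested |= _versions(spec)
        m = re.search(r"supported protocols=\[([^\]]*)\]", line)
        enabled = _versions(m.group(1)) if m else set()
        # An empty overlap means the client gave up on its own,
        # before any handshake message reached the API server.
        return ("client_no_overlap", {
            "requested": sorted(requested),
            "enabled": sorted(enabled),
            "overlap": sorted(requested & enabled),
        })
    return ("unrecognised", None)

# Constructed samples: the two 'Caused by:' lines from the report,
# with the cipher-suite list shortened.
SAMPLES = [
    "Caused by: javax.net.ssl.SSLHandshakeException: "
    "Received fatal alert: protocol_version",
    "Caused by: java.net.UnknownServiceException: Unable to find acceptable "
    "protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites="
    "[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384], tlsVersions=[TLS_1_3], "
    "supportsTlsExtensions=true), ConnectionSpec()], "
    "supported protocols=[TLSv1.2]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Run against the report's lines, the first is a refusal sent by the peer, while the second shows TLS 1.3 requested against a socket with only TLS 1.2 enabled, so the remaining gap is on the client side rather than in the kube-apiserver setting.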