Martijn Visser created FLINK-40088:
--------------------------------------
Summary: RestClientITCase.testHttpsConnectionWithDefaultCerts is
flaky due to GitHub rate limiting (HTTP 429)
Key: FLINK-40088
URL: https://issues.apache.org/jira/browse/FLINK-40088
Project: Flink
Issue Type: Bug
Components: Runtime / REST
Reporter: Martijn Visser
RestClientITCase#testHttpsConnectionWithDefaultCerts
(flink-end-to-end-tests-restclient) verifies that RestClient completes a TLS
handshake against a public CA-signed endpoint using the default JDK truststore.
It does so by fetching a JSON file from raw.githubusercontent.com and requiring
the response to be valid JSON.
On GitHub Actions the runners share egress IPs, so GitHub periodically returns
"429 Too Many Requests" as a plain-text body. RestClient then fails with:
{code:java}
org.apache.flink.runtime.rest.util.RestClientException: Response was not valid
JSON, but plain-text: 429: Too Many Requests
at
org.apache.flink.runtime.rest.RestClientITCase.testHttpsConnectionWithDefaultCerts(RestClientITCase.java:61)
{code}
even though the TLS handshake - the thing under test - succeeded. Example:
master run [https://github.com/apache/flink/actions/runs/28791132983]
(2026-07-06, commit 9661ab549b, leg "Default (Java 17) / E2E (group 4)").
A 429 (or any HTTP error response) is produced in RestClient#readRawResponse
only after a full HTTP response has been received, i.e. after a successful
handshake. A genuine certificate/trust failure instead surfaces as an
SSLException from Netty's SslHandler and never produces a RestClientException.
The two cases are cleanly distinguishable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)