Re: [PR] cluster-bootstrap support TLS requests in client calls [pekko-management]

Tue, 18 Nov 2025 09:28:19 -0800 


Copilot commented on code in PR #426:
URL: https://github.com/apache/pekko-management/pull/426#discussion_r2539090182


##########
management-cluster-bootstrap/src/main/resources/reference.conf:
##########
@@ -134,6 +134,13 @@ pekko.management {
 
       # Max amount of jitter to be added on retries
       probe-interval-jitter = 0.2
+
+      http-client {
+        # set this to your HTTPS certificate path if you want to setup a HTTPS 
trust store
+        ca-path = ""
+        # the TLS version to use when connecting to the API server

Review Comment:
   The comment "the TLS version to use when connecting to the API server" is 
misleading in this context. This configuration is for connecting to cluster 
bootstrap contact points (other Pekko Management endpoints), not a Kubernetes 
API server. Consider updating to: "the TLS version to use when connecting to 
contact points"
   ```suggestion
           # the TLS version to use when connecting to contact points
   ```



##########
management-cluster-bootstrap/src/test/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrapSpec.scala:
##########
@@ -13,17 +13,82 @@
 
 package org.apache.pekko.management.cluster.bootstrap.internal
 
+import java.nio.file.NoSuchFileException
+
 import org.apache.pekko
-import pekko.actor.ActorPath
+import pekko.actor.{ ActorPath, ActorSystem }
+import pekko.event.Logging
+import pekko.management.cluster.bootstrap.ClusterBootstrapSettings
 import pekko.http.scaladsl.model.Uri.Host
+import com.typesafe.config.ConfigFactory
 import org.scalatest.matchers.should.Matchers
 import org.scalatest.wordspec.AnyWordSpec
 
 class HttpContactPointBootstrapSpec extends AnyWordSpec with Matchers {
+
   "HttpContactPointBootstrap" should {
     "use a safe name when connecting over IPv6" in {
       val name = 
HttpContactPointBootstrap.name(Host("[fe80::1013:2070:258a:c662]"), 443)
       ActorPath.isValidPathElement(name) should be(true)
     }
+    "generate SSLContext with default config" in {
+      val sys = ActorSystem("HttpContactPointBootstrapSpec")
+      val log = Logging(sys, classOf[HttpContactPointBootstrapSpec])
+      try {
+        val settings = new ClusterBootstrapSettings(sys.settings.config, log)
+        HttpContactPointBootstrap.generateSSLContext(settings) should not be 
null
+      } finally {
+        sys.terminate()
+      }
+    }
+    "generate SSLContext with cert" in {
+      val sys = ActorSystem("HttpContactPointBootstrapSpec")
+      val log = Logging(sys, classOf[HttpContactPointBootstrapSpec])
+      try {
+        val cfg = ConfigFactory.parseString("""
+          pekko.management.cluster.bootstrap.contact-point.http-client {
+            ca-path = "management-cluster-bootstrap/src/test/files/ca.crt"
+          }""").withFallback(sys.settings.config)
+        val settings = new ClusterBootstrapSettings(cfg, log)
+        HttpContactPointBootstrap.generateSSLContext(settings) should not be 
null
+      } finally {
+        sys.terminate()
+      }
+    }
+    "fail to generate SSLContext with missing cert" in {
+      val sys = ActorSystem("HttpContactPointBootstrapSpec")
+      val log = Logging(sys, classOf[HttpContactPointBootstrapSpec])
+      try {
+        val cfg = ConfigFactory.parseString("""
+          pekko.management.cluster.bootstrap.contact-point.http-client {
+            ca-path = 
"management-cluster-bootstrap/src/test/files/non-existent.crt"
+          }""").withFallback(sys.settings.config)
+        val settings = new ClusterBootstrapSettings(cfg, log)
+        intercept[NoSuchFileException] {
+          HttpContactPointBootstrap.generateSSLContext(settings)
+        }
+      } finally {
+        sys.terminate()
+      }
+    }
+    "fail to generate SSLContext with bad tls-version" in {
+      val sys = ActorSystem("HttpContactPointBootstrapSpec")
+      val log = Logging(sys, classOf[HttpContactPointBootstrapSpec])
+      try {
+        val cfg = ConfigFactory.parseString("""
+          pekko.management.cluster.bootstrap.contact-point.http-client {
+            ca-path = "management-cluster-bootstrap/src/test/files/ca.crt"
+            tls-version = "BAD_VERSION"
+          }""").withFallback(sys.settings.config)
+        val settings = new ClusterBootstrapSettings(cfg, log)
+        val nsae = intercept[java.security.NoSuchAlgorithmException] {
+          HttpContactPointBootstrap.generateSSLContext(settings)
+        }
+        nsae.getMessage.contains("BAD_VERSION") should be(true)

Review Comment:
   The variable name `nsae` is ambiguous. Consider using a more descriptive 
name like `exception` or `noSuchAlgorithmException` for better readability.
   ```suggestion
           val noSuchAlgorithmException = 
intercept[java.security.NoSuchAlgorithmException] {
             HttpContactPointBootstrap.generateSSLContext(settings)
           }
           noSuchAlgorithmException.getMessage.contains("BAD_VERSION") should 
be(true)
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to