balassai opened a new pull request, #28160: URL: https://github.com/apache/flink/pull/28160
## What is the purpose of the change

`security.ssl.protocol` previously only accepted a single TLS protocol version (e.g. `"TLSv1.2"`), and the documentation explicitly stated it did not support a comma-separated list. This change removes that restriction, allowing operators to configure multiple TLS protocol versions (e.g. `"TLSv1.2,TLSv1.3"`) so that clusters can support both older and newer clients/peers simultaneously.

## Brief change log

- Updated the `SecurityOptions.SSL_PROTOCOL` config option description to document comma-separated list support
- In `PekkoUtils`, the Pekko/Netty SSL config now always sets `protocol = TLS` (the generic TLS context), and the individual protocol versions are passed as the `enabled-protocols` list
- Added `CustomSSLEngineProvider#createServerSSLEngine` and `createClientSSLEngine` overrides that apply the `enabled-protocols` list directly to the `SSLEngine`, ensuring only the configured protocol versions are active
- Updated generated documentation HTML for `security.ssl.protocol` in both `security_configuration.html` and `security_ssl_section.html`

## Verifying this change

This change added tests and can be verified as follows:

- Added `PekkoUtilsTest#getConfigSingleSslProtocolUsesGenericTlsContext`: verifies that a single protocol value still results in `protocol = TLS` and the correct `enabled-protocols` list
- Added `PekkoUtilsTest#getConfigCommaSeparatedSslProtocolsAreAllEnabled`: verifies that a comma-separated value like `"TLSv1.2,TLSv1.3"` correctly populates both entries in `enabled-protocols`

## Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): no
- The public API, i.e., is any changed class annotated with `@Public(Evolving)`: no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: yes — affects how the RPC layer negotiates TLS
- The S3 file system connector: no

## Documentation

- Does this pull request introduce a new feature? yes
- If yes, how is the feature documented? docs (generated HTML for the configuration reference was updated), JavaDocs (the `SecurityOptions.SSL_PROTOCOL` description was updated)

---

##### Was generative AI tooling used to co-author this PR?

No
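The JSSE mechanism the PR description relies on, as an added stand-alone example (not Flink's or Pekko's code): an `SSLContext` is created with the generic `"TLS"` algorithm, and the versions parsed from a comma-separated setting are applied to each `SSLEngine` with `setEnabledProtocols`, so only the configured versions can be negotiated. The class and method names, and the sample configuration strings, are assumptions made for illustration; only standard `javax.net.ssl` calls are used. Per the JSSE documentation, the algorithm name passed to `SSLContext.getInstance` does not by itself pin the negotiable versions (a version-specific context "may support other SSL/TLS versions"), which is why the per-engine enabled list is the authoritative restriction.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example, not project code. Demonstrates: generic "TLS" context plus a
 * per-engine enabled-protocol list derived from a comma-separated setting.
 * Class, method and setting names are hypothetical.
 */
public final class EnabledProtocolsDemo {

    /** Parses a value such as "TLSv1.2, TLSv1.3" into a trimmed, de-duplicated list; rejects empty entries. */
    static List<String> parseProtocolList(String configured) {
        Set<String> out = new LinkedHashSet<>();
        for (String part : configured.split(",")) {
            String p = part.trim();
            if (p.isEmpty()) {
                throw new IllegalArgumentException("empty protocol entry in: '" + configured + "'");
            }
            out.add(p);
        }
        return new ArrayList<>(out);
    }

    /**
     * Creates a client or server engine from the generic context and restricts it to the configured
     * versions. Each name is checked against the JVM's supported set first so a typo or a version the
     * runtime lacks fails at configuration time with a clear message, not later as a handshake error.
     */
    static SSLEngine createEngine(SSLContext ctx, List<String> protocols, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(clientMode);
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        for (String p : protocols) {
            if (!supported.contains(p)) {
                throw new IllegalArgumentException(
                        "protocol '" + p + "' is not supported by this JVM; supported: " + supported);
            }
        }
        // Replaces the context's default enabled set with exactly the configured versions.
        engine.setEnabledProtocols(protocols.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Generic TLS context; null managers select the JDK defaults, no keystore needed for this demo.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        // What the generic context enables when nothing is restricted.
        SSLEngine unrestricted = ctx.createSSLEngine();
        System.out.println("default enabled: " + Arrays.toString(unrestricted.getEnabledProtocols()));

        // Single value, as the option previously required (constructed sample setting).
        SSLEngine single = createEngine(ctx, parseProtocolList("TLSv1.2"), false);
        System.out.println("single value:    " + Arrays.toString(single.getEnabledProtocols()));

        // Comma-separated list with surrounding whitespace (constructed sample setting).
        SSLEngine both = createEngine(ctx, parseProtocolList("TLSv1.2, TLSv1.3"), true);
        System.out.println("list value:      " + Arrays.toString(both.getEnabledProtocols()));

        // Misconfiguration: an unknown name is rejected before any engine is handed out.
        try {
            createEngine(ctx, parseProtocolList("TLSv1.2,TLSv9.9"), false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:        " + e.getMessage());
        }
    }
}
```

Run with `javac EnabledProtocolsDemo.java && java EnabledProtocolsDemo`. The engines are inspected but never handshaked, so no certificates are required. The up-front check against `getSupportedProtocols()` is the caveat worth carrying into any real implementation: `setEnabledProtocols` throws `IllegalArgumentException` for an unsupported name, but validating the whole list first gives the operator one message naming the offending entry and the versions the JVM actually offers.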
