Martijn Visser created FLINK-40088:
--------------------------------------

             Summary: RestClientITCase.testHttpsConnectionWithDefaultCerts is 
flaky due to GitHub rate limiting (HTTP 429)
                 Key: FLINK-40088
                 URL: https://issues.apache.org/jira/browse/FLINK-40088
             Project: Flink
          Issue Type: Bug
          Components: Runtime / REST
            Reporter: Martijn Visser


RestClientITCase#testHttpsConnectionWithDefaultCerts 
(flink-end-to-end-tests-restclient) verifies that RestClient completes a TLS 
handshake against a public CA-signed endpoint using the default JDK truststore. 
It does so by fetching a JSON file from raw.githubusercontent.com and requiring 
the response to be valid JSON.

On GitHub Actions the runners share egress IPs, so GitHub periodically returns 
"429 Too Many Requests" as a plain-text body. RestClient then fails with:
{code:java}
org.apache.flink.runtime.rest.util.RestClientException: Response was not valid 
JSON, but plain-text: 429: Too Many Requests
      at 
org.apache.flink.runtime.rest.RestClientITCase.testHttpsConnectionWithDefaultCerts(RestClientITCase.java:61)
{code}
even though the TLS handshake - the thing under test - succeeded. Example: 
master run [https://github.com/apache/flink/actions/runs/28791132983] 
(2026-07-06, commit 9661ab549b, leg "Default (Java 17) / E2E (group 4)"). 

A 429 (or any HTTP error response) is produced in RestClient#readRawResponse 
only after a full HTTP response has been received, i.e. after a successful 
handshake. A genuine certificate/trust failure instead surfaces as an 
SSLException from Netty's SslHandler and never produces a RestClientException. 
The two cases are cleanly distinguishable.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to