Skip to content

kbs-client: Add native-tls feature#1387

Merged
fitzthum merged 1 commit into
confidential-containers:mainfrom
iroykaufman:kbs-client-native-tls
Jun 8, 2026
Merged

kbs-client: Add native-tls feature#1387
fitzthum merged 1 commit into
confidential-containers:mainfrom
iroykaufman:kbs-client-native-tls

Conversation

@iroykaufman

Copy link
Copy Markdown
Contributor

This PR introduces an option to use native-tls with kbs-client.
This can be beneficial for projects that want to use kbs-client as a dependency for API calls to KBS, but still want to use native-tls.

@iroykaufman iroykaufman requested a review from a team as a code owner May 27, 2026 14:40
@iroykaufman iroykaufman marked this pull request as draft May 27, 2026 19:14
@iroykaufman iroykaufman force-pushed the kbs-client-native-tls branch from f91c557 to c7480a4 Compare May 27, 2026 19:24

@Xynnn007 Xynnn007 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @iroykaufman Do you have any scenarios where only openssl can work, while default tls cannot?

Historically, we bring in rust-tls because at that time openssl cannot be statically compiled. But now it supports, thus we can consider to fully turn to openssl if possible.

@iroykaufman

Copy link
Copy Markdown
Contributor Author

hey @iroykaufman Do you have any scenarios where only openssl can work, while default tls cannot?

Historically, we bring in rust-tls because at that time openssl cannot be statically compiled. But now it supports, thus we can consider to fully turn to openssl if possible.

OpenSSL supports FIPS and PQC, so it can be beneficial to use OpenSSL instead of rust-tls because of those standards.

@iroykaufman iroykaufman force-pushed the kbs-client-native-tls branch 2 times, most recently from ece8779 to ed6a14d Compare May 28, 2026 08:02
@Xynnn007

Copy link
Copy Markdown
Member

OpenSSL supports FIPS and PQC, so it can be beneficial to use OpenSSL instead of rust-tls because of those standards.

Sounds good. In future we might consider fully embrace openssl.

@iroykaufman iroykaufman force-pushed the kbs-client-native-tls branch 2 times, most recently from 73611e4 to dd12f33 Compare May 28, 2026 08:57
@mythi

mythi commented May 28, 2026

Copy link
Copy Markdown
Contributor

this looks similar to what I recently evaluated with the question: can I build everything with the same crypto implementation/configuration. this work makes sense but it looks the PR topic is a bit off (more than just kbs-client)?

@iroykaufman

Copy link
Copy Markdown
Contributor Author

this looks similar to what I recently evaluated with the question: can I build everything with the same crypto implementation/configuration. this work makes sense but it looks the PR topic is a bit off (more than just kbs-client)?

My understanding is that we cannot build everything using native-tls/openssl because tonic lacks support for it. I chose this PR topic because it adds the native-tls feature for the kbs-client.

@Jakob-Naucke

Copy link
Copy Markdown
Member

this work makes sense but it looks the PR topic is a bit off (more than just kbs-client)?

It's because reqwest is set to use default-tls (becomes rustls) at workspace level and features are only additive to that (i.e. you can't use a crate from workspace but then not use a feature defined at that level AFAICT, and I didn't want to start tracking versions below workspace level).

kbs/Cargo.toml should also probably set a TLS implementation for reqwest, we'll do that before moving out of draft.

But I don't think there's a non-hacky way to set a TLS implementation at workspace level.

@iroykaufman iroykaufman force-pushed the kbs-client-native-tls branch from dd12f33 to 6863538 Compare May 28, 2026 14:17
@mythi

mythi commented May 28, 2026

Copy link
Copy Markdown
Contributor

this looks similar to what I recently evaluated with the question: can I build everything with the same crypto implementation/configuration. this work makes sense but it looks the PR topic is a bit off (more than just kbs-client)?

My understanding is that we cannot build everything using native-tls/openssl because tonic lacks support for it. I chose this PR topic because it adds the native-tls feature for the kbs-client.

Oh sorry, I only took a quick look and it looked like there's changes beyond what kbs-client needs. These are all for just kbs-client but the overall goal is to have native-tls used as much as possible, right?

@Jakob-Naucke

Copy link
Copy Markdown
Member

Oh sorry, I only took a quick look and it looked like there's changes beyond what kbs-client needs. These are all for just kbs-client but the overall goal is to have native-tls used as much as possible, right?

Our immediate focus for now was kbs-client but if desired it shouldn't be much work to extend to other crates. What we didn't know before raising was

In future we might consider fully embrace openssl.

, so I don't know if going all-native-tls is too drastic for now/breaks other things.

BTW the CI failures seem unrelated but I haven't been contributing for a while so I could be wrong

@Xynnn007

Copy link
Copy Markdown
Member

@Jakob-Naucke

Oh sorry, I only took a quick look and it looked like there's changes beyond what kbs-client needs. These are all for just kbs-client but the overall goal is to have native-tls used as much as possible, right?

Our immediate focus for now was kbs-client but if desired it shouldn't be much work to extend to other crates. What we didn't know before raising was

In future we might consider fully embrace openssl.

, so I don't know if going all-native-tls is too drastic for now/breaks other things.

Let's start with the kbs-client crate. I think it's acceptable. Going fully to native-tls might be our target but NOT this PR's responsibility. We will take a try in later PRs.

I think @mythi cares about, is that it looks like the PR have touched some codes that might not be related to the PR's target. I did not take much look on the PR as it's still draft. And I'd like to offer help when it gets ready.

BTW the CI failures seem unrelated but I haven't been contributing for a while so I could be wrong

I have retriggered the CI. The CI is not always to be happy, and we're working on those issues.

@iroykaufman iroykaufman marked this pull request as ready for review May 29, 2026 08:41
Comment thread kbs/test/Makefile

@Xynnn007 Xynnn007 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one nit. Also a rebase is needed

default = ["reqwest/default-tls"]

native-tls = ["reqwest/native-tls", "kbs_protocol/openssl"]

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we add another feature named default-tls = ["reqwest/default-tls"] and default= ["default-tls"] ? I think a crate-level feature controls tls suites makes sense, wdyt?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a good idea. It also allows us to use --no-default-features with default-tls.

Co-authored-by: Jakob Naucke <jnaucke@redhat.com>
Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
@iroykaufman iroykaufman force-pushed the kbs-client-native-tls branch from 6863538 to 95b4a81 Compare June 3, 2026 05:25

@Xynnn007 Xynnn007 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks! @iroykaufman @Jakob-Naucke

@Xynnn007 Xynnn007 requested a review from mythi June 3, 2026 05:49

@fitzthum fitzthum left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

can have a bigger discussion about our crypto backends but this PR seems fine

@fitzthum fitzthum merged commit e65897a into confidential-containers:main Jun 8, 2026
48 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants