
DGS-24022 SPIRE Trust Manager Only#707

Open
Dhiraj Suri (DhirajSuri27) wants to merge 5 commits into
masterfrom
DGS-24022_allow_SPIRE_LE

Conversation


@DhirajSuri27 Dhiraj Suri (DhirajSuri27) commented May 23, 2026

Create a mode to run the server with SPIRE TrustManager-only and default KeyManager.

Confirmed that client TLS REQUESTED (instead of REQUIRED) works as expected.

Port 8085 is HTTPS:

dhirajsuri@FYL4F3V7V5 confluent-cloud-plugins % curl -u tenant1-key:nohash \
  -H "Content-Type: application/json" \
  https://localhost:8085/subjects -k
[]%

Existing port 8081 is HTTP:

dhirajsuri@FYL4F3V7V5 confluent-cloud-plugins % curl -u tenant1-key:nohash \
  -H "Content-Type: application/json" \
  http://localhost:8081/subjects
[]%

Port 8085 rejects a stale TLS client cert:

dhirajsuri@FYL4F3V7V5 ~ %   curl -H "Authorization: Bearer token" \
       -H "target-sr-cluster: lsrc-dummy" \
       -H "Host: localhost" \
       --cert $CERT_PATH/svid.0.pem \
       --key $CERT_PATH/svid.0.key \
       --cacert /Users/dhirajsuri/rest-utils/core/src/test/resources/certs/cert1.pem \
       --resolve localhost:8085:127.0.0.1 \
       https://localhost:8085/config
curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: error:1404C416:SSL routines:ST_OK:sslv3 alert certificate unknown, errno 0

Port 8085 accepts the correct TLS client cert, and the client is able to validate the non-SPIRE server cert with a local CA file:

dhirajsuri@FYL4F3V7V5 ~ %   curl -H "Authorization: Bearer token" \
       -H "target-sr-cluster: lsrc-dummy" \
       -H "Host: localhost" \
       --cert $CERT_PATH/svid.0.pem \
       --key $CERT_PATH/svid.0.key \
       --cacert /Users/dhirajsuri/rest-utils/core/src/test/resources/certs/cert1.pem \
       --resolve localhost:8085:127.0.0.1 \
       https://localhost:8085/config
{"compatibilityLevel":"BACKWARD"}%

@DhirajSuri27 Dhiraj Suri (DhirajSuri27) requested a review from a team as a code owner May 23, 2026 01:09
Copilot AI review requested due to automatic review settings May 23, 2026 01:09

Copilot AI left a comment


Pull request overview

Adds a new SPIRE “trust-manager-only” SSL mode so the server can continue using the configured keystore for its KeyManager while sourcing peer verification (TrustManager) from SPIRE.

Changes:

  • Introduces ssl.spire.trust.only.enabled config and exposes it via SslConfig.
  • Refactors SslFactory to select between: non-SPIRE, SPIRE full mode, and SPIRE trust-only mode (TrustManager override).
  • Adds unit tests covering SPIRE trust-only behavior and the “ignored when SPIRE disabled” case.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File: core/src/main/java/io/confluent/rest/SslFactory.java
Description: Adds server-factory selection logic and a trust-only SPIRE path that overrides TrustManagers.

File: core/src/main/java/io/confluent/rest/SslConfig.java
Description: Exposes the new SPIRE trust-only config toggle.

File: core/src/main/java/io/confluent/rest/RestConfig.java
Description: Defines and documents the new ssl.spire.trust.only.enabled setting in the config definition.

File: core/src/test/java/io/confluent/rest/SslFactoryTest.java
Description: Adds tests for trust-only mode and SPIRE-disabled behavior; introduces new imports.


Comment on lines +200 to +210
private static SslContextFactory.Server createServerFactory(
SslConfig sslConfig, X509Source x509Source) {
if (!sslConfig.getIsSpireEnabled()) {
return new SslContextFactory.Server();
}
if (sslConfig.getIsSpireTrustOnlyEnabled()) {
return createSpireTrustOnlyServer(x509Source);
}
SslContextFactory.Server factory = new SslContextFactory.Server();
configureSpiffeSslContext(factory, x509Source);
return factory;
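Review bot: the early `return new SslContextFactory.Server();` when `getIsSpireEnabled()` is false silently discards a set `ssl.spire.trust.only.enabled`, so an operator who turns on trust-only mode but forgets `ssl.spire.enabled` gets a plain keystore/truststore server with no SPIRE trust and nothing in the log. Log a warning (or reject the combination in config validation) before that return when the trust-only flag is true while SPIRE is disabled. The trust-only branch also returns `createSpireTrustOnlyServer(x509Source)` without anything in this hunk applying the keystore settings to that factory; confirm the caller still runs the normal keystore configuration on it, otherwise the "default KeyManager" half of the mode is missing.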
Comment on lines 210 to 212
@@ -211,6 +211,14 @@ public class RestConfig extends AbstractConfig {
"Whether to enable SPIRE SSL; once enabled, all keystore and truststore settings "
+ "are ignored because SPIRE will handle the certificate and key management";
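Review bot: this doc string for `ssl.spire.enabled` is now wrong in trust-only mode: it says "all keystore and truststore settings are ignored", but with `ssl.spire.trust.only.enabled=true` the keystore is still used for the server key and certificate. Qualify it, for example "...unless ssl.spire.trust.only.enabled is set, in which case only the truststore settings are ignored and the keystore still supplies the server key and certificate", and cross-reference the new setting from here.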
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CRL;
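Review bot: four new imports (`Path`, `Paths`, `KeyStore`, `CRL`) land in the test class; if any of them is only left over from a helper that was later trimmed it will trip the build's unused-import check, so confirm each one is referenced by the new tests. `KeyStore` and `CRL` together suggest the test drives a `getTrustManagers(KeyStore, Collection<? extends CRL>)` override; if so, name that in the test's comment so the reader knows which hook is under test.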
Comment on lines +205 to +206
@Test
public void testSpireTrustOnlyUsesKeystoreKeyManagerAndSpireTrustManager() throws Exception {
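Review bot: the test name promises a keystore KeyManager and a SPIRE TrustManager, but nothing visible here is a negative case; add a handshake with a client cert signed by a CA outside the SPIRE bundle and assert it is rejected (the stale-cert curl in the description), plus a REQUESTED-mode handshake with no client cert that succeeds. Also assert that only the TrustManagers were replaced: the resulting SSLContext's server key material should still come from the configured keystore, not from the SVID.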
