005 filter api to expose client and server tls info #73
Conversation
Signed-off-by: Tom Bentley <[email protected]>
Signed-off-by: Tom Bentley <[email protected]>
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
Signed-off-by: Tom Bentley <[email protected]>
|
@robobario updated, if you wanted to take another pass. |
|
@k-wall @SamBarker please can you take a look at this. I'm very aware that we've already implemented half of it. It would be good to keep this repo aligned with (or at least not behind) what's actually implemented. |
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
proposals/005-filter-api-to-expose-client-and-server-tls-info.md
Outdated
Show resolved
Hide resolved
| import java.security.cert.X509Certificate; | ||
| import java.util.Optional; | ||
|
|
||
| public interface ServerTlsContext { |
There was a problem hiding this comment.
I was wondering about changing server to broker here but then remembered we want to retain the idea we can proxy controllers as well so we are back to the usual upstream vs server argument.
I still think upstream is clearer and entirely unambiguous where as server is not.
| import java.security.cert.X509Certificate; | ||
| import java.util.Optional; | ||
|
|
||
| public interface ClientTlsContext { |
There was a problem hiding this comment.
While I have fewer issues with calling this ClientTlsContext than I do with ServerTlsContext I think this is better named DownstreamTlsContext.
| /** | ||
| * @return the TLS server certificate was presented by the Kafka server to the proxy during TLS handshake. | ||
| */ | ||
| X509Certificate serverCertificate(); |
There was a problem hiding this comment.
Upstream clearly conveys that it is the remote certificate and avoids needing to talk about Kafka server which is not normal parlance when discussing Kafka.
| /** | |
| * @return the TLS server certificate was presented by the Kafka server to the proxy during TLS handshake. | |
| */ | |
| X509Certificate serverCertificate(); | |
| /** | |
| * @return the TLS server certificate was presented by the remote Kafka process to the proxy during TLS handshake. | |
| */ | |
| X509Certificate upstreamCertificate(); |
Signed-off-by: Tom Bentley <[email protected]>
4 participants
It's been suggested to break #71 into separate proposals to simplify review etc. This PR adds a "proposal" for exposing the client and server TLS information to filters.