Skip to content

chore(policy-controller): Use the aws-lc-rs TLS backend #14300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sfleen merged 3 commits into from
Aug 5, 2025
Merged

chore(policy-controller): Use the aws-lc-rs TLS backend #14300

sfleen merged 3 commits into from
Aug 5, 2025

Conversation

@sfleen
Copy link
Contributor

@sfleen sfleen commented Jul 30, 2025
edited
Loading

Attempt 2 of #14264 (after it was reverted in #14299), this also includes an additional fix for the cross compilation in CI.

Note that this doesn't change the existing use of rustls, simply a change in backend from ring to aws-lc-rs.

ring is still included in the dependency tree because of gateway-api feature flags (or lack thereof), but it is unused.

@sfleen sfleen requested a review from a team as a code owner July 30, 2025 18:10
@sfleen sfleen force-pushed the rustls-unrevert branch 2 times, most recently from 2544cfc to 6843b20 Compare August 1, 2025 18:18
@sfleen
fix(ci): Install cross compilation toolchain
9d315c1 
aws-lc-sys requires a cross compiling toolchain as well as some specific build flags when compiling for a non-native arch. Ideally, this would be in the dev container, but for now we can add them to the docker image.

Signed-off-by: Scott Fleener <[email protected]>
olix0r
olix0r reviewed Aug 4, 2025
View reviewed changes
Copy link
Member

@olix0r olix0r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The subject of this PR is probably a little misleading -- the default behavior was previously to use rustls-tls and that isn't changing.

It's probably clearer as:

chore(policy-controller): use the aws-lc-rs TLS backend

since this is the relevant change in behavior. The details about feature flagging can be moved into the body.

Additionally, it's worth noting that, due to the gateway-api dependency, we continue to enable the ring backend in addition to the aws-lc backend, though it is not used.

@sfleen sfleen changed the title fix(tls): Include rustls as optional TLS backend: Attempt 2 chore(policy-controller): Use the aws-lc-rs TLS backend Aug 5, 2025
@sfleen sfleen merged commit b4fbdf7 into main Aug 5, 2025
99 of 106 checks passed
@sfleen sfleen deleted the rustls-unrevert branch August 5, 2025 14:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olix0r olix0r olix0r approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sfleen @olix0r