mirror of https://github.com/milvus-io/milvus.git
Related to https://github.com/milvus-io/milvus/issues/44999

Currently Milvus doesn't allow users to control the TLS version used when connecting to object storage (MinIO/S3/Azure/GCP). Some environments require enforcing TLS 1.3 for compliance, but there's no way to set that today.

This adds a new config option `minio.ssl.tlsMinVersion` that lets users specify the minimum TLS version ("1.0", "1.1", "1.2", "1.3", or "default"). It works across all supported storage backends including MinIO/S3, Azure Blob, and GCP native. The setting is plumbed through paramtable, proto StorageConfig, and all the places that create storage clients (compaction, datacoord, datanode, storagev2, etc.).

For the GCP native backend, this also adds proper UseIAM/ADC support that was previously missing, since the TLS transport injection needed to handle both credential modes correctly. Also fixed the GCP MinIO-compatible path to reuse any custom transport (e.g. with TLS config) as the backend for the OAuth2 token wrapping, instead of always creating a new default transport.

Unit tests cover the TLS version parsing, HTTP client construction, and version enforcement (proving a TLS 1.3 client correctly rejects a TLS 1.2-only server). Integration tests are included but gated behind environment variables.

Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>

| File |
|---|
| gcp.go |
| gcp_test.go |
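
The version parsing and enforcement check that the commit message above describes, as an added Go example that is not Milvus's own code. The names `tlsVersions`, `parseTLSMinVersion` and `negotiate` are hypothetical, rejecting unknown values is an assumption of this sketch, and the loopback server comes from the standard `net/http/httptest` package.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tlsVersions: accepted option values (names here are hypothetical); 0 = Go's default.
var tlsVersions = map[string]uint16{
	"default": 0, "1.0": tls.VersionTLS10, "1.1": tls.VersionTLS11,
	"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13,
}

func parseTLSMinVersion(s string) (uint16, error) {
	v, ok := tlsVersions[s]
	if !ok {
		return 0, fmt.Errorf("unsupported TLS minimum version %q", s)
	}
	return v, nil
}

// negotiate starts a loopback HTTPS test server capped at serverMax (0 = no cap),
// connects with the given client minimum and returns the negotiated version.
func negotiate(clientMin string, serverMax uint16) (uint16, error) {
	minVer, err := parseTLSMinVersion(clientMin)
	if err != nil {
		return 0, err // unknown value: fail closed instead of falling back
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{MaxVersion: serverMax}
	srv.StartTLS()
	defer srv.Close()
	// Clone the test client's transport so certificate verification stays on.
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.DisableKeepAlives = true
	tr.TLSClientConfig.MinVersion = minVer
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return 0, err // handshake failure surfaces here
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	v, err := negotiate("1.3", tls.VersionTLS12) // client floor above server ceiling
	fmt.Printf("version=%#04x err=%v\n", v, err)
}
```

Asserting on the negotiated version, not only on the absence of an error, is what confirms the floor was actually applied to the client that made the request.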