Add runtime TLS diagnostics for gRPC and HTTPS#17559

Merged: xiangfu0 merged 1 commit into apache:master from xiangfu0:fips-grpc-tls-diagnostics on Jan 28, 2026
Conversation

@xiangfu0 (Contributor)

Log once at runtime which JSSE provider/protocol and enabled protocols are active for HTTPS and gRPC TLS contexts.

Also warn when non-JDK SSL providers are configured, which can conflict with Platform-FIPS-JDK deployments.

Copilot AI left a comment

Pull request overview

This PR adds runtime TLS diagnostics logging to help identify SSL/TLS configuration issues, particularly for Platform-FIPS-JDK deployments. It introduces centralized diagnostic utilities that warn when non-JDK SSL providers are configured and logs once per context which JSSE provider, protocol, and enabled protocols are active.

Changes:

  • Introduced centralized TLS diagnostic utilities in TlsUtils for logging SSL provider/protocol information and warning about non-JDK providers
  • Added diagnostic logging at gRPC server/client and HTTPS initialization points
  • Replaced inline SSL provider warning in BrokerGrpcServer with centralized diagnostic utilities

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File | Description
pinot-common/src/main/java/org/apache/pinot/common/utils/tls/TlsUtils.java | Core implementation of TLS diagnostic utilities including once-per-context logging and FIPS deployment warnings
pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java | Adds diagnostic logging for gRPC query server TLS context
pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/BaseGrpcQueryClient.java | Adds diagnostic logging for gRPC query client TLS context
pinot-broker/src/main/java/org/apache/pinot/broker/grpc/BrokerGrpcServer.java | Replaces inline warning with centralized diagnostic utilities

+ "sslProvider='JDK' (avoid OpenSSL).", contextName, configured);
}
} catch (Exception e) {
// If config is invalid, let existing code fail where it parses/builds the context.
Copilot AI Jan 23, 2026

The empty catch block swallows all exceptions without logging. If SslProvider.valueOf() throws an exception due to an invalid configuration, this silent failure makes debugging difficult. Consider logging at debug level to help trace configuration issues while still letting the existing code handle the error.

Suggested change
// If config is invalid, let existing code fail where it parses/builds the context.
// If config is invalid, let existing code fail where it parses/builds the context.
LOGGER.debug("TLS config for '{}' has invalid sslProvider value '{}'; skipping provider warning. "
+ "The TLS context builder will handle this configuration error.", contextName, configured, e);
}
String providerName = sslContext.getProvider() != null ? sslContext.getProvider().getName() : "null";
String protocol = sslContext.getProtocol();
String key = contextName + "|" + providerName + "|" + protocol + "|" + configuredSslProvider + "|" + insecure;
Copilot AI Jan 23, 2026

Using string concatenation with hardcoded delimiters to create a composite key is fragile and can lead to collisions if any component contains the delimiter character. Consider using a record class or a composite key object to ensure uniqueness and improve maintainability.
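As an added illustration of the two mechanisms this PR describes (a once-per-context log of the active JSSE provider, protocol and enabled protocols, and a warning when a non-JDK SSL provider is configured), combined with the structured composite key the comment above asks for instead of a '|'-joined string. This is example code, not Pinot's TlsUtils; the class and method names, the log wording and the `grpc-query-server` context name are assumptions, and it assumes SLF4J on the classpath and Java 11 or newer.

```java
import java.util.Arrays;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Added example (hypothetical, not Pinot's TlsUtils): once-per-context TLS diagnostics. */
public final class TlsDiagnosticsExample {
  private static final Logger LOGGER = LoggerFactory.getLogger(TlsDiagnosticsExample.class);

  /** Field-wise key: a component containing '|' (or a null) cannot collide with another combination. */
  static final class ContextKey {
    private final String _contextName;
    private final String _providerName;
    private final String _protocol;
    private final String _configuredSslProvider;
    private final boolean _insecure;

    ContextKey(String contextName, String providerName, String protocol, String configuredSslProvider,
        boolean insecure) {
      _contextName = contextName;
      _providerName = providerName;
      _protocol = protocol;
      _configuredSslProvider = configuredSslProvider;
      _insecure = insecure;
    }

    @Override
    public boolean equals(Object o) {
      if (!(o instanceof ContextKey)) {
        return false;
      }
      ContextKey k = (ContextKey) o;
      return _insecure == k._insecure && Objects.equals(_contextName, k._contextName)
          && Objects.equals(_providerName, k._providerName) && Objects.equals(_protocol, k._protocol)
          && Objects.equals(_configuredSslProvider, k._configuredSslProvider);
    }

    @Override
    public int hashCode() {
      return Objects.hash(_contextName, _providerName, _protocol, _configuredSslProvider, _insecure);
    }
  }

  // Keys already logged; a concurrent set keeps the "once" guarantee across parallel server/client init.
  private static final Set<ContextKey> LOGGED = ConcurrentHashMap.newKeySet();

  private TlsDiagnosticsExample() {
  }

  /** Warn when a non-JDK SSL provider (e.g. OPENSSL) is configured; returns true if a warning was emitted. */
  public static boolean warnIfNonJdkProvider(String contextName, String configuredSslProvider) {
    if (configuredSslProvider == null || configuredSslProvider.isBlank()) {
      return false;  // nothing configured, the default provider applies
    }
    if ("JDK".equalsIgnoreCase(configuredSslProvider.trim())) {
      return false;
    }
    LOGGER.warn("TLS context '{}' is configured with sslProvider='{}'. On a platform FIPS JDK prefer "
        + "sslProvider='JDK' so the JDK's JSSE provider handles the handshake.", contextName, configuredSslProvider);
    return true;
  }

  /** Log provider, protocol and enabled protocols once per key; returns false if already logged. */
  public static boolean logTlsContextOnce(String contextName, SSLContext sslContext, String configuredSslProvider,
      boolean insecure) {
    String providerName = sslContext.getProvider() != null ? sslContext.getProvider().getName() : "null";
    ContextKey key = new ContextKey(contextName, providerName, sslContext.getProtocol(), configuredSslProvider,
        insecure);
    if (!LOGGED.add(key)) {
      return false;
    }
    // getDefaultSSLParameters() reports the protocols enabled for sockets/engines created from this context.
    SSLParameters params = sslContext.getDefaultSSLParameters();
    LOGGER.info("TLS context '{}': provider={}, protocol={}, enabledProtocols={}, configuredSslProvider={}, "
        + "insecure={}", contextName, providerName, sslContext.getProtocol(), Arrays.toString(params.getProtocols()),
        configuredSslProvider, insecure);
    return true;
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = SSLContext.getDefault();
    warnIfNonJdkProvider("grpc-query-server", "OPENSSL");           // constructed value, triggers the warning
    logTlsContextOnce("grpc-query-server", ctx, "OPENSSL", false);  // logged
    logTlsContextOnce("grpc-query-server", ctx, "OPENSSL", false);  // suppressed: same key
  }
}
```

The second `logTlsContextOnce` call returns false and logs nothing, which is the once-per-context behaviour; because the key compares fields rather than a joined string, a context name such as `a|b` can never alias a different provider/protocol combination.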
Log once at runtime which JSSE provider/protocol and enabled protocols are active for HTTPS and gRPC TLS contexts.
Also warn when non-JDK SSL providers are configured, which can conflict with Platform-FIPS-JDK deployments.
@xiangfu0 force-pushed the fips-grpc-tls-diagnostics branch from 3c876c2 to 1e0d7f6 on January 23, 2026 06:37

@codecov-commenter

codecov-commenter commented Jan 23, 2026

Codecov Report

❌ Patch coverage is 25.45455% with 41 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.15%. Comparing base (d54ec21) to head (1e0d7f6).
⚠️ Report is 2 commits behind head on master.

Files with missing lines | Patch % | Lines
...va/org/apache/pinot/common/utils/tls/TlsUtils.java | 28.57% | 27 Missing and 8 partials ⚠️
...org/apache/pinot/broker/grpc/BrokerGrpcServer.java | 0.00% | 2 Missing ⚠️
...e/pinot/common/utils/grpc/BaseGrpcQueryClient.java | 0.00% | 2 Missing ⚠️
...che/pinot/core/transport/grpc/GrpcQueryServer.java | 0.00% | 2 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master   #17559      +/-   ##
============================================
- Coverage     63.18%   63.15%   -0.03%     
+ Complexity     1477     1476       -1     
============================================
  Files          3172     3172              
  Lines        189773   189826      +53     
  Branches      29041    29052      +11     
============================================
- Hits         119913   119894      -19     
- Misses        60547    60613      +66     
- Partials       9313     9319       +6     
Flag | Coverage Δ
custom-integration1 | 100.00% <ø> (ø)
integration | 100.00% <ø> (ø)
integration1 | 100.00% <ø> (ø)
integration2 | 0.00% <ø> (ø)
java-11 | 63.13% <25.45%> (+0.01%) ⬆️
java-21 | 63.11% <25.45%> (-0.05%) ⬇️
temurin | 63.15% <25.45%> (-0.03%) ⬇️
unittests | 63.15% <25.45%> (-0.03%) ⬇️
unittests1 | 55.52% <26.41%> (-0.02%) ⬇️
unittests2 | 34.00% <1.81%> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown.

@xiangfu0 xiangfu0 merged commit d4dec25 into apache:master Jan 28, 2026
35 of 36 checks passed