[GitHub] [flink-kubernetes-operator] SteNicholas commented on a diff in pull request #364: [FLINK-28272] Handle TLS Certificate Renewal in Webhook

Tue, 06 Sep 2022 19:09:01 -0700 


SteNicholas commented on code in PR #364:
URL: 
https://github.com/apache/flink-kubernetes-operator/pull/364#discussion_r964316216


##########
flink-kubernetes-webhook/src/main/java/org/apache/flink/kubernetes/operator/admission/FlinkOperatorWebhook.java:
##########
@@ -138,19 +134,35 @@ private static SslContext createSslContext() throws 
Exception {
             return null;
         }
 
-        String keystorePassword = 
EnvUtils.getRequired(EnvUtils.ENV_WEBHOOK_KEYSTORE_PASSWORD);
         String keystoreType = 
EnvUtils.getRequired(EnvUtils.ENV_WEBHOOK_KEYSTORE_TYPE);
-        KeyStore keyStore = KeyStore.getInstance(keystoreType);
-        try (InputStream keyStoreFile =
-                Files.newInputStream(new 
File(keystorePathOpt.get()).toPath())) {
-            keyStore.load(keyStoreFile, keystorePassword.toCharArray());
-        }
-        final KeyManagerFactory kmf =
-                
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-        kmf.init(keyStore, keystorePassword.toCharArray());
+        String keystorePassword = 
EnvUtils.getRequired(EnvUtils.ENV_WEBHOOK_KEYSTORE_PASSWORD);
+        ReloadableSslContext reloadableSslContext =
+                new ReloadableSslContext(keystorePathOpt.get(), keystoreType, 
keystorePassword);
+        stopFsWatchService();
+        final String realKeystoreFileName =
+                
Path.of(keystorePathOpt.get()).toRealPath().getFileName().toString();
+        LOG.info("Keystore path is resolved to real filename: " + 
realKeystoreFileName);
+        fsWatchService =
+                new 
FsWatchService(Path.of(keystorePathOpt.get()).getParent().toString()) {
+                    @Override
+                    protected void onFileOrDirectoryModified(Path 
relativePath) {
+                        try {
+                            LOG.info("Reloading SSL context because of 
certificate change");
+                            reloadableSslContext.reload();
+                            LOG.info("SSL context reloaded successfully");
+                        } catch (Exception e) {
+                            LOG.error("SSL context reload received exception: 
" + e);
+                        }
+                    }
+                };
+        fsWatchService.start();
+        return reloadableSslContext;
+    }
 
-        return SslContextBuilder.forServer(kmf)
-                .ciphers(Http2SecurityUtil.CIPHERS, 
SupportedCipherSuiteFilter.INSTANCE)
-                .build();
+    private static void stopFsWatchService() throws InterruptedException {
+        if (fsWatchService != null) {
+            fsWatchService.interrupt();
+            fsWatchService.join();

Review Comment:
   Should `fsWatchService` be set to `null`?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to