onkar717 opened a new pull request, #642:
URL: https://github.com/apache/skywalking-banyandb/pull/642
### Feature Description
BanyanDB currently supports TLS for encrypted communication between clients
and the server. However, it lacks the capability to automatically reload
updated TLS certificates and keys without requiring a server restart. This
feature implements dynamic reloading of TLS materials, enhancing operational
flexibility and security.
### Testing
```shell
rm -rf test-certs && mkdir test-certs && cd test-certs
```
#### Step 1: Generate initial cert/key pair
```shell
openssl req -x509 -newkey rsa:2048 -keyout key1.pem -out cert1.pem -days 365 \
  -nodes -subj "/CN=localhost"
cp cert1.pem cert.pem && cp key1.pem key.pem
```
#### Step 2: Start the server with TLS
```shell
# The --*-file paths below are relative to the repository root.
./banyand/build/bin/dev/banyand-server standalone \
  --tls=true \
  --cert-file=test-certs/cert.pem \
  --key-file=test-certs/key.pem \
  --http-tls=true \
  --http-cert-file=test-certs/cert.pem \
  --http-key-file=test-certs/key.pem \
  --http-grpc-cert-file=test-certs/cert.pem
```
#### Step 3: Verify the initial certificate
```shell
echo "Port 17912:" && echo | openssl s_client -connect localhost:17912 2>/dev/null | openssl x509 -noout -subject
echo "Port 17913:" && echo | openssl s_client -connect localhost:17913 2>/dev/null | openssl x509 -noout -subject
```
#### Step 4: Update cert/key pair
```shell
openssl req -x509 -newkey rsa:2048 -keyout key2.pem -out cert2.pem -days 365 \
  -nodes -subj "/CN=localhost-new"
cp cert2.pem cert.pem && cp key2.pem key.pem
```
#### Step 5: Check if the new certificate is used without restarting
```shell
echo "Port 17912:" && echo | openssl s_client -connect localhost:17912 2>/dev/null | openssl x509 -noout -subject
echo "Port 17913:" && echo | openssl s_client -connect localhost:17913 2>/dev/null | openssl x509 -noout -subject
```
### Checklist
- [ ] Implemented dynamic reloading of TLS certificates and keys.
- [ ] Added integration tests to verify reload behavior.
- [ ] Manually tested via openssl s_client.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]