onkar717 commented on code in PR #642: URL: https://github.com/apache/skywalking-banyandb/pull/642#discussion_r2036443703
########## pkg/tls/reloader.go: ########## @@ -0,0 +1,210 @@ +// Licensed to Apache Software Foundation (ASF) under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Apache Software Foundation (ASF) licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Package tls provides common TLS utilities for HTTP and gRPC servers . +package tls + +import ( + "crypto/tls" + "sync" + + "github.com/fsnotify/fsnotify" + "github.com/pkg/errors" + "google.golang.org/grpc/credentials" + + "github.com/apache/skywalking-banyandb/pkg/logger" +) + +// Config contains TLS configuration options. +type Config struct { + CertFile string + KeyFile string + Enabled bool +} + +// Reloader manages dynamic reloading of TLS certificates and keys for servers. +type Reloader struct { + watcher *fsnotify.Watcher + cert *tls.Certificate + log *logger.Logger + certFile string + keyFile string + mu sync.RWMutex +} + +// NewReloader creates a new TLSReloader instance. +func NewReloader(certFile, keyFile string, log *logger.Logger) (*Reloader, error) { + if certFile == "" || keyFile == "" { + return nil, errors.New("certFile and keyFile must be provided") + } + if log == nil { + return nil, errors.New("logger must not be nil") + } + + watcher, err := fsnotify.NewWatcher() + if err != nil { + return nil, errors.Wrap(err, "failed to create fsnotify watcher") + } + + cert, err := tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + watcher.Close() + return nil, errors.Wrap(err, "failed to load initial TLS certificate") + } + + log.Info().Str("certFile", certFile).Str("keyFile", keyFile).Msg("Successfully loaded initial TLS certificates") + + tr := &Reloader{ + certFile: certFile, + keyFile: keyFile, + cert: &cert, + log: log, + watcher: watcher, + } + + return tr, nil +} + +// Start begins monitoring the TLS certificate and key files for changes. +func (r *Reloader) Start() error { + r.log.Info().Str("certFile", r.certFile).Str("keyFile", r.keyFile).Msg("Starting TLS file monitoring") + + // Add files to the watcher + err := r.watcher.Add(r.certFile) + if err != nil { + return errors.Wrapf(err, "failed to watch cert file: %s", r.certFile) + } + + err = r.watcher.Add(r.keyFile) + if err != nil { + return errors.Wrapf(err, "failed to watch key file: %s", r.keyFile) + } + + // Start the file watching loop in a goroutine + go r.watchFiles() + + return nil +} + +// watchFiles monitors the certificate and key files for changes and reloads credentials. +func (r *Reloader) watchFiles() { + r.log.Info().Msg("TLS file watcher loop started") + for { + select { + case event, ok := <-r.watcher.Events: + if !ok { + r.log.Warn().Msg("Watcher events channel closed unexpectedly") + return + } + + // Log the event for debugging + r.log.Debug().Str("file", event.Name).Str("op", event.Op.String()).Msg("Detected file event") + + // We need to watch for Remove operations because certificate rotation tools often Review Comment: ok -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
