hanahmily commented on code in PR #642:
URL:
https://github.com/apache/skywalking-banyandb/pull/642#discussion_r2037538952
##########
banyand/liaison/http/server.go:
##########
@@ -31,7 +32,7 @@ import (
"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
"github.com/pkg/errors"
"go.uber.org/multierr"
- "google.golang.org/grpc"
+ gmux "google.golang.org/grpc"
Review Comment:
Why do you give an alias to the package?
##########
pkg/tls/reloader.go:
##########
@@ -0,0 +1,200 @@
+// Licensed to Apache Software Foundation (ASF) under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Apache Software Foundation (ASF) licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Package tls provides common TLS utilities for HTTP and gRPC servers.
+package tls
+
+import (
+ "crypto/tls"
+ "sync"
+
+ "github.com/fsnotify/fsnotify"
+ "github.com/pkg/errors"
+ "google.golang.org/grpc/credentials"
+
+ "github.com/apache/skywalking-banyandb/pkg/logger"
+)
+
+// Config contains TLS configuration options.
+type Config struct {
+ CertFile string
+ KeyFile string
+ Enabled bool
+}
+
+// Reloader manages dynamic reloading of TLS certificates and keys for servers.
+type Reloader struct {
+ watcher *fsnotify.Watcher
+ cert *tls.Certificate
+ log *logger.Logger
+ certFile string
+ keyFile string
+ mu sync.RWMutex
+}
+
+// NewReloader creates a new TLSReloader instance.
+func NewReloader(certFile, keyFile string, log *logger.Logger) (*Reloader,
error) {
+ if certFile == "" || keyFile == "" {
+ return nil, errors.New("certFile and keyFile must be provided")
+ }
+ if log == nil {
+ return nil, errors.New("logger must not be nil")
+ }
+
+ watcher, err := fsnotify.NewWatcher()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to create fsnotify
watcher")
+ }
+
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ watcher.Close()
+ return nil, errors.Wrap(err, "failed to load initial TLS
certificate")
+ }
+
+ log.Info().Str("certFile", certFile).Str("keyFile",
keyFile).Msg("Successfully loaded initial TLS certificates")
+
+ tr := &Reloader{
+ certFile: certFile,
+ keyFile: keyFile,
+ cert: &cert,
+ log: log,
+ watcher: watcher,
+ }
+
+ return tr, nil
+}
+
+// Start begins monitoring the TLS certificate and key files for changes.
+func (r *Reloader) Start() error {
+ r.log.Info().Str("certFile", r.certFile).Str("keyFile",
r.keyFile).Msg("Starting TLS file monitoring")
+
+ err := r.watcher.Add(r.certFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch cert file: %s",
r.certFile)
+ }
+
+ err = r.watcher.Add(r.keyFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch key file: %s",
r.keyFile)
+ }
+
+ go r.watchFiles()
+
+ return nil
+}
+
+func (r *Reloader) watchFiles() {
+ r.log.Info().Msg("TLS file watcher loop started")
+ for {
+ select {
+ case event, ok := <-r.watcher.Events:
+ if !ok {
+ r.log.Warn().Msg("Watcher events channel closed
unexpectedly")
Review Comment:
```suggestion
r.log.Info().Msg("Watcher events channel
closed")
```
##########
pkg/tls/reloader.go:
##########
@@ -0,0 +1,200 @@
+// Licensed to Apache Software Foundation (ASF) under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Apache Software Foundation (ASF) licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Package tls provides common TLS utilities for HTTP and gRPC servers.
+package tls
+
+import (
+ "crypto/tls"
+ "sync"
+
+ "github.com/fsnotify/fsnotify"
+ "github.com/pkg/errors"
+ "google.golang.org/grpc/credentials"
+
+ "github.com/apache/skywalking-banyandb/pkg/logger"
+)
+
+// Config contains TLS configuration options.
+type Config struct {
+ CertFile string
+ KeyFile string
+ Enabled bool
+}
+
+// Reloader manages dynamic reloading of TLS certificates and keys for servers.
+type Reloader struct {
+ watcher *fsnotify.Watcher
+ cert *tls.Certificate
+ log *logger.Logger
+ certFile string
+ keyFile string
+ mu sync.RWMutex
+}
+
+// NewReloader creates a new TLSReloader instance.
+func NewReloader(certFile, keyFile string, log *logger.Logger) (*Reloader,
error) {
+ if certFile == "" || keyFile == "" {
+ return nil, errors.New("certFile and keyFile must be provided")
+ }
+ if log == nil {
+ return nil, errors.New("logger must not be nil")
+ }
+
+ watcher, err := fsnotify.NewWatcher()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to create fsnotify
watcher")
+ }
+
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ watcher.Close()
+ return nil, errors.Wrap(err, "failed to load initial TLS
certificate")
+ }
+
+ log.Info().Str("certFile", certFile).Str("keyFile",
keyFile).Msg("Successfully loaded initial TLS certificates")
+
+ tr := &Reloader{
+ certFile: certFile,
+ keyFile: keyFile,
+ cert: &cert,
+ log: log,
+ watcher: watcher,
+ }
+
+ return tr, nil
+}
+
+// Start begins monitoring the TLS certificate and key files for changes.
+func (r *Reloader) Start() error {
+ r.log.Info().Str("certFile", r.certFile).Str("keyFile",
r.keyFile).Msg("Starting TLS file monitoring")
+
+ err := r.watcher.Add(r.certFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch cert file: %s",
r.certFile)
+ }
+
+ err = r.watcher.Add(r.keyFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch key file: %s",
r.keyFile)
+ }
+
+ go r.watchFiles()
+
+ return nil
+}
+
+func (r *Reloader) watchFiles() {
+ r.log.Info().Msg("TLS file watcher loop started")
+ for {
+ select {
+ case event, ok := <-r.watcher.Events:
+ if !ok {
+ r.log.Warn().Msg("Watcher events channel closed
unexpectedly")
+ return
+ }
+
+ r.log.Debug().Str("file", event.Name).Str("op",
event.Op.String()).Msg("Detected file event")
+
+ if event.Op&fsnotify.Remove == fsnotify.Remove {
+ r.log.Info().Str("file", event.Name).Msg("File
removed, re-adding to watcher")
+ if event.Name == r.certFile {
+ if err := r.watcher.Add(r.certFile);
err != nil {
+
r.log.Error().Err(err).Str("file", r.certFile).Msg("Failed to re-add cert file
to watcher")
+ } else {
+ r.log.Debug().Str("file",
r.certFile).Msg("Re-added cert file to watcher")
+ }
+ } else if event.Name == r.keyFile {
+ if err := r.watcher.Add(r.keyFile); err
!= nil {
+
r.log.Error().Err(err).Str("file", r.keyFile).Msg("Failed to re-add key file to
watcher")
+ } else {
+ r.log.Debug().Str("file",
r.keyFile).Msg("Re-added key file to watcher")
+ }
+ }
+ }
+
+ if event.Op&fsnotify.Write == fsnotify.Write ||
+ event.Op&fsnotify.Rename == fsnotify.Rename ||
+ event.Op&fsnotify.Create == fsnotify.Create {
+ r.log.Info().Str("file",
event.Name).Msg("Detected certificate change")
+ if err := r.reloadCertificate(); err != nil {
+ r.log.Error().Err(err).Str("file",
event.Name).Msg("Failed to reload TLS certificate")
+ } else {
+ r.log.Info().Str("file",
event.Name).Msg("Successfully updated TLS certificate")
+ }
+ }
+
+ case err, ok := <-r.watcher.Errors:
+ if !ok {
+ r.log.Warn().Msg("Watcher errors channel closed
unexpectedly")
+ return
+ }
+ r.log.Error().Err(err).Msg("Error in file watcher")
+ }
+ }
+}
+
+func (r *Reloader) reloadCertificate() error {
+ r.log.Debug().Msg("Attempting to reload TLS certificate")
+ newCert, err := tls.LoadX509KeyPair(r.certFile, r.keyFile)
+ if err != nil {
+ return errors.Wrap(err, "failed to reload TLS certificate")
+ }
+
+ r.mu.Lock()
+ r.cert = &newCert
+ r.mu.Unlock()
+
+ r.log.Debug().Msg("TLS certificate updated in memory")
+ return nil
+}
+
+// getCertificate returns the current TLS certificate for TLS Config's
GetCertificate callback.
+func (r *Reloader) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate,
error) {
+ r.mu.RLock()
+ defer r.mu.RUnlock()
+ return r.cert, nil
+}
+
+// GetCertificateForTLS returns the current TLS certificate.
+func (r *Reloader) GetCertificateForTLS() *tls.Certificate {
+ r.mu.RLock()
+ defer r.mu.RUnlock()
+ return r.cert
+}
+
+// Stop gracefully stops the TLS reloader.
+func (r *Reloader) Stop() {
+ r.log.Info().Msg("Stopping TLS Reloader")
+ if err := r.watcher.Close(); err != nil {
+ r.log.Error().Err(err).Msg("Failed to close fsnotify watcher")
+ }
+}
+
+// GetTLSConfig returns a TLS config using this reloader's certificate.
+func (r *Reloader) GetTLSConfig() *tls.Config {
+ return &tls.Config{
+ GetCertificate: r.getCertificate,
+ MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"h2"},
+ }
+}
+
+// GetGRPCTransportCredentials returns transport credentials for gRPC using
this reloader.
+func (r *Reloader) GetGRPCTransportCredentials()
credentials.TransportCredentials {
Review Comment:
No references as well
##########
pkg/tls/reloader.go:
##########
@@ -0,0 +1,200 @@
+// Licensed to Apache Software Foundation (ASF) under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Apache Software Foundation (ASF) licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Package tls provides common TLS utilities for HTTP and gRPC servers.
+package tls
+
+import (
+ "crypto/tls"
+ "sync"
+
+ "github.com/fsnotify/fsnotify"
+ "github.com/pkg/errors"
+ "google.golang.org/grpc/credentials"
+
+ "github.com/apache/skywalking-banyandb/pkg/logger"
+)
+
+// Config contains TLS configuration options.
+type Config struct {
+ CertFile string
+ KeyFile string
+ Enabled bool
+}
+
+// Reloader manages dynamic reloading of TLS certificates and keys for servers.
+type Reloader struct {
+ watcher *fsnotify.Watcher
+ cert *tls.Certificate
+ log *logger.Logger
+ certFile string
+ keyFile string
+ mu sync.RWMutex
+}
+
+// NewReloader creates a new TLSReloader instance.
+func NewReloader(certFile, keyFile string, log *logger.Logger) (*Reloader,
error) {
+ if certFile == "" || keyFile == "" {
+ return nil, errors.New("certFile and keyFile must be provided")
+ }
+ if log == nil {
+ return nil, errors.New("logger must not be nil")
+ }
+
+ watcher, err := fsnotify.NewWatcher()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to create fsnotify
watcher")
+ }
+
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ watcher.Close()
+ return nil, errors.Wrap(err, "failed to load initial TLS
certificate")
+ }
+
+ log.Info().Str("certFile", certFile).Str("keyFile",
keyFile).Msg("Successfully loaded initial TLS certificates")
+
+ tr := &Reloader{
+ certFile: certFile,
+ keyFile: keyFile,
+ cert: &cert,
+ log: log,
+ watcher: watcher,
+ }
+
+ return tr, nil
+}
+
+// Start begins monitoring the TLS certificate and key files for changes.
+func (r *Reloader) Start() error {
+ r.log.Info().Str("certFile", r.certFile).Str("keyFile",
r.keyFile).Msg("Starting TLS file monitoring")
+
+ err := r.watcher.Add(r.certFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch cert file: %s",
r.certFile)
+ }
+
+ err = r.watcher.Add(r.keyFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch key file: %s",
r.keyFile)
+ }
+
+ go r.watchFiles()
+
+ return nil
+}
+
+func (r *Reloader) watchFiles() {
+ r.log.Info().Msg("TLS file watcher loop started")
+ for {
+ select {
+ case event, ok := <-r.watcher.Events:
+ if !ok {
+ r.log.Warn().Msg("Watcher events channel closed
unexpectedly")
+ return
+ }
+
+ r.log.Debug().Str("file", event.Name).Str("op",
event.Op.String()).Msg("Detected file event")
+
+ if event.Op&fsnotify.Remove == fsnotify.Remove {
+ r.log.Info().Str("file", event.Name).Msg("File
removed, re-adding to watcher")
+ if event.Name == r.certFile {
+ if err := r.watcher.Add(r.certFile);
err != nil {
+
r.log.Error().Err(err).Str("file", r.certFile).Msg("Failed to re-add cert file
to watcher")
+ } else {
+ r.log.Debug().Str("file",
r.certFile).Msg("Re-added cert file to watcher")
+ }
+ } else if event.Name == r.keyFile {
+ if err := r.watcher.Add(r.keyFile); err
!= nil {
+
r.log.Error().Err(err).Str("file", r.keyFile).Msg("Failed to re-add key file to
watcher")
+ } else {
+ r.log.Debug().Str("file",
r.keyFile).Msg("Re-added key file to watcher")
+ }
+ }
+ }
+
+ if event.Op&fsnotify.Write == fsnotify.Write ||
+ event.Op&fsnotify.Rename == fsnotify.Rename ||
+ event.Op&fsnotify.Create == fsnotify.Create {
+ r.log.Info().Str("file",
event.Name).Msg("Detected certificate change")
+ if err := r.reloadCertificate(); err != nil {
+ r.log.Error().Err(err).Str("file",
event.Name).Msg("Failed to reload TLS certificate")
+ } else {
+ r.log.Info().Str("file",
event.Name).Msg("Successfully updated TLS certificate")
+ }
+ }
+
+ case err, ok := <-r.watcher.Errors:
+ if !ok {
+ r.log.Warn().Msg("Watcher errors channel closed
unexpectedly")
+ return
+ }
+ r.log.Error().Err(err).Msg("Error in file watcher")
+ }
+ }
+}
+
+func (r *Reloader) reloadCertificate() error {
Review Comment:
Why do you need to reload certs manually?
##########
pkg/tls/reloader_test.go:
##########
@@ -0,0 +1,246 @@
+// Licensed to Apache Software Foundation (ASF) under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Apache Software Foundation (ASF) licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package tls
+
+import (
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "math/big"
+ "os"
+ "path/filepath"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/apache/skywalking-banyandb/pkg/logger"
+)
+
+func generateSelfSignedCert(t *testing.T, commonName string) (certPEM, keyPEM
[]byte) {
+ t.Helper()
+
+ privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ require.NoError(t, err)
+
+ template := x509.Certificate{
+ SerialNumber: big.NewInt(1),
+ Subject: pkix.Name{
+ CommonName: commonName,
+ },
+ DNSNames: []string{commonName},
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(time.Hour * 24),
+ KeyUsage: x509.KeyUsageKeyEncipherment |
x509.KeyUsageDigitalSignature,
+ ExtKeyUsage:
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ BasicConstraintsValid: true,
+ }
+
+ certDER, err := x509.CreateCertificate(rand.Reader, &template,
&template, &privateKey.PublicKey, privateKey)
+ require.NoError(t, err)
+
+ certPEM = pem.EncodeToMemory(&pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: certDER,
+ })
+
+ keyPEM = pem.EncodeToMemory(&pem.Block{
+ Type: "RSA PRIVATE KEY",
+ Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+ })
+
+ return certPEM, keyPEM
+}
+
+func TestReloader_CertificateRotation(t *testing.T) {
+ tempDir, err := os.MkdirTemp("", "tls-test-")
+ require.NoError(t, err)
+ defer os.RemoveAll(tempDir)
+
+ certFile := filepath.Join(tempDir, "cert.pem")
+ keyFile := filepath.Join(tempDir, "key.pem")
+
+ certPEM1, keyPEM1 := generateSelfSignedCert(t, "test1.local")
+ err = os.WriteFile(certFile, certPEM1, 0o600)
+ require.NoError(t, err)
+ err = os.WriteFile(keyFile, keyPEM1, 0o600)
+ require.NoError(t, err)
+
+ log := logger.GetLogger("tls-test")
+ reloader, err := NewReloader(certFile, keyFile, log)
+ require.NoError(t, err)
+
+ defer reloader.Stop()
+
+ initialCert, err := reloader.getCertificate(nil)
+ require.NoError(t, err)
+ leafCert, err := x509.ParseCertificate(initialCert.Certificate[0])
+ require.NoError(t, err)
+ assert.Equal(t, "test1.local", leafCert.Subject.CommonName)
+
+ certPEM2, keyPEM2 := generateSelfSignedCert(t, "test2.local")
+ err = os.WriteFile(certFile, certPEM2, 0o600)
+ require.NoError(t, err)
+ err = os.WriteFile(keyFile, keyPEM2, 0o600)
+ require.NoError(t, err)
+
+ err = reloader.reloadCertificate()
+ require.NoError(t, err)
+
+ updatedCert, err := reloader.getCertificate(nil)
+ require.NoError(t, err)
+ leafCert, err = x509.ParseCertificate(updatedCert.Certificate[0])
+ require.NoError(t, err)
+ assert.Equal(t, "test2.local", leafCert.Subject.CommonName)
+
+ tlsConfig := reloader.GetTLSConfig()
+ configCert, err := tlsConfig.GetCertificate(nil)
+ require.NoError(t, err)
+ leafCert, err = x509.ParseCertificate(configCert.Certificate[0])
+ require.NoError(t, err)
+ assert.Equal(t, "test2.local", leafCert.Subject.CommonName)
+}
+
+func TestReloader_FileOperations(t *testing.T) {
+ tempDir := t.TempDir()
+ certFile := filepath.Join(tempDir, "cert.pem")
+ keyFile := filepath.Join(tempDir, "key.pem")
+
+ // Create initial files
+ certPEM, keyPEM := generateSelfSignedCert(t, "initial.local")
+ require.NoError(t, os.WriteFile(certFile, certPEM, 0o600))
+ require.NoError(t, os.WriteFile(keyFile, keyPEM, 0o600))
+
+ // Create reloader
+ log := logger.GetLogger("tls-test")
+ reloader, err := NewReloader(certFile, keyFile, log)
+ require.NoError(t, err)
+ require.NoError(t, reloader.Start())
+ defer reloader.Stop()
+
+ // Test 1: Remove the old files and create new files
+ t.Run("Remove and create new files", func(t *testing.T) {
+ // Remove existing files
+ require.NoError(t, os.Remove(certFile))
+ require.NoError(t, os.Remove(keyFile))
+ time.Sleep(500 * time.Millisecond)
+
+ // Create new files with different content
+ certPEM, keyPEM = generateSelfSignedCert(t, "recreated.local")
+ require.NoError(t, os.WriteFile(certFile, certPEM, 0o600))
+ require.NoError(t, os.WriteFile(keyFile, keyPEM, 0o600))
+ time.Sleep(500 * time.Millisecond)
+
+ // Force reload after file changes
+ require.NoError(t, reloader.reloadCertificate())
+
+ cert, err := reloader.getCertificate(nil)
+ require.NoError(t, err)
+ leafCert, err := x509.ParseCertificate(cert.Certificate[0])
+ require.NoError(t, err)
+ assert.Equal(t, "recreated.local", leafCert.Subject.CommonName)
+ })
+
+ // Test 2: Create files after the reloader starts
+ t.Run("Create files after reloader starts", func(t *testing.T) {
Review Comment:
The loader is created in the parent test. You need to refactor the test case
entirely..
##########
pkg/tls/reloader.go:
##########
@@ -0,0 +1,200 @@
+// Licensed to Apache Software Foundation (ASF) under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Apache Software Foundation (ASF) licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Package tls provides common TLS utilities for HTTP and gRPC servers.
+package tls
+
+import (
+ "crypto/tls"
+ "sync"
+
+ "github.com/fsnotify/fsnotify"
+ "github.com/pkg/errors"
+ "google.golang.org/grpc/credentials"
+
+ "github.com/apache/skywalking-banyandb/pkg/logger"
+)
+
+// Config contains TLS configuration options.
+type Config struct {
+ CertFile string
+ KeyFile string
+ Enabled bool
+}
+
+// Reloader manages dynamic reloading of TLS certificates and keys for servers.
+type Reloader struct {
+ watcher *fsnotify.Watcher
+ cert *tls.Certificate
+ log *logger.Logger
+ certFile string
+ keyFile string
+ mu sync.RWMutex
+}
+
+// NewReloader creates a new TLSReloader instance.
+func NewReloader(certFile, keyFile string, log *logger.Logger) (*Reloader,
error) {
+ if certFile == "" || keyFile == "" {
+ return nil, errors.New("certFile and keyFile must be provided")
+ }
+ if log == nil {
+ return nil, errors.New("logger must not be nil")
+ }
+
+ watcher, err := fsnotify.NewWatcher()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to create fsnotify
watcher")
+ }
+
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ watcher.Close()
+ return nil, errors.Wrap(err, "failed to load initial TLS
certificate")
+ }
+
+ log.Info().Str("certFile", certFile).Str("keyFile",
keyFile).Msg("Successfully loaded initial TLS certificates")
+
+ tr := &Reloader{
+ certFile: certFile,
+ keyFile: keyFile,
+ cert: &cert,
+ log: log,
+ watcher: watcher,
+ }
+
+ return tr, nil
+}
+
+// Start begins monitoring the TLS certificate and key files for changes.
+func (r *Reloader) Start() error {
+ r.log.Info().Str("certFile", r.certFile).Str("keyFile",
r.keyFile).Msg("Starting TLS file monitoring")
+
+ err := r.watcher.Add(r.certFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch cert file: %s",
r.certFile)
+ }
+
+ err = r.watcher.Add(r.keyFile)
+ if err != nil {
+ return errors.Wrapf(err, "failed to watch key file: %s",
r.keyFile)
+ }
+
+ go r.watchFiles()
+
+ return nil
+}
+
+func (r *Reloader) watchFiles() {
+ r.log.Info().Msg("TLS file watcher loop started")
+ for {
+ select {
+ case event, ok := <-r.watcher.Events:
+ if !ok {
+ r.log.Warn().Msg("Watcher events channel closed
unexpectedly")
+ return
+ }
+
+ r.log.Debug().Str("file", event.Name).Str("op",
event.Op.String()).Msg("Detected file event")
+
+ if event.Op&fsnotify.Remove == fsnotify.Remove {
+ r.log.Info().Str("file", event.Name).Msg("File
removed, re-adding to watcher")
+ if event.Name == r.certFile {
+ if err := r.watcher.Add(r.certFile);
err != nil {
+
r.log.Error().Err(err).Str("file", r.certFile).Msg("Failed to re-add cert file
to watcher")
+ } else {
+ r.log.Debug().Str("file",
r.certFile).Msg("Re-added cert file to watcher")
+ }
+ } else if event.Name == r.keyFile {
+ if err := r.watcher.Add(r.keyFile); err
!= nil {
+
r.log.Error().Err(err).Str("file", r.keyFile).Msg("Failed to re-add key file to
watcher")
+ } else {
+ r.log.Debug().Str("file",
r.keyFile).Msg("Re-added key file to watcher")
+ }
+ }
+ }
+
+ if event.Op&fsnotify.Write == fsnotify.Write ||
+ event.Op&fsnotify.Rename == fsnotify.Rename ||
+ event.Op&fsnotify.Create == fsnotify.Create {
+ r.log.Info().Str("file",
event.Name).Msg("Detected certificate change")
+ if err := r.reloadCertificate(); err != nil {
+ r.log.Error().Err(err).Str("file",
event.Name).Msg("Failed to reload TLS certificate")
+ } else {
+ r.log.Info().Str("file",
event.Name).Msg("Successfully updated TLS certificate")
+ }
+ }
+
+ case err, ok := <-r.watcher.Errors:
+ if !ok {
+ r.log.Warn().Msg("Watcher errors channel closed
unexpectedly")
+ return
+ }
+ r.log.Error().Err(err).Msg("Error in file watcher")
+ }
+ }
+}
+
+func (r *Reloader) reloadCertificate() error {
+ r.log.Debug().Msg("Attempting to reload TLS certificate")
+ newCert, err := tls.LoadX509KeyPair(r.certFile, r.keyFile)
+ if err != nil {
+ return errors.Wrap(err, "failed to reload TLS certificate")
+ }
+
+ r.mu.Lock()
+ r.cert = &newCert
+ r.mu.Unlock()
+
+ r.log.Debug().Msg("TLS certificate updated in memory")
+ return nil
+}
+
+// getCertificate returns the current TLS certificate for TLS Config's
GetCertificate callback.
+func (r *Reloader) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate,
error) {
+ r.mu.RLock()
+ defer r.mu.RUnlock()
+ return r.cert, nil
+}
+
+// GetCertificateForTLS returns the current TLS certificate.
+func (r *Reloader) GetCertificateForTLS() *tls.Certificate {
Review Comment:
No references
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
