Support runtime reload for TLS resources #12277
Conversation
Codecov Report (Attention)
Additional details and impacted files
@@ Coverage Diff @@
## master #12277 +/- ##
============================================
+ Coverage 61.47% 61.57% +0.10%
+ Complexity 1153 207 -946
============================================
Files 2417 2415 -2
Lines 131379 131350 -29
Branches 20266 20264 -2
============================================
+ Hits 80762 80885 +123
+ Misses 44715 44534 -181
- Partials 5902 5931 +29
Flags with carried forward coverage won't be shown. View full report in Codecov by Sentry.
LGTM
@zhtaoxiang We recently did a similar thing in the context of the Kafka client.
It would be great if we can provide this feature as a generic solution and provide the util from the common package.
Let's file the issue and refer to these 2 PRs.
This PR makes the TLS keystore/truststore swappable. If this is merged, there will be follow-up PRs to add the logic to reload the keystore/truststore.

We make use of the ssl-context library to make the keystore/truststore swappable. Specifically, we create an SSLFactory with identity material and trust material swappable. Then we use the KeyManagerFactory, TrustManagerFactory and SSLContext held by the SSLFactory to create other security contexts. This makes it possible to replace the keystore/truststore without recreating those security contexts, by replacing the KeyManagerFactory and TrustManagerFactory of the SSLFactory.
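As an added illustration (not code from this PR or from the project), the swappable pattern described above written against the sslcontext-kickstart API: a holder builds one SSLFactory with swappable identity and trust material, hands out its SSLContext, KeyManagerFactory and TrustManagerFactory once, and on reload builds a fresh SSLFactory from the rotated files and swaps only the underlying key and trust managers. The class, field and method names are my own; the library calls are those of sslcontext-kickstart as I know them, and exact signatures may differ between library versions.

```java
import java.nio.file.Path;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.KeyManagerUtils;
import nl.altindag.ssl.util.TrustManagerUtils;

/** Hypothetical holder: one long-lived SSLFactory whose key/trust material can be swapped in place. */
public final class SwappableTlsHolder {
  private final SSLFactory sslFactory; // created once; consumers keep references to what it hands out
  private final Path keystorePath;
  private final char[] keystorePassword;
  private final Path truststorePath;
  private final char[] truststorePassword;

  public SwappableTlsHolder(Path keystorePath, char[] keystorePassword,
                            Path truststorePath, char[] truststorePassword) {
    this.keystorePath = keystorePath;
    this.keystorePassword = keystorePassword;
    this.truststorePath = truststorePath;
    this.truststorePassword = truststorePassword;
    // Swappable material wraps the real managers in delegating managers that can be replaced later.
    this.sslFactory = SSLFactory.builder()
        .withSwappableIdentityMaterial()
        .withSwappableTrustMaterial()
        .withIdentityMaterial(keystorePath, keystorePassword)
        .withTrustMaterial(truststorePath, truststorePassword)
        .build();
  }

  // These are handed to other security contexts once and stay valid across reloads.
  public SSLContext getSslContext() { return sslFactory.getSslContext(); }
  public KeyManagerFactory getKeyManagerFactory() {
    return sslFactory.getKeyManagerFactory().orElseThrow(() -> new IllegalStateException("no key manager"));
  }
  public TrustManagerFactory getTrustManagerFactory() {
    return sslFactory.getTrustManagerFactory().orElseThrow(() -> new IllegalStateException("no trust manager"));
  }

  /** Re-read the keystore/truststore from disk and swap them into the live factory. */
  public void reload() {
    // Build the replacement fully first: a corrupt or mis-passworded file fails here,
    // before anything is swapped, so the live material is never left half-updated.
    SSLFactory updated = SSLFactory.builder()
        .withIdentityMaterial(keystorePath, keystorePassword)
        .withTrustMaterial(truststorePath, truststorePassword)
        .build();
    KeyManagerUtils.swapKeyManager(sslFactory.getKeyManager().get(), updated.getKeyManager().get());
    TrustManagerUtils.swapTrustManager(sslFactory.getTrustManager().get(), updated.getTrustManager().get());
  }
}
```

Connections already established keep the credentials they negotiated with; only handshakes started after reload() use the new material, so a rotated leaf certificate takes effect without rebuilding the SSLContext held by the other security contexts.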