Support for Hot TLS Certificate Rotation #373
ukasus wants to merge 3 commits into spring-projects:main from
Conversation
- Introduced `ReloadableX509KeyManager` and `ReloadableX509TrustManager` to wrap the dynamic gRPC SSL managers.
- Refactored `GrpcServerSslConfiguration` to use the `addBundleUpdateHandler` method for a cleaner, event-driven approach.

Signed-off-by: Ujjawal Sharma <ujjawal98kaushik@gmail.com>
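To make the "reloadable wrapper" idea concrete, here is an added example (not spring-grpc's code and not the PR's diff) of the delegating pattern the commit message describes: each wrapper holds its current JDK manager in an `AtomicReference` and forwards every callback to it, so swapping the reference installs the new key material for handshakes that start afterwards. The wrappers themselves use only JDK APIs; the `bindTo` method assumes the Spring Boot 3.2+ `SslBundles#addBundleUpdateHandler` and `SslBundle#getManagers` API that the PR references, so treat that one method as an assumption.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;

/** Key manager whose delegate can be swapped at runtime; it is only consulted during a handshake. */
public final class ReloadableX509KeyManager extends X509ExtendedKeyManager {
    private final AtomicReference<X509ExtendedKeyManager> delegate = new AtomicReference<>();

    public ReloadableX509KeyManager(KeyManager[] initial) { reload(initial); }

    /** Install the key manager from a freshly loaded bundle; already-established connections are untouched. */
    public void reload(KeyManager[] managers) {
        for (KeyManager km : managers) {
            if (km instanceof X509ExtendedKeyManager x509) { delegate.set(x509); return; }
        }
        throw new IllegalArgumentException("bundle contains no X509ExtendedKeyManager");
    }

    /** Assumed Spring Boot 3.2+ API: the handler fires each time the named bundle is reloaded. */
    public static void bindTo(org.springframework.boot.ssl.SslBundles bundles, String bundleName,
                              ReloadableX509KeyManager km, ReloadableX509TrustManager tm) {
        bundles.addBundleUpdateHandler(bundleName, bundle -> {
            km.reload(bundle.getManagers().getKeyManagers());
            tm.reload(bundle.getManagers().getTrustManagers());
        });
    }

    // The SSLEngine variants are the ones gRPC/Netty calls; the base-class defaults return null,
    // so forgetting to override them silently yields a server with no certificate.
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine e) {
        return delegate.get().chooseEngineServerAlias(keyType, issuers, e);
    }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine e) {
        return delegate.get().chooseEngineClientAlias(keyType, issuers, e);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) {
        return delegate.get().chooseServerAlias(keyType, issuers, s);
    }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) {
        return delegate.get().chooseClientAlias(keyType, issuers, s);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.get().getServerAliases(keyType, issuers);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.get().getClientAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.get().getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.get().getPrivateKey(alias);
    }
}

/** Trust manager counterpart: a rotated CA set applies to every peer-certificate check made after the swap. */
final class ReloadableX509TrustManager extends X509ExtendedTrustManager {
    private final AtomicReference<X509ExtendedTrustManager> delegate = new AtomicReference<>();

    ReloadableX509TrustManager(TrustManager[] initial) { reload(initial); }

    void reload(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (tm instanceof X509ExtendedTrustManager x509) { delegate.set(x509); return; }
        }
        throw new IllegalArgumentException("bundle contains no X509ExtendedTrustManager");
    }

    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
        delegate.get().checkClientTrusted(c, a, s);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
        delegate.get().checkServerTrusted(c, a, s);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException {
        delegate.get().checkClientTrusted(c, a, e);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException {
        delegate.get().checkServerTrusted(c, a, e);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        delegate.get().checkClientTrusted(c, a);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        delegate.get().checkServerTrusted(c, a);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.get().getAcceptedIssuers(); }
}
```

Because the JDK only calls the key manager while negotiating a session, a swap leaves existing connections on the certificate they negotiated, which is the behaviour the reviewer later describes for Tomcat. One caveat worth checking in a real implementation: `chooseEngineServerAlias`, `getCertificateChain` and `getPrivateKey` each read the reference separately, so a reload that lands in the middle of one handshake and reuses the same alias can pair the old chain with the new private key; snapshotting the delegate once per handshake, or including a version in the alias, avoids that.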
Thanks for the patch. It seems grpc-java doesn't support live SSL context reload the way that Tomcat and Jetty do, so it would be good if they were to change that, but I'm not holding my breath. Consequently I see why you have to introduce reloadable extensions of
…e managers
- Added `GrpcServerSslManagerResolver` to resolve the reloadable managers from sslBundles and bind them to the `addBundleUpdateHandler` handler.
- Using set injection for setting managers in defaultGrpcServerFactory for all server factories.

Signed-off-by: Ujjawal Sharma <ujjawal98kaushik@gmail.com>
Thanks @dsyer for your valuable time and feedback, refactored the code as per your inputs.
Let's wait until #234 is merged into Spring Boot to push this through as the auto-configuration will go away in 1.1 once it moves to Spring Boot (i.e. this will be a PR in Spring Boot).
Given the SSL code has now moved to Spring Boot I don't think we can easily migrate this PR, I'm going to close this one. Thanks anyway @ukasus! If we try again in Boot, I'm not sure that we want to adopt the I'm pretty sure in Tomcat there's some logic to ensure that rotated certs are only adopted for new connections, and connections that are already established continue to work as they are.
The following changes were made:
- Introduced `ReloadableX509KeyManager` and `ReloadableX509TrustManager` to wrap the dynamic gRPC SSL managers.
- Refactored `GrpcServerSslConfiguration` to use the `addBundleUpdateHandler` handler.

Signed-off-by: Ujjawal Sharma <ujjawal98kaushik@gmail.com>
[resolves spring-projects/spring-boot#49833]