feat: add TLS certificate reloading on SIGHUP #26994
Conversation
Add TLS certificate reloading on SIGHUP. For httpd service certificates, the configuration is reloaded and certificate and key file locations are updated accordingly. For opentsdb service certificates, certificates and keys at the existing locations are reloaded. If reloading a certificate fails, the currently loaded certificate continues to be used. Also adds file permission checking for TLS certificates and private keys.
Rewrite some tests so that tricks are not used to get a hold of the TLS certificate in-use. Instead, an HTTP client is used to get the certificate presented by the http service.
pkg/tlsconfig/certconfig.go
Outdated
| // VerifyLoad verifies that the certificate at certPath and keyPath will load without error. | ||
| // If the certificate can be loaded, a function that will apply the certificate reload is | ||
| // returned. Otherwise, an error is returned. | ||
| func (cl *TLSCertLoader) VerifyLoad(certPath, keyPath string) (func() error, error) { |
There was a problem hiding this comment.
I'm not convinced VerifyLoad is the best name for this method. The name does make sense, because it is used on config reload to verify that that the new configuration and/or certificate will load properly before it is applied. The name is seems off, though, when you consider that it also returns a closure that will apply the change. Maybe something like PrepareReload would be a better name?
services/opentsdb/service.go
Outdated
| // VerifyReloadTLSCertificate verifies that the configured TLS certificate can be reloaded. | ||
| // If so, then a function that will apply the reloaded certificate is returned. If no reload | ||
| // action is necessary, then nil is returned for the reload function. | ||
| func (s *Service) VerifyReloadTLSCertificate() (func() error, error) { |
There was a problem hiding this comment.
Same thing as CertLoader.VerifyReload. Is this the best name for the method?
There was a problem hiding this comment.
MakeTlsCertLoaderFunc??? Just a suggestion.
davidby-influx
left a comment
davidby-influx
left a comment
There was a problem hiding this comment.
A few suggestions, questions, comments...
|
|
||
| cmd.Logger.Info("Signal received, initializing clean shutdown...") | ||
| if sig == syscall.SIGTERM && cmd.Server.LogQueriesOnTermination() { | ||
| if logQueries && cmd.Server.LogQueriesOnTermination() { |
There was a problem hiding this comment.
Do we need the logQueries variable? Is there a case where we get here with a signal on shutdownCh that is not a SIGTERM?
There was a problem hiding this comment.
shutdownCh will also get SIGINT (os.Interrupt) signals. We only log the queries on SIGTERM. Changes in the logic now that we are handling SIGHUP were easier (and clearer) by adding logQueries.
pkg/file/file.go
Outdated
|
|
||
| // VerifyFilePermissivenessF checks if permissions on f are as restrictive | ||
| // or more restrictive than maxPerms. if not, then an error is returned. | ||
| // For security reasons, there is no VerifyFilePermissiveness functino |
There was a problem hiding this comment.
Will be fixed in next commit.
pkg/file/file_test.go
Outdated
|
|
||
| f, err := os.Open(tmpFile) | ||
| require.NoError(t, err) | ||
| defer f.Close() |
There was a problem hiding this comment.
Wrap in a require.NoError?
There was a problem hiding this comment.
Will be fixed in next commit.
pkg/file/file_test.go
Outdated
|
|
||
| f, err := os.Open(tmpFile) | ||
| require.NoError(t, err) | ||
| defer f.Close() |
services/httpd/service_test.go
Outdated
| HTTPSEnabled: false, | ||
| } | ||
| applyFunc, err := s.VerifyReloadedConfig(newConfig) | ||
| require.Error(t, err) |
There was a problem hiding this comment.
This differs from usage elsewhere in this PR. Does require.ErrorContains imply require.Error? Or do you need to add require.Error to the other places?
There was a problem hiding this comment.
Unnecessary require.Error will be removed in next commit.
services/httpd/service_test.go
Outdated
| HTTPSPrivateKey: ss.KeyPath, | ||
| } | ||
| applyFunc, err := s.VerifyReloadedConfig(newConfig) | ||
| require.Error(t, err) |
services/httpd/service_test.go
Outdated
|
|
||
| // Open service to initialize certLoader | ||
| require.NoError(t, s.Open()) | ||
| defer s.Close() |
There was a problem hiding this comment.
Any possible error?
services/httpd/service_test.go
Outdated
|
|
||
| // Open service to initialize certLoader | ||
| require.NoError(t, s.Open()) | ||
| defer s.Close() |
There was a problem hiding this comment.
any possible error?
services/opentsdb/service.go
Outdated
| // VerifyReloadTLSCertificate verifies that the configured TLS certificate can be reloaded. | ||
| // If so, then a function that will apply the reloaded certificate is returned. If no reload | ||
| // action is necessary, then nil is returned for the reload function. | ||
| func (s *Service) VerifyReloadTLSCertificate() (func() error, error) { |
There was a problem hiding this comment.
MakeTlsCertLoaderFunc??? Just a suggestion.
- Correct race conditions present in httpd.Service. - Improve error messages. - Rename some methods for clarity. - Fix issues in tests. - Fix comments.
davidby-influx
left a comment
davidby-influx
left a comment
There was a problem hiding this comment.
LGTM.
I like the spelling corrections...
| config, err := cmd.ParseConfig(configPath) | ||
| if err != nil { | ||
| return fail(fmt.Errorf("error parsing config file: %s", err)) | ||
| return fail(fmt.Errorf("error parsing config file (%q): %s", configPath, err)) |
| if err := cl.setCertificate(loadedCert); err != nil { | ||
| // There shouldn't be a way to get here. | ||
| log.Error("error setting certificate after load") | ||
| log.Error("error setting certificate after load", zap.Error(err)) |
Add TLS certificate reloading on SIGHUP. For httpd service certificates, the configuration is reloaded and certificate and key file locations are updated accordingly. For opentsdb service certificates, certificates and keys at the existing locations are reloaded. If reloading a certificate fails, the currently loaded certificate continues to be used. Also adds file permission checking for TLS certificates and private keys. Clean cherry-pick of #26994 to 1.12. Closes: #27056 (cherry picked from commit 8c9b850)
Add TLS certificate reloading on SIGHUP. For httpd service certificates, the configuration is reloaded and certificate and key file locations are updated accordingly. For opentsdb service certificates, certificates and keys at the existing locations are reloaded. If reloading a certificate fails, the currently loaded certificate continues to be used. Also adds file permission checking for TLS certificates and private keys. Clean cherry-pick of #26994 to 1.12. Closes: #27056 (cherry picked from commit 8c9b850)
Add TLS certificate reloading on SIGHUP. For httpd service certificates, the configuration is reloaded and certificate and key file locations are updated accordingly. For opentsdb service certificates, certificates and keys at the existing locations are reloaded. If reloading a certificate fails, the currently loaded certificate continues to be used.
Also adds file permission checking for TLS certificates and private keys.