feat(tls): automatically reload tls certs #3752
Conversation
There was a problem hiding this comment.
Pull request overview
This PR implements automatic TLS certificate reloading for zot without requiring server restarts, addressing issue #3747. The implementation uses Go's tls.Config.GetCertificate callback to check for certificate file changes on each TLS handshake and reload certificates when modifications are detected.
Changes:
- Added a new
CertReloadertype that monitors TLS certificate files and reloads them when modified - Integrated certificate reloader into the HTTP server's TLS configuration
- Added comprehensive unit tests and blackbox integration tests for certificate reload functionality
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/api/tlscert.go | New file implementing the CertReloader with automatic certificate monitoring and reloading |
| pkg/api/tlscert_test.go | Comprehensive unit tests for CertReloader covering reload, concurrency, and edge cases |
| pkg/api/controller.go | Integration of CertReloader into TLS server setup with GetCertificate callback |
| test/blackbox/tls_cert_reload.bats | End-to-end integration tests validating certificate reload in running server |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3752 +/- ##
==========================================
- Coverage 91.60% 91.52% -0.09%
==========================================
Files 189 190 +1
Lines 26932 27059 +127
==========================================
+ Hits 24672 24766 +94
- Misses 1460 1482 +22
- Partials 800 811 +11 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@copilot open a new pull request to apply changes based on the comments in this thread |
- Add logging when certificate reload fails using log.Logger - Implement fsnotify for efficient file system monitoring instead of polling on every handshake - Add reloadMu to prevent concurrent reload operations and race conditions - Add time-based cache (1 second) for fallback polling to reduce file system calls - Watch certificate directories for better reliability with atomic file updates - Graceful fallback to periodic checking if fsnotify fails to initialize Co-authored-by: rchincha <[email protected]>
rchincha
force-pushed
the
issue-3747
branch
2 times, most recently
from
805d0bf to
b94f3ba
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Fixes issue project-zot#3747 Currently, zot requires a restart whenever tls certs change, which can occur whenever there are tls cert rotation etc. This PR checks if the tls certs have be modified and if so reloads them without restarting zot. Signed-off-by: Ramkumar Chinchani <[email protected]>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| // Close CertReloader to prevent resource leaks | ||
| if c.CertReloader != nil { | ||
| _ = c.CertReloader.Close() |
There was a problem hiding this comment.
If this is closed in StopBackgroundTasks() doesn't it need to start in StartBackgroundTasks() for simetry?
There are tests which call Run() and Shutdown() multiple times on the same object, I think I fixed the background tasks issues when I refactored the HTPasswdWatcher, but let's not risk it.
| // This method is safe to call multiple times. | ||
| func (cr *CertReloader) Close() error { | ||
| var err error | ||
| cr.closeOnce.Do(func() { |
There was a problem hiding this comment.
Does this work? If I remember correctly, we have tests calling Run() multiple times on the same controller. That would mean starting the watcher multiple times. This code closes it just once.
2 participants
Fixes issue #3747
Currently, zot requires a restart whenever tls certs change, which can occur whenever there are tls cert rotation etc.
This PR checks if the tls certs have be modified and if so reloads them without restarting zot.
What type of PR is this?
Which issue does this PR fix:
What does this PR do / Why do we need it:
If an issue # is not available please add repro steps and logs showing the issue:
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades?
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.