[ISSUE #8920] Refactor SSL context loading process to support multiple protocols dynamic loading #9483
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- 在 GrpcServer 和 RemotingProtocolServer 中添加文件监视服务,用于监控 TLS 证书和密钥的变化 - 实现证书和密钥变更时重新加载 SSL 上下文的逻辑 - 优化 ProxyAndTlsProtocolNegotiator 中的 SSL 上下文加载过程 - 添加日志记录,方便调试和监控 TLS 相关操作
- 重构 GrpcServer 中的证书监控逻辑,提取到独立的 GrpcCertKeyFileWatchListener 类中 - 优化证书变更处理流程,提高代码可读性和维护性 - 新增 GrpcServerTest 类,为 gRPC服务器和证书监控添加单元测试- 测试覆盖了各种证书变更场景,包括单独变更和组合变更 - 验证了证书变更时 SSLContext 的重新加载和错误处理 Signed-off-by: Async <raisinata@foxmail.com>
- 重构 GrpcServer 中的证书监控逻辑,提取到独立的 GrpcCertKeyFileWatchListener 类中 - 优化证书变更处理流程,提高代码可读性和维护性 - 新增 GrpcServerTest 类,为 gRPC服务器和证书监控添加单元测试- 测试覆盖了各种证书变更场景,包括单独变更和组合变更 - 验证了证书变更时 SSLContext 的重新加载和错误处理 Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
- 移除 FileWatchService,改用 TlsCertificateManager 统一管理 TLS证书 - 实现 TlsContextReloadListener 接口,响应 TLS 证书更新 - 优化 GrpcServer 和 RemotingProtocolServer 中的 TLS 证书更新逻辑 - 新增单元测试验证 TLS 证书更新功能 Signed-off-by: Async <raisinata@foxmail.com>
- 重构了多个测试类中的重复代码- 提高了测试的可读性和维护性 - 确保在测试中正确关闭资源 Signed-off-by: Async <raisinata@foxmail.com>
- 移除了不必要的导入项 - 显式导入了所有活动类,提高了代码的可读性和维护性 Signed-off-by: Async <raisinata@foxmail.com>
qianye1001
reviewed
Jun 17, 2025
| } | ||
| } | ||
|
|
||
| static class GrpcTlsReloadHandler implements TlsCertificateManager.TlsContextReloadListener { |
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
lizhimins
reviewed
Jun 18, 2025
| } | ||
| } | ||
|
|
||
| public static TlsCertificateManager getInstance() { |
There was a problem hiding this comment.
avoid using a singleton? use Dependency Injection instead
lizhimins
reviewed
Jun 18, 2025
| sslContext = loadSslContext(); | ||
| try { | ||
| loadSslContext(); | ||
| log.info("SSLContext created for proxy server"); |
There was a problem hiding this comment.
SSLContext / SslContext 需要保持一致,保持日志的严谨性
lizhimins
reviewed
Jun 18, 2025
| try { | ||
| loadSslContext(); | ||
| log.info("SSLContext created for proxy server"); | ||
| } catch (IOException | CertificateException e) { |
There was a problem hiding this comment.
Here I want to crash directly if an exception is thrown during SSLContext initialization
lizhimins
reviewed
Jun 18, 2025
| @@ -231,7 +245,7 @@ protected void handleHAProxyTLV(HAProxyTLV tlv, Attributes.Builder builder) { | |||
| return; | |||
| } | |||
| Attributes.Key<String> key = AttributeKeys.valueOf( | |||
| HAProxyConstants.PROXY_PROTOCOL_TLV_PREFIX + String.format("%02x", tlv.typeByteValue())); | |||
| HAProxyConstants.PROXY_PROTOCOL_TLV_PREFIX + String.format("%02x", tlv.typeByteValue())); | |||
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## develop #9483 +/- ##
=============================================
- Coverage 48.15% 47.98% -0.17%
+ Complexity 12017 11984 -33
=============================================
Files 1308 1309 +1
Lines 92174 92351 +177
Branches 11790 11814 +24
=============================================
- Hits 44382 44314 -68
- Misses 42302 42526 +224
- Partials 5490 5511 +21 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
lizhimins
reviewed
Jun 19, 2025
| //import static org.mockito.Mockito.when; | ||
| // | ||
| //@ExtendWith(MockitoExtension.class) | ||
| //public class GrpcServerTest { |
- 将 TlsCertificateManager 实例化移至 ProxyStartup 类 - 更新 GrpcServer 和 RemotingProtocolServer 类以使用 TlsCertificateManager - 移除冗余的 TLS 证书管理相关测试用例 - 优化 TLS 上下文重载逻辑 Signed-off-by: Async <raisinata@foxmail.com>
- 将 cert file changed 日志信息改为更通用的 File changed - 保持代码风格一致性,提高日志的可读性和维护性 Signed-off-by: Async <raisinata@foxmail.com>
- 增加对 TlsCertificateManager 各种方法的单元测试 - 涉及到的测试场景包括: - 构造函数 - 启动和关闭 - 注册和注销监听器 - 文件变更通知(证书、密钥、未知文件等) - 多个监听器的情况 - 监听器抛出异常的情况 - 增加对内部 CertKeyFileWatchListener 的测试 Signed-off-by: Async <raisinata@foxmail.com>
EnableAsync
force-pushed
the
feat/cert-update-online
branch
from
7c4e38f to
6b5c4a5
Compare
-移除了未使用的 import 语句 - 替换了 import static语句,使其更加有序 - 删除了未使用的静态方法断言(verify、times、never) - 重置了 mock 对象以避免测试之间的干扰 Signed-off-by: Async <raisinata@foxmail.com>
lizhimins
reviewed
Jun 26, 2025
| } else { | ||
| String tlsCertPath = ConfigurationManager.getProxyConfig().getTlsCertPath(); | ||
| String tlsKeyPath = ConfigurationManager.getProxyConfig().getTlsKeyPath(); | ||
| try (InputStream serverKeyInputStream = Files.newInputStream( |
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
Signed-off-by: Async <raisinata@foxmail.com>
WJ66880
pushed a commit
to WJ66880/rocketmq
that referenced
this pull request
Jul 1, 2025
…ultiple protocols dynamic loading (apache#9483) * feat(proxy): 添加 gRPC 和 Remoting 服务器的 TLS 证书热更新支持 - 在 GrpcServer 和 RemotingProtocolServer 中添加文件监视服务,用于监控 TLS 证书和密钥的变化 - 实现证书和密钥变更时重新加载 SSL 上下文的逻辑 - 优化 ProxyAndTlsProtocolNegotiator 中的 SSL 上下文加载过程 - 添加日志记录,方便调试和监控 TLS 相关操作 * refactor(proxy): 重构 gRPC 证书监控逻辑并添加单元测试 - 重构 GrpcServer 中的证书监控逻辑,提取到独立的 GrpcCertKeyFileWatchListener 类中 - 优化证书变更处理流程,提高代码可读性和维护性 - 新增 GrpcServerTest 类,为 gRPC服务器和证书监控添加单元测试- 测试覆盖了各种证书变更场景,包括单独变更和组合变更 - 验证了证书变更时 SSLContext 的重新加载和错误处理 Signed-off-by: Async <raisinata@foxmail.com> * refactor(proxy): 重构 gRPC 证书监控逻辑并添加单元测试 - 重构 GrpcServer 中的证书监控逻辑,提取到独立的 GrpcCertKeyFileWatchListener 类中 - 优化证书变更处理流程,提高代码可读性和维护性 - 新增 GrpcServerTest 类,为 gRPC服务器和证书监控添加单元测试- 测试覆盖了各种证书变更场景,包括单独变更和组合变更 - 验证了证书变更时 SSLContext 的重新加载和错误处理 Signed-off-by: Async <raisinata@foxmail.com> * fix: code format Signed-off-by: Async <raisinata@foxmail.com> * test: add test cases Signed-off-by: Async <raisinata@foxmail.com> * fix: code format Signed-off-by: Async <raisinata@foxmail.com> * refactor(proxy): 重构 TLS证书更新逻辑 - 移除 FileWatchService,改用 TlsCertificateManager 统一管理 TLS证书 - 实现 TlsContextReloadListener 接口,响应 TLS 证书更新 - 优化 GrpcServer 和 RemotingProtocolServer 中的 TLS 证书更新逻辑 - 新增单元测试验证 TLS 证书更新功能 Signed-off-by: Async <raisinata@foxmail.com> * test(proxy): 优化 TLS 相关测试用例 - 重构了多个测试类中的重复代码- 提高了测试的可读性和维护性 - 确保在测试中正确关闭资源 Signed-off-by: Async <raisinata@foxmail.com> * refactor(proxy): 优化代码导入结构 - 移除了不必要的导入项 - 显式导入了所有活动类,提高了代码的可读性和维护性 Signed-off-by: Async <raisinata@foxmail.com> * update * fix: no static Signed-off-by: Async <raisinata@foxmail.com> * fix: add SingletonHolder for TlsCertificateManager Signed-off-by: Async <raisinata@foxmail.com> * refactor * refactor(proxy): 重构 TLS证书管理 - 将 TlsCertificateManager 实例化移至 ProxyStartup 类 - 更新 GrpcServer 和 RemotingProtocolServer 类以使用 TlsCertificateManager - 移除冗余的 TLS 证书管理相关测试用例 - 优化 TLS 上下文重载逻辑 Signed-off-by: Async <raisinata@foxmail.com> * refactor(proxy): 优化日志信息内容 - 将 cert file changed 日志信息改为更通用的 File changed - 保持代码风格一致性,提高日志的可读性和维护性 Signed-off-by: Async <raisinata@foxmail.com> * test(proxy): 重构并增强 TlsCertificateManager 测试用例- 重新设计测试用例,使用临时文件模拟证书和密钥 - 增加对 TlsCertificateManager 各种方法的单元测试 - 涉及到的测试场景包括: - 构造函数 - 启动和关闭 - 注册和注销监听器 - 文件变更通知(证书、密钥、未知文件等) - 多个监听器的情况 - 监听器抛出异常的情况 - 增加对内部 CertKeyFileWatchListener 的测试 Signed-off-by: Async <raisinata@foxmail.com> * refactor * test(proxy): 优化 TlsCertificateManager 单元测试 -移除了未使用的 import 语句 - 替换了 import static语句,使其更加有序 - 删除了未使用的静态方法断言(verify、times、never) - 重置了 mock 对象以避免测试之间的干扰 Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> * fix format Signed-off-by: Async <raisinata@foxmail.com> --------- Signed-off-by: Async <raisinata@foxmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which Issue(s) This PR Fixes
Fixes #8920
Brief Description
This PR adds functionality to dynamically reload TLS certificates without requiring a server restart. The implementation monitors certificate and key files for changes and automatically updates the TLS configuration when both files are modified.
Key changes:
This feature improves system availability by allowing certificate updates with zero downtime, which is particularly valuable for production environments with automatic certificate renewal processes.
How Did You Test This Change?
I've implemented comprehensive tests to validate the dynamic TLS certificate update feature. The tests cover several key aspects:
These tests ensure the system can update TLS certificates without requiring a service restart, improving system availability during certificate renewals.