Watch for certificate files updates in ConfigReloader

programs/keeper/CMakeLists.txt

@@ -73,6 +73,7 @@ if (BUILD_STANDALONE_KEEPER)
         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/Server/TCPServer.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/Server/NotFoundHandler.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/Server/ProtocolServerAdapter.cpp
+        ${CMAKE_CURRENT_SOURCE_DIR}/../../src/Server/CertificateReloader.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/Server/PrometheusRequestHandler.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/Server/PrometheusMetricsWriter.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/Server/waitServersToFinish.cpp

programs/keeper/Keeper.cpp

@@ -42,6 +42,7 @@
 #if USE_SSL
 #    include <Poco/Net/Context.h>
 #    include <Poco/Net/SecureServerSocket.h>
+#    include <Server/CertificateReloader.h>
 #endif
 
 #include <Server/ProtocolServerAdapter.h>
@@ -451,17 +452,29 @@ try
 
     zkutil::EventPtr unused_event = std::make_shared<Poco::Event>();
     zkutil::ZooKeeperNodeCache unused_cache([] { return nullptr; });
+
+    const std::string cert_path = config().getString("openSSL.server.certificateFile", "");
+    const std::string key_path = config().getString("openSSL.server.privateKeyFile", "");
+
+    std::vector<std::string> extra_paths = {include_from_path};
+    if (!cert_path.empty()) extra_paths.emplace_back(cert_path);
+    if (!key_path.empty()) extra_paths.emplace_back(key_path);
+
     /// ConfigReloader have to strict parameters which are redundant in our case
     auto main_config_reloader = std::make_unique<ConfigReloader>(
         config_path,
-        include_from_path,
+        extra_paths,
         config().getString("path", ""),
         std::move(unused_cache),
         unused_event,
         [&](ConfigurationPtr config, bool /* initial_loading */)
         {
             if (config->has("keeper_server"))
                 global_context->updateKeeperConfiguration(*config);
+
+#if USE_SSL
+            CertificateReloader::instance().tryLoad(*config);
+#endif
         },
         /* already_loaded = */ false);  /// Reload it right now (initial loading)
 

programs/server/Server.cpp

@@ -88,7 +88,6 @@
 #include <Server/PostgreSQLHandlerFactory.h>
 #include <Server/ProxyV1HandlerFactory.h>
 #include <Server/TLSHandlerFactory.h>
-#include <Server/CertificateReloader.h>
 #include <Server/ProtocolServerAdapter.h>
 #include <Server/HTTP/HTTPServer.h>
 #include <Interpreters/AsynchronousInsertQueue.h>
@@ -109,6 +108,7 @@
 
 #if USE_SSL
 #    include <Poco/Net/SecureServerSocket.h>
+#    include <Server/CertificateReloader.h>
 #endif
 
 #if USE_GRPC
@@ -1100,9 +1100,16 @@ try
         SensitiveDataMasker::setInstance(std::make_unique<SensitiveDataMasker>(config(), "query_masking_rules"));
     }
 
+    const std::string cert_path = config().getString("openSSL.server.certificateFile", "");
+    const std::string key_path = config().getString("openSSL.server.privateKeyFile", "");
+
+    std::vector<std::string> extra_paths = {include_from_path};
+    if (!cert_path.empty()) extra_paths.emplace_back(cert_path);
+    if (!key_path.empty()) extra_paths.emplace_back(key_path);
+
     auto main_config_reloader = std::make_unique<ConfigReloader>(
         config_path,
-        include_from_path,
+        extra_paths,
         config().getString("path", ""),
         std::move(main_config_zk_node_cache),
         main_config_zk_changed_event,

src/Access/UsersConfigAccessStorage.cpp

@@ -807,7 +807,7 @@ void UsersConfigAccessStorage::load(
     config_reloader.reset();
     config_reloader = std::make_unique<ConfigReloader>(
         users_config_path,
-        include_from_path,
+        std::vector{{include_from_path}},
         preprocessed_dir,
         zkutil::ZooKeeperNodeCache(get_zookeeper_function),
         std::make_shared<Poco::Event>(),

src/Common/Config/ConfigReloader.cpp

@@ -14,14 +14,15 @@ namespace DB
 {
 
 ConfigReloader::ConfigReloader(
-        const std::string & path_,
-        const std::string & include_from_path_,
+        std::string_view config_path_,
+        const std::vector<std::string>& extra_paths_,
         const std::string & preprocessed_dir_,
         zkutil::ZooKeeperNodeCache && zk_node_cache_,
         const zkutil::EventPtr & zk_changed_event_,
         Updater && updater_,
         bool already_loaded)
-    : path(path_), include_from_path(include_from_path_)
+    : config_path(config_path_)
+    , extra_paths(extra_paths_)
     , preprocessed_dir(preprocessed_dir_)
     , zk_node_cache(std::move(zk_node_cache_))
     , zk_changed_event(zk_changed_event_)
@@ -98,10 +99,10 @@ void ConfigReloader::reloadIfNewer(bool force, bool throw_on_error, bool fallbac
     FilesChangesTracker new_files = getNewFileList();
     if (force || need_reload_from_zk || new_files.isDifferOrNewerThan(files))
     {
-        ConfigProcessor config_processor(path);
+        ConfigProcessor config_processor(config_path);
         ConfigProcessor::LoadedConfig loaded_config;
 
-        LOG_DEBUG(log, "Loading config '{}'", path);
+        LOG_DEBUG(log, "Loading config '{}'", config_path);
 
         try
         {
@@ -118,15 +119,15 @@ void ConfigReloader::reloadIfNewer(bool force, bool throw_on_error, bool fallbac
             if (throw_on_error)
                 throw;
 
-            tryLogCurrentException(log, "ZooKeeper error when loading config from '" + path + "'");
+            tryLogCurrentException(log, "ZooKeeper error when loading config from '" + config_path + "'");
             return;
         }
         catch (...)
         {
             if (throw_on_error)
                 throw;
 
-            tryLogCurrentException(log, "Error loading config from '" + path + "'");
+            tryLogCurrentException(log, "Error loading config from '" + config_path + "'");
             return;
         }
         config_processor.savePreprocessedConfig(loaded_config, preprocessed_dir);
@@ -142,7 +143,7 @@ void ConfigReloader::reloadIfNewer(bool force, bool throw_on_error, bool fallbac
             need_reload_from_zk = false;
         }
 
-        LOG_DEBUG(log, "Loaded config '{}', performing update on configuration", path);
+        LOG_DEBUG(log, "Loaded config '{}', performing update on configuration", config_path);
 
         try
         {
@@ -152,11 +153,11 @@ void ConfigReloader::reloadIfNewer(bool force, bool throw_on_error, bool fallbac
         {
             if (throw_on_error)
                 throw;
-            tryLogCurrentException(log, "Error updating configuration from '" + path + "' config.");
+            tryLogCurrentException(log, "Error updating configuration from '" + config_path + "' config.");
             return;
         }
 
-        LOG_DEBUG(log, "Loaded config '{}', performed update on configuration", path);
+        LOG_DEBUG(log, "Loaded config '{}', performed update on configuration", config_path);
     }
 }
 
@@ -196,10 +197,11 @@ ConfigReloader::FilesChangesTracker ConfigReloader::getNewFileList() const
 {
     FilesChangesTracker file_list;
 
-    file_list.addIfExists(path);
-    file_list.addIfExists(include_from_path);
+    file_list.addIfExists(config_path);
+    for (const std::string& path : extra_paths)
+        file_list.addIfExists(path);
 
-    for (const auto & merge_path : ConfigProcessor::getConfigMergeFiles(path))
+    for (const auto & merge_path : ConfigProcessor::getConfigMergeFiles(config_path))
         file_list.addIfExists(merge_path);
 
     return file_list;

src/Common/Config/ConfigReloader.h

@@ -22,23 +22,21 @@ class Context;
 /** Every two seconds checks configuration files for update.
   * If configuration is changed, then config will be reloaded by ConfigProcessor
   *  and the reloaded config will be applied via Updater functor.
-  * It doesn't take into account changes of --config-file, <users_config> and <include_from> parameters.
+  * It doesn't take into account changes of --config-file and <users_config>.
   */
 class ConfigReloader
 {
 public:
     using Updater = std::function<void(ConfigurationPtr, bool)>;
 
-    /** include_from_path is usually /etc/metrika.xml (i.e. value of <include_from> tag)
-      */
     ConfigReloader(
-            const std::string & path,
-            const std::string & include_from_path,
-            const std::string & preprocessed_dir,
-            zkutil::ZooKeeperNodeCache && zk_node_cache,
-            const zkutil::EventPtr & zk_changed_event,
-            Updater && updater,
-            bool already_loaded);
+        std::string_view path_,
+        const std::vector<std::string>& extra_paths_,
+        const std::string & preprocessed_dir,
+        zkutil::ZooKeeperNodeCache && zk_node_cache,
+        const zkutil::EventPtr & zk_changed_event,
+        Updater && updater,
+        bool already_loaded);
 
     ~ConfigReloader();
 
@@ -73,8 +71,9 @@ class ConfigReloader
 
     Poco::Logger * log = &Poco::Logger::get("ConfigReloader");
 
-    std::string path;
-    std::string include_from_path;
+    std::string config_path;
+    std::vector<std::string> extra_paths;
+
     std::string preprocessed_dir;
     FilesChangesTracker files;
     zkutil::ZooKeeperNodeCache zk_node_cache;