feat: Hot reload TLS certificate when TLS cert or key files change #111
Merged
clement0010 merged 28 commits into master on Aug 28, 2025
Conversation
minhtule requested changes on Aug 21, 2025
sghiocel reviewed on Aug 22, 2025
Pull Request Overview
This PR adds hot reload functionality for TLS certificates by implementing a custom `CertReloader` that watches for changes to the TLS certificate and private key files in the `/etc/tls-secret-volume` directory using fsnotify.

- Implements a `CertReloader` struct that monitors file system events for certificate and key files
- Replaces static certificate loading with dynamic certificate retrieval through a `GetCertificate` callback
- Adds comprehensive test coverage for certificate reloading scenarios, including file changes and invalid certificate pairs
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/httpproxy/cert_reloader.go | Core implementation of the certificate reloader with file watching and hot reload logic |
| internal/httpproxy/cert_reloader_test.go | Test suite covering certificate reloading scenarios and edge cases |
| internal/httpproxy/http_proxy.go | Integration of the cert reloader into the HTTP proxy server configuration |
| test/data/proxy/tls1.crt | Additional test certificate for testing certificate rotation |
| test/data/proxy/tls1.key | Additional test private key for testing certificate rotation |
| test/data/data.go | Embedded test data variables for the new certificate and key files |
| go.mod | Moved fsnotify dependency from indirect to direct requirement |
Comments suppressed due to low confidence (1)
go.mod:3
- Go version 1.24.6 does not exist. The latest Go version as of January 2025 was 1.23.x. This appears to be an invalid version number.
```
go 1.24.6
```
Pull Request Test Coverage Report for Build 17256260704

Warning: This coverage report may be inaccurate. This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

💛 - Coveralls
minhtule reviewed on Aug 23, 2025
minhtule approved these changes on Aug 26, 2025
sghiocel reviewed on Aug 26, 2025
sghiocel reviewed on Aug 26, 2025
sghiocel reviewed on Aug 26, 2025
sghiocel approved these changes on Aug 27, 2025
minhtule added a commit that referenced this pull request on Dec 30, 2025

## Changes

Move inner TLS upgrade outside of `ProxyConn.Authenticate()` to keep `ProxyConn.Authenticate()` only responsible for the authentication. After that, the connection would have 2 paths:

- SSH secure transport (only for SSH protocol): the connection is sent to `SSHListener`. The SSH proxy handles both the secure transport and application layer.
- TLS secure transport: upgrade the `ProxyConn` connection to TLS and pass it to the `HTTPListener`. Right now only HTTPS (`kubectl`) uses this transport but in the future, database protocols like Postgres would use TLS as the secure transport too. We will have different listeners for different L7 protocols.
Changes

- `CertReloader` to watch for TLS certificate and private key changes. When the watcher is removed, it will also attempt to restart the watcher periodically (every 1 minute).

Notes

When the TLS Secret is changed, we expect fsnotify to notify multiple chmod events. As such, it's not uncommon to reload the cert file multiple times during cert rotation.

Reference: K8s Dynamic Certificates
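Both the Copilot summary above (a `GetCertificate` callback plus tests for invalid certificate pairs) and the author's notes (several chmod events per Secret rotation, so the cert may be reloaded more than once) describe behaviour that is easier to see in code. The following is an added example written for this page, not the project's `internal/httpproxy/cert_reloader.go`: it keeps the current pair behind an atomic pointer, hands it out through a `GetCertificate` callback, refuses a half-rotated pair (new cert, old key) without dropping the pair already in service, and coalesces a burst of change events into one reload. All identifiers (`CertReloader` fields, `Debounce`, `SelfSignedPEM`, `RotationScenario`, `must`), the 50 ms quiet window and the Ed25519 test certificates are assumptions of this example; the fsnotify watcher itself is left out so the file runs with only the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// CertReloader serves the last cert/key pair that loaded successfully.
type CertReloader struct {
	CertPath, KeyPath string
	cert              atomic.Pointer[tls.Certificate] // swapped atomically by Reload
}

// Reload re-reads both files. tls.LoadX509KeyPair checks that the key matches the
// certificate, so a half-written rotation (new cert, old key) keeps the old pair.
func (r *CertReloader) Reload() error {
	c, err := tls.LoadX509KeyPair(r.CertPath, r.KeyPath)
	if err != nil {
		return err
	}
	r.cert.Store(&c)
	return nil
}

// GetCertificate has the tls.Config.GetCertificate signature and runs per handshake. Until the
// first successful Reload it returns nil, so crypto/tls falls back to Config.Certificates or fails.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.cert.Load(), nil
}

// Debounce calls reload once per burst of change events: the first event opens a
// quiet window and later events inside it are swallowed. Returns after events closes.
func Debounce(events <-chan struct{}, window time.Duration, reload func()) {
	for range events {
		timeout := time.After(window)
		for more := true; more; {
			select {
			case _, more = <-events: // swallow the rest of the burst
			case <-timeout:
				more = false
			}
		}
		reload() // one reload per burst, however many chmod events fsnotify delivered
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// SelfSignedPEM generates a throwaway Ed25519 key and self-signed certificate for
// cn (constructed test data, not real secrets) and returns both PEM-encoded.
func SelfSignedPEM(cn string) (certPEM, keyPEM []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

// RotationScenario rotates tls.crt and tls.key in dir one file at a time, the way a Secret
// update may land, and returns the pointer served after each step plus the reload count.
func RotationScenario(dir string) (served []*tls.Certificate, rejected bool, reloads int) {
	oldCert, oldKey := SelfSignedPEM("old.example")
	newCert, newKey := SelfSignedPEM("new.example")
	r := &CertReloader{CertPath: filepath.Join(dir, "tls.crt"), KeyPath: filepath.Join(dir, "tls.key")}
	must(os.WriteFile(r.CertPath, oldCert, 0o600))
	must(os.WriteFile(r.KeyPath, oldKey, 0o600))
	must(r.Reload())
	served = append(served, r.cert.Load()) // old.example, the pointer GetCertificate hands out
	must(os.WriteFile(r.CertPath, newCert, 0o600)) // step 1: only tls.crt has been replaced
	rejected = r.Reload() != nil                   // key still belongs to the old cert: refused
	served = append(served, r.cert.Load())         // old pointer stays in service
	must(os.WriteFile(r.KeyPath, newKey, 0o600)) // step 2: tls.key lands too
	events := make(chan struct{}, 5)             // the watcher reports a burst of five events
	for i := 0; i < 5; i++ {
		events <- struct{}{}
	}
	close(events)
	Debounce(events, 50*time.Millisecond, func() { reloads++; must(r.Reload()) })
	served = append(served, r.cert.Load()) // new.example, after exactly one reload
	return served, rejected, reloads
}
```

Wire it with `tls.Config{GetCertificate: r.GetCertificate}` and feed `Debounce` from the watcher's event channel. Two caveats with the Kubernetes Secret volume this PR targets: the kubelet rotates the volume by writing a new timestamped directory and atomically re-pointing the `..data` symlink, so an inotify watch placed on `tls.crt` itself ends up on the old inode and is removed after rotation (which is why the PR restarts its watcher periodically; a watch on the mount directory sees the symlink swap instead); and a debounce window delays the switch to the new pair by that window, harmless for certificate rotation as long as it stays far below the old certificate's remaining validity.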