New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reload certificate configuration at runtime #1799
Conversation
82bf558
to
b2ed47a
Compare
I think it's a very good improvement to Dropwizard from the operational side!
I think we could use a new module for that. This will allows users to disable this feature, if they don't want to expose the ability to change SSL certificates on the fly.
We now support POST requests for admin tasks, so it's doable to use this approach. I like it, because
Looks good to me. We use Jetty's lifecycle in other bundles and it works well. I think we can use it,
I think we should try to provide an atomic way to update all configurations with new certificates. I think it would be a nightmare to debug a server with a partially updated configuration. |
Ok I'll cave to adding the submodule. My initial plan was not to add a submodule because many dropwizard submodules that users have to manually import have additional third party dependencies, On atomic updates. Good point. It's entirely plausible that the keystore could have been swapped out for one with a different password, causing the reload to fail. A failure to reload is tragic. No future connections are allowed (I tested this). Like you alluded to, it's a scary thought to hot reload a certificate and break all functionality. But on one hand, if the app was restarted, it would break as well. The app wouldn't start. If we could fallback to the previous configuration we could keep the app chugging along, but at the cost it failing at the next restart. It's debatably a reasonable response. A 500 status code could inform the admin to examine the new certificate information before the next reboot that would force usage of the new certificate. Since an EDIT: This post was me thinking about loud, no need to respond to anything 馃槤 |
I'd probably favor keeping this in the existing jetty module and have a configuration option to enable or disable it (disabled by default). |
This is cool. Thanks, @nickbabcock! I agree with @jplock. Including the feature in In order to help avoid the case where an invalid cert silently fails upon hot reload, perhaps we could add an Anybody have opinions on the |
I like the task approach for triggering the reload |
Unfortunately none of the classes can go in |
Is it awkward that I put the code in Also looks like coveralls doesn't do cross module code coverage, so my tests in |
I think I'm core is fine to me |
Added the documentation. PR is in a pretty good spot, but additional reviews/comments/suggestions welcomed 馃槃 |
|
||
@Override | ||
public void initialize(Bootstrap<HelloWorldConfiguration> bootstrap) { | ||
bootstrap.addBundle(new SslReloadBundle("/assets/", "/")); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the assets path in here needed or a cut and paste issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a cut-and-paste-with-unsaved-changes-that-fixed-this-issue 馃槥
fixed.
0448de9
to
04f2a6e
Compare
@nickbabcock do you want to update the release notes? Then I think this is good to merge. Great job! 馃憤 |
04f2a6e
to
1a52d6d
Compare
Cleaned up the commit history and made this PR first in the release notes because it seems like something we might want to highlight 馃槇 |
Recent Jetty releases have allowed us to reload ssl/tls information at runtime, so it's no longer necessary to restart Dropwizard to install a new certificate. More information can be found: jetty/jetty.project#918
The motivation behind this PR is that as certificate management starts to be more automatic (looking at Let's Encrypt) and certificates are issues more frequently, the downtime caused by new certificates starts to become palpable. Yes, the service may only be down for a few moments, but any reductions in downtime should be welcomed.
Those who use a TLS termination proxy in front of dropwizard (or use http endpoints) will not be affected.
I implemented a quick check to ensure it's working
I can confirm that the certificate was indeed changed without needing a restart. 馃帀
I marked this PR as RFC (request for comments) to get a feel of opinions. This PR is not ready to be merged.
Questions:
SslReloadBundle
/SslReloadTask
should live. Right now, they reside in the e2e module, which shouldn't be their final resting place 馃槤SslReloadTask
to dropwizard-servlets with otherTasks
?dropwizard-ssl-reload
submodule?Todos: