Update client cert without downtime #5791

Closed
fabmade opened this issue Nov 14, 2022 · 3 comments
Comments

@fabmade

fabmade commented Nov 14, 2022

Hi together,

Is it possible to reload the client cert without downtime? On the server side it is possible with the tls.Config's GetCertificate method.

// credentials.NewTLS takes a *tls.Config, so the config literal must be a pointer
grpc.DialContext(...,
  grpc.WithTransportCredentials(
    credentials.NewTLS(&tls.Config{GetCertificate: myGetCertFunc, ...})))

But on the client side I found no way to do this. It calls the handshake before GetCertificate or GetClientCertificate is called.

@arvindbr8 arvindbr8 self-assigned this Nov 15, 2022
@arvindbr8
Member

Hey @fabmade, yes this is possible by setting an IdentityProvider in the advancedTLS options when creating TLS credentials for calling Dial(). The provider will create a watcher for the cert + key files which triggers an update on file changes. Here's an example:

import (
	"log"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
	"google.golang.org/grpc/security/advancedtls"
)

// specify cert + key file here (optionally set refresh duration. default: 1 hr)
clientIdentityOptions := pemfile.Options{
	CertFile:        clientCertFilename,
	KeyFile:         clientKeyFilename,
	RefreshDuration: credRefreshingInterval,
}

// create new IdentityProvider passing in Options; it watches the files and
// hands the latest cert + key to every new handshake
clientIdentityProvider, err := pemfile.NewProvider(clientIdentityOptions)
if err != nil {
	log.Fatalf("pemfile.NewProvider: %v", err)
}
defer clientIdentityProvider.Close() // stops the file watcher when the client shuts down

// pass in clientIdentityProvider to IdentityOption in client options
clientOptions := &advancedtls.ClientOptions{
	IdentityOptions: advancedtls.IdentityCertificateOptions{
		IdentityProvider: clientIdentityProvider,
	},
	// ... other ClientOptions fields, elided in the original
}

// create credentials
clientTLSCreds, err := advancedtls.NewClientCreds(clientOptions)
if err != nil {
	log.Fatalf("advancedtls.NewClientCreds: %v", err)
}

// Make a connection using the credentials.
conn, err := grpc.Dial(address, grpc.WithTransportCredentials(clientTLSCreds))
if err != nil {
	log.Fatalf("grpc.Dial: %v", err)
}
defer conn.Close()

Also you could check out the example from advancedTLS in our repo here.

Let us know if this helps.

@github-actions

This issue is labeled as requiring an update from the reporter, and no update has been received after 6 days. If no update is provided in the next 7 days, this issue will be automatically closed.

@github-actions github-actions bot added the stale label Nov 21, 2022
@fabmade
Author

fabmade commented Nov 22, 2022

@arvindbr8 perfect, thank you very much for your help!

@fabmade fabmade closed this as completed Nov 22, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 22, 2023