IGNITE-28867 Implement TLS certificate hot redeployment via control.sh --ssl reload#13335
Open
anton-vinogradov wants to merge 1 commit into
Open
IGNITE-28867 Implement TLS certificate hot redeployment via control.sh --ssl reload#13335anton-vinogradov wants to merge 1 commit into
anton-vinogradov wants to merge 1 commit into
Conversation
…h --ssl reload Reload TLS certificates on running nodes without a restart. The new `control.sh --ssl reload` command re-reads the configured key and trust stores from disk and replaces the active SSL context for the communication, discovery, thin client (client connector) and binary (TCP) REST transports. New connections use the updated certificates while established sessions are not interrupted. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Implements IGNITE-28867: hot redeployment of TLS certificates on running nodes, without a full restart.
TLS certificates were previously loaded once at node startup, so rotating them required restarting every node. This PR adds a new
control.sh --ssl reloadcommand that re-reads the configured key and trust stores from disk and replaces the activeSSLContext. New connections use the updated certificates while established sessions are not interrupted.Mechanism
AbstractSslContextFactory.reload()rebuilds the cachedSSLContextfrom the current factory configuration (re-reading the key/trust stores from disk). On failure the previously cached context is kept intact.GridNioSslFilter.sslCtxis nowvolatilewithupdateSslContext(...); new sessions build theirSSLEnginefrom the new context, existing sessions keep their engines.SslContextReloadableinterface (reloadSslContext()) is implemented by each SSL-enabled transport.Coverage per transport:
sslSockFactory/sslSrvSockFactoryrebuiltCommand
A new root
--sslcommand group with areloadsub-command. It broadcasts aVisorMultiNodeTaskto all server nodes; each node reloads its own certificates locally and reports which transports were reloaded. Modelled afterencryption change_master_key.Known limitation (documented)
For the discovery transport, new outgoing connections use the reloaded certificates immediately, but the already-bound listening server socket keeps serving the previously loaded certificate to incoming connections until it is recreated (e.g. when the node re-enters the ring), because
SSLServerSocketcaptures the SSL context at creation time. Recreating the discovery server socket at runtime is intentionally avoided as too disruptive for the ring.The Jetty HTTP REST protocol manages its own SSL and is out of scope (the default
GridRestProtocol.reloadSslContext()is a no-op).Tests
SslContextFactoryReloadTest— a real loopback TLS handshake confirms that after the key store file is replaced on disk,reload()serves a different certificate, whilecreate()keeps its caching semantics.SslContextReloadNodeTest— a two-node SSL cluster runs the actual--ssl reloadtask; asserts communication/discovery/client-connector are reloaded and the cluster keeps operating (established sessions are not interrupted); a non-SSL node reports nothing to reload.Both
control.sh --helpgolden files were updated. Strict-Pcheckstylepasses.Docs / Release Notes
docs/_docs/tools/control-script.adoc— new "TLS Certificate Hot Reload" section (Docs Required flag).🤖 Generated with Claude Code