IGNITE-28867 Implement TLS certificate hot redeployment via control.sh --ssl reload#13335
IGNITE-28867 Implement TLS certificate hot redeployment via control.sh --ssl reload#13335anton-vinogradov wants to merge 1 commit into
Conversation
2cc7619 to
edaee64
Compare
|
/runall 🚀 RunAll queued — build 9200721. The verdict lands here when the run finishes. |
|
Ignite PR Checker verdict · RunAll build 9200721 · 147 suites ran, 0 reused
✅ No test blockers otherwise; 21 pre-existing/flaky filtered out. ♻️ Settled after 3 auto re-run wave(s): #1 — 2 blocker suite(s); #2 — 3 broken suite(s); #3 — 1 broken suite(s). |
…h --ssl reload Reload TLS certificates on running nodes without a restart. The new `control.sh --ssl reload` command re-reads the configured key and trust stores from disk and replaces the active SSL context for the communication, discovery, thin client (client connector) and binary (TCP) REST transports. New connections use the updated certificates while established sessions are not interrupted. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
edaee64 to
d39d081
Compare
|
Ignite PR Checker verdict · RunAll build 9205392 · 147 suites ran, 0 reused ✅ No blockers — nothing in this run looks caused by this PR. 31 pre-existing/flaky tests filtered out. |
|
Ignite PR Checker verdict · RunAll build 9206015 · 17 suites ran, 130 reused ✅ No blockers — nothing in this run looks caused by this PR. 10 pre-existing/flaky tests filtered out. |
Overview
Implements IGNITE-28867: hot redeployment of TLS certificates on running nodes, without a full restart.
TLS certificates were previously loaded once at node startup, so rotating them required restarting every node. This PR adds a new
control.sh --ssl reloadcommand that re-reads the configured key and trust stores from disk and replaces the activeSSLContext. New connections use the updated certificates while established sessions are not interrupted.Mechanism
AbstractSslContextFactory.reload()rebuilds the cachedSSLContextfrom the current factory configuration (re-reading the key/trust stores from disk). On failure the previously cached context is kept intact.GridNioSslFilter.sslCtxis nowvolatilewithupdateSslContext(...); new sessions build theirSSLEnginefrom the new context, existing sessions keep their engines.SslContextReloadableinterface (reloadSslContext()) is implemented by each SSL-enabled transport.Coverage per transport:
sslSockFactory/sslSrvSockFactoryrebuiltCommand
A new root
--sslcommand group with areloadsub-command. It broadcasts aVisorMultiNodeTaskto all server nodes; each node reloads its own certificates locally and reports which transports were reloaded. Modelled afterencryption change_master_key.Known limitation (documented)
For the discovery transport, new outgoing connections use the reloaded certificates immediately, but the already-bound listening server socket keeps serving the previously loaded certificate to incoming connections until it is recreated (e.g. when the node re-enters the ring), because
SSLServerSocketcaptures the SSL context at creation time. Recreating the discovery server socket at runtime is intentionally avoided as too disruptive for the ring.The Jetty HTTP REST protocol manages its own SSL and is out of scope (the default
GridRestProtocol.reloadSslContext()is a no-op).Tests
SslContextFactoryReloadTest— a real loopback TLS handshake confirms that after the key store file is replaced on disk,reload()serves a different certificate, whilecreate()keeps its caching semantics.SslContextReloadNodeTest— a two-node SSL cluster runs the actual--ssl reloadtask; asserts communication/discovery/client-connector are reloaded and the cluster keeps operating (established sessions are not interrupted); a non-SSL node reports nothing to reload.Both
control.sh --helpgolden files were updated. Strict-Pcheckstylepasses.Docs / Release Notes
docs/_docs/tools/control-script.adoc— new "TLS Certificate Hot Reload" section (Docs Required flag).🤖 Generated with Claude Code