-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkg/transport: reload TLS certificates for every use #7784
Conversation
Caveats: This requires Go 1.8.1 |
Commit title should be |
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes #7576
So the existing TLS connections will not be terminated even if the cert is changed? Is this the expected behavior? |
That is correct. Because the TLS negotiation occurs only when the connection is opened, ongoing connection can continue. |
yea. i know how tls works. my concerns is that users might expect the existing tls connections to be terminated when they switch key/cert. but i am not a security expert and do not know the common practice. it would be great if you can feed me any related info: like what other projects do online cert/key change. thanks. |
Not terminating existing connections is the usual case. Main reason to replace certs is local renewal. In the more rare case of moving from one trust root to another, it's a conscious act, and restarting the service would be a good way to terminate all connections. Not killing existing connections matches expectation (either automatic reload, or reloading on a SIGHUP.) |
|
||
// Load the certificate from disk every time so when it is replaced we | ||
// will be using the latest version | ||
return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
have you benchmarked the overhead of doing this?
if this brings a huge overhead, we probably need to do caching. (inotify + caching parsed result or simply pull based caching)
ServerName: info.ServerName, | ||
cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) ( | ||
*tls.Certificate, error) { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove this extra empty line at 172
} | ||
cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) ( | ||
*tls.Certificate, error) { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove this empty line.
|
||
// Load the certificate from disk every time so when it is replaced we | ||
// will be using the latest version | ||
return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also consider caching?
@Spindel thanks for the explanation. make sense. |
For our use case we are running etcd in a Kubernetes pod, so we are using an in-memory EmptyDir volume to help with performance. I agree that caching would be desirable, however this patch was meant to be as minimal as possible. It's something I wanted to share with the community for others to build off of, not necessarily to be merged into etcd proper as it currently stands. |
Ok, I can confirm that this works with
Test fails because we still need Thanks! |
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576 Cherry-picked by Gyu-Ho Lee <[email protected]> Original commit can be found at etcd-io#7784
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576 Cherry-picked by Gyu-Ho Lee <[email protected]> Original commit can be found at etcd-io#7784
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576 Cherry-picked by Gyu-Ho Lee <[email protected]> Original commit can be found at etcd-io#7784
Closing in favor of #7829. |
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576 Cherry-picked by Gyu-Ho Lee <[email protected]> Original commit can be found at etcd-io#7784
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576 Cherry-picked by Gyu-Ho Lee <[email protected]> Original commit can be found at etcd-io#7784
This changes the baseConfig used when creating tls Configs to utilize
the GetCertificate and GetClientCertificate functions to always reload
the certificates from disk whenever they are needed.
Always reloading the certificates allows changing the certificates via
an external process without interrupting etcd.
Fixes #7576