Skip to content

feat: reloadable tls client config #7230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

feat: reloadable tls client config #7230

wants to merge 9 commits into from
+411 −118

Conversation

@shuiyisong
Copy link
Contributor

@shuiyisong shuiyisong commented Nov 14, 2025
edited
Loading

I hereby agree to the terms of the GreptimeDB CLA.

Refer to a related PR or issue link (optional)

What's changed and what's your intention?

This patch introduces the ability for channel_manager to use a re-loadable client TLS config to automatically reload the TLS files when changed.
The ReloadableTlsServerConfig is now extracted into reloadable_tls for reuse.

PR Checklist

Please convert it to a draft if some of the following conditions are not met.

  • I have written the necessary rustdoc comments.
  • I have added the necessary unit tests and integration tests.
  • This PR requires documentation updates.
  • API changes are backward compatible.
  • Schema or data changes are backward compatible.

@github-actions github-actions bot added size/M docs-not-required This change does not impact docs. labels Nov 14, 2025
@shuiyisong shuiyisong force-pushed the feat/reload_tls_in_gRPC_client branch from caf3366 to cfcf157 Compare November 17, 2025 06:58
@shuiyisong shuiyisong marked this pull request as ready for review November 17, 2025 06:58
@shuiyisong shuiyisong requested review from a team, waynexia and zhongzc as code owners November 17, 2025 06:58
@evenyag evenyag requested review from MichaelScofield and removed request for zhongzc November 18, 2025 06:49
@fengys1996 fengys1996 self-requested a review November 18, 2025 07:40
MichaelScofield
MichaelScofield reviewed Nov 19, 2025
View reviewed changes
src/servers/src/tls.rs
pub fn maybe_watch_server_tls_config(
tls_server_config: Arc<ReloadableTlsServerConfig>,
) -> Result<()> {
common_grpc::reloadable_tls::maybe_watch_tls_config(tls_server_config, || {}).map_err(|e| {
Copy link
Collaborator

@MichaelScofield MichaelScofield Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If server TLS config is changed, do we need to proactively close all connected client channels?

Copy link
Contributor Author

@shuiyisong shuiyisong Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The newly request would be served using the new TLS config in MySQL and PG, but the connected/alive connection stays unaffected. What do you think, should we actively close the connection to force refresh TLS change? @sunng87

Copy link
Member

@sunng87 sunng87 Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we don't need to. The previous connection should work seamlessly because all state is already in memory.

Copy link
Collaborator

@MichaelScofield MichaelScofield Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But doesn't this make TLS reloading less meaningful? Is the primary concern that the server reload TLS about potential certificate leak?

@shuiyisong shuiyisong requested a review from discord9 as a code owner November 19, 2025 03:32
fengys1996
fengys1996 reviewed Nov 19, 2025
View reviewed changes
src/common/grpc/src/reloadable_tls.rs
info!("Spawning background task for watching TLS cert/key file changes");
std::thread::spawn(move || {
let _watcher = watcher;
while let Ok(res) = rx.recv() {
Copy link
Contributor

@fengys1996 fengys1996 Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Should we ignore the error here? Or add log

@shuiyisong shuiyisong force-pushed the feat/reload_tls_in_gRPC_client branch from bfdaeda to 1e60e34 Compare November 20, 2025 06:15
@sunng87
Copy link
Member

sunng87 commented Nov 22, 2025

To be clear, in this patch we only changed intra-cluster grpc client to reload certificate. The grpc server is not covered, right?

@shuiyisong
Copy link
Contributor Author

shuiyisong commented Nov 24, 2025

To be clear, in this patch we only changed intra-cluster grpc client to reload certificate. The grpc server is not covered, right?

Yes, this only change the gRPC client(channel manager) to be able to reload the TLS change. The gRPC server of the database is not changed.

@sunng87
Copy link
Member

sunng87 commented Nov 24, 2025

This can introduce an issue if all clients reloads certs automatically but server doesn't. The updated client will not be able to connect to server without a restart.

sunng87
sunng87 approved these changes Nov 24, 2025
View reviewed changes
Copy link
Member

@sunng87 sunng87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed with @shuiyisong , this will be used for communication between database and external services like authentication providers or something.

But we still need to ensure the cert reload will work if intra-cluster grpc is configured with tls.

@sunng87 sunng87 enabled auto-merge November 24, 2025 03:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MichaelScofield MichaelScofield MichaelScofield approved these changes

@fengys1996 fengys1996 fengys1996 left review comments

@sunng87 sunng87 sunng87 approved these changes

@waynexia waynexia Awaiting requested review from waynexia waynexia is a code owner

@discord9 discord9 Awaiting requested review from discord9 discord9 is a code owner

Assignees

No one assigned

Labels

docs-not-required This change does not impact docs. size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@shuiyisong @sunng87 @MichaelScofield @fengys1996