[TINKERPOP-3146] Support hot reloading of SSL certificates by cdegroc · Pull Request #3078 · apache/tinkerpop

cdegroc · 2025-03-26T16:22:50Z

This PR introduces support for dynamic reloading of SSL certificates:

Adds a file watcher that monitors certificate files for changes every minute. When changes are detected, the certificates are reloaded.
Integrates the (Apache License) Hakky54/sslcontext-kickstart library (as suggested by the TinkerPop community) to enable hot-reloading of SSL certificates.

Addresses https://issues.apache.org/jira/browse/TINKERPOP-3146

codecov-commenter · 2025-03-26T16:51:01Z

Codecov Report

❌ Patch coverage is 65.75342% with 25 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.18%. Comparing base (9b46b67) to head (0537cbe).
⚠️ Report is 453 commits behind head on 3.7-dev.

Files with missing lines	Patch %	Lines
.../tinkerpop/gremlin/server/AbstractChannelizer.java	39.28%	14 Missing and 3 partials ⚠️
.../server/util/SSLStoreFilesModificationWatcher.java	81.81%	4 Missing and 4 partials ⚠️

Additional details and impacted files

@@              Coverage Diff              @@
##             3.7-dev    #3078      +/-   ##
=============================================
+ Coverage      76.14%   76.18%   +0.04%     
- Complexity     13152    13257     +105     
=============================================
  Files           1084     1090       +6     
  Lines          65160    67536    +2376     
  Branches        7285     7360      +75     
=============================================
+ Hits           49616    51455    +1839     
- Misses         12839    13360     +521     
- Partials        2705     2721      +16

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

cdegroc · 2025-03-28T12:25:23Z

            sslSettings.needClientAuth = ClientAuth.REQUIRE;
        }

-        builder.clientAuth(sslSettings.needClientAuth).sslProvider(provider);


📝 SSLFactory does not expose an option to configure the SSL Provider. Instead, we configure it below (L. 381) on the Netty SslContextBuilder built from the SSLFactory.

kenhuuu · 2025-04-02T04:31:41Z

It seems like this is the case, but I just wanted to confirm, the swapping is instant/atomic right? As in, theres no way for the SSL context to change during a handshake?

cdegroc · 2025-04-18T13:58:18Z

It seems like this is the case, but I just wanted to confirm, the swapping is instant/atomic right? As in, theres no way for the SSL context to change during a handshake?

That's my understanding, yes. This section in the library's documentation describes how the SSLFactoryUtils#reload call works at a high level (code). Looking at the code, the underlying KeyManager (resp. TrustManager) are swapped atomically (using locks), after which the existing SSLSessions are invalided, requiring a new handshake.

kenhuuu · 2025-04-21T19:01:37Z

VOTE +1

Cole-Greer · 2025-04-21T21:14:26Z

            <artifactId>logback-classic</artifactId>
            <optional>true</optional>
        </dependency>
+        <dependency>


Note: This package is Apache 2 licensed with no provided NOTICE file. I see no concerns from a licensing standpoint.

Cole-Greer · 2025-04-21T21:14:41Z

VOTE +1

cdegroc · 2025-04-28T12:59:55Z

👋 Hey @andreachild, I've addressed your comment. Would you mind taking another look at the updated version when you have a chance? Thanks a lot!

Set refreshInterval to <= 0 to disable hot reloading (previous behavior)

andreachild · 2025-04-30T16:58:38Z

VOTE +1

Adds a file watcher that monitors certificate files for changes every minute. When changes are detected, the certificates are reloaded. Integrates the (Apache License) Hakky54/sslcontext-kickstart library (as suggested by the TinkerPop community) to enable hot-reloading of SSL certificates.

cdegroc force-pushed the reload-certificates-with-sslcontext-kickstart branch from 4b5be2d to 87c578c Compare March 26, 2025 16:29

cdegroc force-pushed the reload-certificates-with-sslcontext-kickstart branch 4 times, most recently from a8f30ff to 054f60f Compare March 28, 2025 12:22

cdegroc commented Mar 28, 2025

View reviewed changes

cdegroc force-pushed the reload-certificates-with-sslcontext-kickstart branch 4 times, most recently from 50b6c91 to bd05ee0 Compare March 28, 2025 15:15

cdegroc changed the title ~~Support hot reloading of SSL certificates~~ [TINKERPOP-3146] Support hot reloading of SSL certificates Apr 1, 2025

cdegroc force-pushed the reload-certificates-with-sslcontext-kickstart branch from 9405e8a to 3c3cc63 Compare April 1, 2025 12:14

cdegroc marked this pull request as ready for review April 1, 2025 12:59

andreachild reviewed Apr 1, 2025

View reviewed changes

Comment thread gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java Outdated

kenhuuu reviewed Apr 2, 2025

View reviewed changes

Comment thread ...src/main/java/org/apache/tinkerpop/gremlin/server/util/SSLStoreFilesModificationWatcher.java Outdated

[TINKERPOP-3146] Support hot reloading of SSL certificates

129d1a4

cdegroc force-pushed the reload-certificates-with-sslcontext-kickstart branch from 3c3cc63 to ca0ec97 Compare April 18, 2025 14:34

[TINKERPOP-3146] Address PR comments

d144f57

cdegroc force-pushed the reload-certificates-with-sslcontext-kickstart branch from ca0ec97 to d144f57 Compare April 18, 2025 14:35

Cole-Greer reviewed Apr 21, 2025

View reviewed changes

andreachild reviewed Apr 29, 2025

View reviewed changes

Comment thread gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java Outdated

[TINKERPOP-3146] Allow disabling hot reloading

0537cbe

Set refreshInterval to <= 0 to disable hot reloading (previous behavior)

Cole-Greer merged commit 8f25b74 into apache:3.7-dev May 3, 2025
24 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[TINKERPOP-3146] Support hot reloading of SSL certificates#3078

[TINKERPOP-3146] Support hot reloading of SSL certificates#3078
Cole-Greer merged 3 commits into
apache:3.7-devfrom
cdegroc:reload-certificates-with-sslcontext-kickstart

cdegroc commented Mar 26, 2025 •

edited

Loading

Uh oh!

codecov-commenter commented Mar 26, 2025 •

edited

Loading

Uh oh!

cdegroc Mar 28, 2025

Uh oh!

Uh oh!

Uh oh!

kenhuuu commented Apr 2, 2025

Uh oh!

cdegroc commented Apr 18, 2025

Uh oh!

kenhuuu commented Apr 21, 2025

Uh oh!

Cole-Greer Apr 21, 2025

Uh oh!

Cole-Greer commented Apr 21, 2025

Uh oh!

cdegroc commented Apr 28, 2025 •

edited

Loading

Uh oh!

Uh oh!

andreachild commented Apr 30, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

cdegroc commented Mar 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov-commenter commented Mar 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

cdegroc Mar 28, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

kenhuuu commented Apr 2, 2025

Uh oh!

cdegroc commented Apr 18, 2025

Uh oh!

kenhuuu commented Apr 21, 2025

Uh oh!

Cole-Greer Apr 21, 2025

Choose a reason for hiding this comment

Uh oh!

Cole-Greer commented Apr 21, 2025

Uh oh!

cdegroc commented Apr 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

andreachild commented Apr 30, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

cdegroc commented Mar 26, 2025 •

edited

Loading

codecov-commenter commented Mar 26, 2025 •

edited

Loading

cdegroc commented Apr 28, 2025 •

edited

Loading