
Enable reloading CA without a restart

Open hongbin opened this issue 2 years ago • 5 comments

  • Add two options to server: "client-root-ca-reload" and "peer-root-ca-reload". By default, these options are false. Whenever the options are enabled, the server will dynamically load CA keys & certs.
  • Provide an implementation for "GetConfigForClient". This will allow the server to load CA files on each TLS handshake.
  • Provide an implementation for "VerifyConnection". This will allow clients (for peer connections) to load CA files per request.

Note: this patch implements CA reloading without performance optimization. Optimization could be done in the future. A potential optimization is to avoid loading the CA on each request. We could implement a background routine to periodically load CA files instead.

Fixes https://github.com/etcd-io/etcd/issues/11555

hongbin avatar Aug 28 '23 20:08 hongbin
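The server-side hook described above, as an added example that is not etcd's code and not the patch under discussion. It assumes a PEM bundle at a caller-supplied path, a single-level CA (no intermediates), and the unoptimized behaviour the description mentions: the bundle is read on every handshake. The certificate fixtures, names (`ca.test`, `server.test`, `client.test`) and the temp-file path are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// loadCAPool builds a fresh pool from the PEM bundle at path. It is called on
// every handshake, so an updated file takes effect without a restart.
func loadCAPool(path string) (*x509.CertPool, error) {
	pemBytes, err := os.ReadFile(path)
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("cannot load CA bundle %s (read error: %v)", path, err)
	}
	return pool, nil
}

// serverConfig is the "client-root-ca-reload" idea: the returned config is a
// template, and GetConfigForClient hands crypto/tls a per-handshake clone whose
// ClientCAs was just read from disk. An unreadable or empty bundle returns an
// error, which aborts that handshake instead of silently accepting any client.
func serverConfig(caPath string, cert tls.Certificate) *tls.Config {
	base := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert}
	base.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		pool, err := loadCAPool(caPath)
		if err != nil {
			return nil, err
		}
		cfg := base.Clone()
		cfg.ClientCAs = pool
		return cfg, nil
	}
	return base
}

// issueCert is constructed test material: a self-signed CA when parent is nil,
// otherwise a leaf for name signed by parent. Returns the cert and its PEM.
func issueCert(name string, parent *tls.Certificate) (tls.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, interface{}(key)
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err) // fixtures only: a failure here is a bug in the demo itself
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf},
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// acceptsClient drives the hook as crypto/tls does at handshake time: fetch the
// per-connection config, then verify the client leaf against its ClientCAs.
func acceptsClient(srv *tls.Config, client *x509.Certificate) error {
	perConn, err := srv.GetConfigForClient(&tls.ClientHelloInfo{})
	if err != nil {
		return err
	}
	_, err = client.Verify(x509.VerifyOptions{Roots: perConn.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// demo writes CA #1 to caPath and checks its client cert is accepted, then
// replaces the file with CA #2 and repeats the check on the same, unrestarted config.
func demo(caPath string) (before, after error) {
	ca, caPEM := issueCert("ca.test", nil)
	server, _ := issueCert("server.test", &ca)
	client, _ := issueCert("client.test", &ca)
	srv := serverConfig(caPath, server)
	os.WriteFile(caPath, caPEM, 0o600)
	defer os.Remove(caPath)
	before = acceptsClient(srv, client.Leaf)
	_, rotatedPEM := issueCert("ca.test", nil) // CA rotation: new key, same name
	os.WriteFile(caPath, rotatedPEM, 0o600)
	return before, acceptsClient(srv, client.Leaf)
}

func main() {
	before, after := demo(os.TempDir() + "/ca-reload-demo.pem")
	fmt.Printf("before rotation: %v\nafter rotation: %v\n", before, after)
}
```

Running it prints no error before the rotation and a verification error afterwards, without the `tls.Config` ever being rebuilt. Two points to keep in mind when applying the same pattern to the peer side: crypto/tls has no client-side counterpart of `GetConfigForClient`, so a client that reloads the pool inside `VerifyConnection` must also set `InsecureSkipVerify` and perform the complete check itself (chain, validity period and hostname), and any gap in that callback silently weakens peer authentication rather than failing the handshake; and the hook must fail closed, as above, when the bundle is missing or empty, since returning an empty pool would reject everyone while a nil pool would fall back to the stale template.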

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 17 '24 12:03 stale[bot]

hello, we are also in need of this feature

E: can we remove the stale tag?

vladorf avatar Jun 06 '24 09:06 vladorf

Contributions are welcomed!

serathius avatar Jun 06 '24 12:06 serathius

:wave: hey Marek, you mean we can contribute with the review? :)

oblazek avatar Jun 06 '24 12:06 oblazek

Please start from contributing to discussion https://github.com/etcd-io/etcd/issues/11555.

Please note that "I need it" is not a productive comment.

serathius avatar Jun 06 '24 12:06 serathius

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 26 '25 07:04 stale[bot]