[Proposal] Auto Refresh SSL Certs

[niketh]

Motivation

Whenever SSL certs expire a restart is required to load fresh certs.

Proposed changes

1. Add property druid.server.https.cert.autoRefresh and druid.server.https.cert.autoRefreshPeriod
2. Create class CertificateWatcher which watches for changes in druid.server.https.keyStorePath
3. Once keystore is changed, Jetty does hot reload https://www.eclipse.org/jetty/javadoc/9.4.14.v20181114/org/eclipse/jetty/util/ssl/SslContextFactory.html#reload-java.util.function.Consumer-

[drcrallen]

Interesting proposal.

jetty/jetty.project#918 (comment) has some gotchas that will probably need noted on if it impacts here.

There could be other cases where the key store is not on disk though, yes? for example, if a server does on-the-fly decryption out of blob storage to get the key store, then it wouldn't just be a path that needs watched.

In such a scenario, CertificateWatcher would be an interface and not an implementation, so any sort of updates could be handled by an extension.

[gianm]

What is the purpose of druid.server.https.cert.autoRefreshPeriod, if the idea is that a CertificateWatcher would watch for changes and trigger reloads?

In such a scenario, CertificateWatcher would be an interface and not an implementation, so any sort of updates could be handled by an extension.

Definitely sounds useful to have it be an interface, with an implementation in core that simply watches a file.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.