Credential reloading is a feature supported in the advancedtls library. A very common way to achieve this is to reload from files.
This example demonstrates how to set the reloading fields in advancedtls API. Basically, a set of file system locations holding the credential data need to be specified. Once the credential data needs to be updated, users just change the credential data in the file system, and gRPC will pick up the changes automatically.
This example only shows how to set the API, without demonstrating the way to reload credentials on file system.
To learn more about how to do that in Go, please see advancedtls_integration_test.go.
A couple of things to note:
- once a connection is authenticated, we will NOT re-trigger the authentication even after the credential gets refreshed.
- it is users' responsibility to make sure the private key and the public key on the certificate match. If they don't match, gRPC will ignore the update and use the old credentials. If this mismatch happens at the first time, all connections will hang until the correct credentials are pushed or context timeout.
In directory security/advancedtls/examples:
go run server/main.go
go run client/main.go