
[CHANGED] Reload TLS certificates on reconnect #1264

Merged 2 commits, May 16, 2023

Conversation

piotrpio
Collaborator

  • Use callbacks when reconnecting to get current cert/key and CAs (similar to credentials)
  • Send async error on failed connect (previously only protocol auth errors were reported)

Signed-off-by: Piotr Piotrowski <piotr@synadia.com>
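The callback approach the two bullets above describe, as an added example rather than nats.go's own code: a tls.Config whose client-certificate callback re-reads the cert/key files on every handshake, plus the smoke test at option-build time that the review below asks for. `reloadingClientCert` and the `writeSelfSigned` fixture are hypothetical names, and the file paths come from the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// reloadingClientCert builds a tls.Config whose GetClientCertificate callback
// re-reads certFile/keyFile on every handshake, so a certificate rotated on disk
// is used at the next reconnect instead of the pair captured at startup. The pair
// is loaded once here as a smoke test, so a bad path fails while the option is
// built rather than surfacing later inside reconnect handling.
func reloadingClientCert(certFile, keyFile string) (*tls.Config, error) {
	load := func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, fmt.Errorf("error loading client certificate: %w", err)
		}
		return &cert, nil
	}
	if _, err := load(nil); err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, GetClientCertificate: load}, nil
}

// writeSelfSigned overwrites certFile/keyFile with a constructed self-signed RSA
// pair carrying the given serial; it stands in for an external rotation of the files.
func writeSelfSigned(certFile, keyFile string, serial int64) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	if err := os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), 0o600)
}
```

Because the callback is consulted on each handshake, the same tls.Config serves the rotated certificate after the files change, with no restart and no rebuilt options.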
@coveralls

coveralls commented May 12, 2023


Coverage: 85.237% (+0.03%) from 85.211% when pulling 2782dde on tls-certs-reload into 2765665 on main.

@piotrpio piotrpio requested review from wallyqs and Jarema May 12, 2023 11:55
}
if o.TLSConfig == nil {
o.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
}
o.TLSConfig.RootCAs = pool
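Review bot: `o.TLSConfig.RootCAs = pool` unconditionally replaces any RootCAs a caller already set on a TLSConfig they supplied themselves, while the `if o.TLSConfig == nil` branch only covers the no-config case; if this option is meant to take precedence, state that in the option's doc comment, otherwise callers combining their own config with this option silently lose their pool.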
Member


I think we need to smoke test the callback at least once when building the option here, and return in case there is an error; otherwise it won't fail until much later and will fall into the reconnect logic, potentially hiding some of the errors.

Collaborator Author


Good call - done

@@ -2474,6 +2509,9 @@ func (nc *Conn) sendConnect() error {
// Read the rest now...
proto, err = nc.readProto()
if err != nil {
if !nc.initc && nc.Opts.AsyncErrorCB != nil {
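Review bot: the `!nc.initc` guard means a `readProto` error during the initial connect is never delivered to `AsyncErrorCB` and only comes back through the returned `err`, which is sensible for a synchronous Connect but reads against the description's "Send async error on failed connect"; a one-line comment here stating that initial-connect errors are returned to the caller rather than reported asynchronously would make the intent clear.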
Member


These would probably help with the visibility of the errors I was mentioning above 👍; I still think it might be better to just check that the callbacks work at config time (bad path to client cert) rather than after connect init has started, otherwise I think the last error on connect would be "no servers available" instead of the config error.

Signed-off-by: Piotr Piotrowski <piotr@synadia.com>
@piotrpio piotrpio requested a review from wallyqs May 15, 2023 07:29
Member

@wallyqs wallyqs left a comment


LGTM

@piotrpio piotrpio merged commit d18be03 into main May 16, 2023
2 of 3 checks passed
@piotrpio piotrpio deleted the tls-certs-reload branch May 16, 2023 15:49
@piotrpio piotrpio mentioned this pull request May 23, 2023