-
Notifications
You must be signed in to change notification settings - Fork 707
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Implemented ability to dynamically reload TLS certificates #866
base: main
Are you sure you want to change the base?
Conversation
Hey @jeevatkm ! As discussed, here is the PR. If you are happy with the changes, I can update doc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cdoucy Thanks for creating a PR. Please take a look at my feedback.
- Make use of https://pkg.go.dev/time#Ticker to execute the function to reload based on a timer
- Do not use
OnBeforeRequest
, instead keep the loading directly into the client instance TLS config - Do not combine RootCA and ClientCA certs pool; keep them separate by nature
- 1 minute seems very frequent; certificate refresh only happens occasionally in a practical scenario. For now, let's keep 24 hours; then user can decide on it
- Keep pem refresher as part of client struct. Once it becomes part of the client, then we do not need lastChecked, log, debug, and certPool as part of the watcher
Hi @jeevatkm thanks for the feedback!
yes, but that means that
Note sure to understand what you mean here. P.S. : I wish I could leverage |
@cdoucy I'm not 100% sure, do we really need a context for this use case? I may try to explain an approach based on what I learned from your PR and currently what is coming to my mind. This is not perfect; I am just dumping my thoughts. type CertWatcherOptions struct {
// Default interval is 24 hours
PoolInterval time.Duration
}
func (c *Client) SetRootCertificateWatcher(certPath string, options *CertWatcherOptions) *Client {
c.SetRootCertificate(certPath)
c.initRootCertWatcher(options)
return c
}
func (c *Client) SetClientRootCertificateWatcher(certPath string, options *CertWatcherOptions) *Client {
c.SetClientRootCertificate(certPath)
c.initClientRootCertWatcher(options)
return c
}
func (c *Client) initRootCertWatcher() {
c.rootCAWatcher = &pemWatcher{
// ...
}
// ...
}
func (c *Client) initClientRootCertWatcher() {
c.clientRootCAWatcher = &pemWatcher{
// ...
}
// ...
} So, that user could call We can add a method to the Client Stop cert watcher ticker and add documentation for users to call that method from their shutdown hook scenarios. What do you think? |
@cdoucy, I thought I would check with you about the last comment. |
Hello @jeevatkm, Thanks for your feedback! Sorry for the delayed response. I'll work on applying your suggestion. |
@cdoucy, Can you please implement it against the main branch for Resty v3? I plan to introduce the method Then the user would do something like this v3 onwards - client := resty.New()
defer client.Close()
... |
Hi @jeevatkm , sure! |
Hi @jeevatkm ! Hope you are doing well. I've made the following change to the PR:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cdoucy Thanks for updating PR. The implementation looks good.
I have added one comment and one thought; please have a look.
@@ -208,6 +212,8 @@ type Client struct { | |||
contentTypeDecoders map[string]ContentTypeDecoder | |||
contentDecompressorKeys []string | |||
contentDecompressors map[string]ContentDecompressor | |||
stopChan chan bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cdoucy, I wonder if we need an additional channel to stop the ticker. I will think about it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The other approach I considered is to maintain a slice that would keep track of all time.Ticker
instances, and the Close()
method would iterate over this slice and stop all the tickers.
I judged that the channel approach is easier to implement and more in line with golang idiomatics.
Do you see any other approaches?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't get a chance to look at it deeper. We can keep the current approach. If needed, I can improve it afterward.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cdoucy Thanks for updating the PR.
@cdoucy It seems there is a test case failure. Can you please take care of it? |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #866 +/- ##
==========================================
- Coverage 98.15% 97.50% -0.65%
==========================================
Files 14 16 +2
Lines 2329 3171 +842
==========================================
+ Hits 2286 3092 +806
- Misses 23 56 +33
- Partials 20 23 +3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@cdoucy Thanks for fixing the test cases. Can you please look at the missed lines in the test coverage? |
Fixes #856