Auto-port 5.0: Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation #16802
Merged
… cert rotation (#16523)

### Motivation:
The current `OpenSslCachingKeyMaterialProvider` does not evict stale entries after a cert rotation. This is related to a performance concern when using grpc-java (grpc/grpc-java#12670)

### Modification:
Added `evictStaleEntries()`, which removes cached entries whose alias is no longer recognized by the `X509KeyManager`. It is called on a cache miss when new material is successfully loaded, so stale entries from rotated credentials are pruned before inserting the new one.

### Result:
Better support for cert rotation.

Related discussion:
grpc/grpc-java#12686
grpc/grpc-java#12670

---------

Co-authored-by: Chris Vest <christianvest_hansen@apple.com>
(cherry picked from commit 40b824b)
Auto-port of #16523 to 5.0
Cherry-picked commit: 40b824b
Motivation:
The current `OpenSslCachingKeyMaterialProvider` does not evict stale entries after a cert rotation. This is related to a performance concern when using grpc-java (grpc/grpc-java#12670)

Modification:
Added `evictStaleEntries()`, which removes cached entries whose alias is no longer recognized by the `X509KeyManager`. It is called on a cache miss when new material is successfully loaded, so stale entries from rotated credentials are pruned before inserting the new one.

Result:
Better support for cert rotation.
Related discussion:
grpc/grpc-java#12686
grpc/grpc-java#12670
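
The evict-on-miss behavior described above, sketched in Java as an added example; it is not the PR's or Netty's code. The class `AliasCacheSketch`, its `loader` function, the aliases, and the staleness test (`getCertificateChain` returning null) are assumptions made for illustration.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import javax.net.ssl.X509KeyManager;

/** Hypothetical alias-keyed cache sketch; not Netty's OpenSslCachingKeyMaterialProvider. */
public class AliasCacheSketch<V> {
    private final Map<String, V> cache = new ConcurrentHashMap<>();
    private final X509KeyManager keyManager;
    private final Function<String, V> loader; // hypothetical: returns null for an unknown alias

    AliasCacheSketch(X509KeyManager km, Function<String, V> loader) {
        this.keyManager = km;
        this.loader = loader;
    }

    V get(String alias) {
        V hit = cache.get(alias);
        if (hit != null) return hit;
        V loaded = loader.apply(alias);
        if (loaded != null) {        // prune only once the new material has loaded
            evictStaleEntries();
            cache.put(alias, loaded);
        }
        return loaded;
    }

    // Assumption: an alias is stale when the key manager returns no chain for it.
    private void evictStaleEntries() {
        cache.keySet().removeIf(a -> keyManager.getCertificateChain(a) == null);
    }

    public static void main(String[] args) {
        Set<String> live = new HashSet<>(List.of("leaf-2024")); // constructed aliases
        X509KeyManager km = new X509KeyManager() {              // stub standing in for a real key manager
            public X509Certificate[] getCertificateChain(String a) { return live.contains(a) ? new X509Certificate[0] : null; }
            public PrivateKey getPrivateKey(String a) { return null; }
            public String[] getClientAliases(String t, Principal[] i) { return null; }
            public String[] getServerAliases(String t, Principal[] i) { return null; }
            public String chooseClientAlias(String[] t, Principal[] i, java.net.Socket s) { return null; }
            public String chooseServerAlias(String t, Principal[] i, java.net.Socket s) { return null; }
        };
        AliasCacheSketch<String> c = new AliasCacheSketch<>(km, a -> live.contains(a) ? "material:" + a : null);
        c.get("leaf-2024");                    // cached before rotation
        live.clear(); live.add("leaf-2025");   // rotation: the old alias disappears
        c.get("leaf-2025");                    // miss -> load -> evict stale -> insert
        System.out.println(c.cache.keySet());  // aliases still cached after rotation
    }
}
```

Because pruning runs only after a successful load, a lookup for an alias that fails to load leaves the existing entries in place.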