Automatic TLS reload#3020
Conversation
|
Hi @madolson @zuiderkwast, |
|
On a side note: |
5b53e48 to
55bac7c
Compare
Signed-off-by: Yang Zhao <zymy701@gmail.com>
55bac7c to
bdadaf0
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## unstable #3020 +/- ##
============================================
+ Coverage 74.26% 74.27% +0.01%
============================================
Files 129 129
Lines 70975 71014 +39
============================================
+ Hits 52710 52747 +37
- Misses 18265 18267 +2
🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR implements automatic background TLS certificate reloading to allow seamless certificate rotation without server downtime. The feature adds a new tls-auto-reload-interval configuration option that enables periodic checking and reloading of TLS materials (certificates, keys, and CA files).
Key changes:
- New
tls-auto-reload-intervalconfiguration parameter (default: 0/disabled) to control reload frequency - Change detection using SHA-256 fingerprints for certificate files and inode+mtime for directories and key files
- Background reload architecture using dedicated BIO worker thread (
BIO_TLS_RELOAD) to avoid blocking the main thread during certificate parsing
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| valkey.conf | Added documentation for the new tls-auto-reload-interval configuration option |
| src/config.c | Registered the new tls-auto-reload-interval configuration parameter |
| src/tls.c | Refactored TLS configuration into sync/async variants, added change detection logic, and implemented background reload mechanism |
| src/server.h | Added function declarations for TLS reload functions with appropriate build guards |
| src/server.c | Integrated TLS auto-reload checks into serverCron |
| src/bio.h | Added BIO_TLS_RELOAD job type and bioCreateTlsReloadJob function declaration |
| src/bio.c | Implemented BIO worker support for TLS reload jobs |
| tests/unit/tls.tcl | Added comprehensive test coverage for auto-reload functionality including change detection, validation, and CA directory handling |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
madolson
left a comment
There was a problem hiding this comment.
Thanks, most of it looks really good. Two more significant comments and minor stylistic comments.
Thanks! Will take a look at the rest shortly, been a busy start of a year but we should definitely get these merged for 9.1! |
|
Thanks Madelyn for the review! Really appreciate you taking the time. I’ll address the comments soon. |
Signed-off-by: Yang Zhao <zymy701@gmail.com>
|
Planning changes based on the review comments:
|
madolson
left a comment
There was a problem hiding this comment.
Major decision approved in weekly meeting.
|
Just one question: Key file and cert file need to be updated together, because the private key in the key file needs to match the public key in the certificate. Is there a race here? I mean if you replace the cert file and the key file on disk and the automatic reload kicks in and reloads only one of the files, is that a problem? I remember we made CONFIG SET accept multiple parameters (in Redis 7.0) and the main benefit of that change was to be able to set tls-cert-file and tls-key-file together atomically. |
I don’t think this should be a problem in practice. If only one of the cert or key files is updated and an automatic reload is triggered, With the proposed change to:
A subsequent reload attempt will still be triggered once both files are updated, so the system can converge to a consistent state.
Yes this is a great feature. The mismatch would be problematic for |
Signed-off-by: Yang Zhao <zymy701@gmail.com>
… load latest Signed-off-by: Yang Zhao <zymy701@gmail.com>
Signed-off-by: Yang Zhao <zymy701@gmail.com>
|
Hi @madolson @zuiderkwast, thanks again for the review! I’ve addressed the feedback and pushed the updates. Happy to make further changes if needed. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Yang Zhao <zymy701@gmail.com>
zuiderkwast
left a comment
There was a problem hiding this comment.
LGTM.
I only added some minor suggestion about the documentation of the config.
We should also add some information in https://github.com/valkey-io/valkey-doc/blob/main/topics/encryption.md (which btw can need some more improvements. We should mention how to use it first. How to build it can moved be further down or just be in the README file of the valkey repo instead.)
Signed-off-by: Yang Zhao <zymy701@gmail.com>
|
Hi @zuiderkwast, thank you for the review!
Agree the "how to build" part could stay in the valkey repo README, and the doc might be better focused on “how to use”. |
We don't really need an issue but you can open one if you want to keep track. We often use the You could also include any changes for your other TLS related PRs in the same doc PR.
Please don't wait until after Valkey 9.1 is released. We would like the docs to be ready before the GA release date. It's OK to do the docs after this PR is merged though. |
madolson
left a comment
There was a problem hiding this comment.
Looks good to me, thanks for the work!
Agree with Viktor, open the PR whenever for TLS. |
### Overview This PR adds support for automatic background TLS reloading, closes valkey-io#2649 TLS validity checks and fail-fast behavior on invalid certificates are handled separately in valkey-io#2999. - New configuration - `tls-auto-reload-interval <seconds>` - `0` disabled (default, backward compatible) - `>0` check interval in seconds - TLS materials change detection in background - SHA-256 fingerprint checking for certificate files - `inode + mtime` checking for CA certificate directories and key files - Skips reload if materials haven't changed `tlsCheckMaterialsAndUpdateCache` - TLS contexts reload - CPU-intensive certificate parsing happens in dedicated BIO worker thread `BIO_TLS_RELOAD` - Main thread never blocks, atomically swaps SSL contexts - Two-phase reload: background preparation `tlsConfigureAsync` + main thread application `tlsApplyPendingReload` **Note**: Original TLS load and reload still remain in main thread using `tlsConfigureSync`, including: - Initial TLS load (server startup) - Runtime reload via CONFIG SET --------- Signed-off-by: Yang Zhao <zymy701@gmail.com> Signed-off-by: arshidkv12 <arshidkv12@gmail.com>
|
Opened the PR for TLS valkey-io/valkey-doc#402 |
Changes include: - Unify TLS topic naming: previously some references used “encryption” while others used “tls” - Remove source code repo specific information: instructions on building or running unit tests - Add information on new TLS feature and behavior: - valkey-io/valkey#2999 - valkey-io/valkey#3020 --------- Signed-off-by: Yang Zhao <zymy701@gmail.com>
### Overview This PR adds support for automatic background TLS reloading, closes valkey-io#2649 TLS validity checks and fail-fast behavior on invalid certificates are handled separately in valkey-io#2999. - New configuration - `tls-auto-reload-interval <seconds>` - `0` disabled (default, backward compatible) - `>0` check interval in seconds - TLS materials change detection in background - SHA-256 fingerprint checking for certificate files - `inode + mtime` checking for CA certificate directories and key files - Skips reload if materials haven't changed `tlsCheckMaterialsAndUpdateCache` - TLS contexts reload - CPU-intensive certificate parsing happens in dedicated BIO worker thread `BIO_TLS_RELOAD` - Main thread never blocks, atomically swaps SSL contexts - Two-phase reload: background preparation `tlsConfigureAsync` + main thread application `tlsApplyPendingReload` **Note**: Original TLS load and reload still remain in main thread using `tlsConfigureSync`, including: - Initial TLS load (server startup) - Runtime reload via CONFIG SET --------- Signed-off-by: Yang Zhao <zymy701@gmail.com>
### Overview This PR adds support for automatic background TLS reloading, closes valkey-io#2649 TLS validity checks and fail-fast behavior on invalid certificates are handled separately in valkey-io#2999. - New configuration - `tls-auto-reload-interval <seconds>` - `0` disabled (default, backward compatible) - `>0` check interval in seconds - TLS materials change detection in background - SHA-256 fingerprint checking for certificate files - `inode + mtime` checking for CA certificate directories and key files - Skips reload if materials haven't changed `tlsCheckMaterialsAndUpdateCache` - TLS contexts reload - CPU-intensive certificate parsing happens in dedicated BIO worker thread `BIO_TLS_RELOAD` - Main thread never blocks, atomically swaps SSL contexts - Two-phase reload: background preparation `tlsConfigureAsync` + main thread application `tlsApplyPendingReload` **Note**: Original TLS load and reload still remain in main thread using `tlsConfigureSync`, including: - Initial TLS load (server startup) - Runtime reload via CONFIG SET --------- Signed-off-by: Yang Zhao <zymy701@gmail.com> Signed-off-by: Harkrishn Patro <bunty.hari@gmail.com>
Automatic reload might replace this need in the future: valkey-io/valkey#3020
Overview
This PR adds support for automatic background TLS reloading, closes #2649
TLS validity checks and fail-fast behavior on invalid certificates are handled separately in #2999.
tls-auto-reload-interval <seconds>0disabled (default, backward compatible)>0check interval in secondsinode + mtimechecking for CA certificate directories and key filestlsCheckMaterialsAndUpdateCacheBIO_TLS_RELOADtlsConfigureAsync+ main thread applicationtlsApplyPendingReloadNote: Original TLS load and reload still remain in main thread using
tlsConfigureSync, including:Test results