author | Konstantin Khlebnikov <[email protected]> | 2024-04-09 08:14:23 +0300 |
---|---|---|
committer | robot-piglet <[email protected]> | 2024-04-09 08:21:16 +0300 |
commit | a8b456d0e029cb11e445e66fb0dc7b609a546659 (patch) | |
tree | b48f9a00b8165c4b854d36c7ee6ce14d3ac3922c | |
parent | a106791f655eec412494a6a3992be68ca28d6553 (diff) |
HTTP proxy TLS certificate update - follow-up
- Move TLS context commit time into impl
- Update TLS certificates in http proxy control invoker
---
94ebe9cd2c4ddb7b1fd520bf8c6bd6c56baa50fa
Pull Request resolved: https://github.com/ytsaurus/ytsaurus/pull/418
-rw-r--r-- | yt/yt/core/crypto/tls.cpp | 17 | ||||
-rw-r--r-- | yt/yt/core/crypto/tls.h | 3 | ||||
-rw-r--r-- | yt/yt/core/https/server.cpp | 23 | ||||
-rw-r--r-- | yt/yt/core/https/server.h | 5 |
4 files changed, 32 insertions, 16 deletions
diff --git a/yt/yt/core/crypto/tls.cpp b/yt/yt/core/crypto/tls.cpp
index 8ec3bef4b65..5da176043d9 100644
--- a/yt/yt/core/crypto/tls.cpp
+++ b/yt/yt/core/crypto/tls.cpp
@@ -102,7 +102,7 @@ struct TSslContextImpl
 #endif
 }
- void Commit()
+ void Commit(TInstant time)
 {
 SSL_CTX* oldCtx;
 YT_ASSERT(Ctx);
@@ -111,12 +111,19 @@ struct TSslContextImpl
 oldCtx = ActiveCtx_;
 ActiveCtx_ = Ctx;
 Ctx = nullptr;
+ CommitTime_ = time;
 }
 if (oldCtx) {
 SSL_CTX_free(oldCtx);
 }
 }
+ TInstant GetCommitTime() const
+ {
+ auto guard = ReaderGuard(Lock_);
+ return CommitTime_;
+ }
+
 SSL* NewSsl()
 {
 auto guard = ReaderGuard(Lock_);
@@ -133,6 +140,7 @@ struct TSslContextImpl
 private:
 YT_DECLARE_SPIN_LOCK(NThreading::TReaderWriterSpinLock, Lock_);
 SSL_CTX* ActiveCtx_ = nullptr;
+ TInstant CommitTime_;
 };
 DEFINE_REFCOUNTED_TYPE(TSslContextImpl)
@@ -624,13 +632,12 @@ void TSslContext::Reset()
 void TSslContext::Commit(TInstant time)
 {
- CommitTime_ = time;
- Impl_->Commit();
+ Impl_->Commit(time);
 }
-TInstant TSslContext::GetCommitTime()
+TInstant TSslContext::GetCommitTime() const
 {
- return CommitTime_;
+ return Impl_->GetCommitTime();
 }
 void TSslContext::UseBuiltinOpenSslX509Store()
diff --git a/yt/yt/core/crypto/tls.h b/yt/yt/core/crypto/tls.h
index bb9f85503f5..7903cb35701 100644
--- a/yt/yt/core/crypto/tls.h
+++ b/yt/yt/core/crypto/tls.h
@@ -22,7 +22,7 @@ public:
 void Reset();
 void Commit(TInstant time = TInstant::Zero());
- TInstant GetCommitTime();
+ TInstant GetCommitTime() const;
 void UseBuiltinOpenSslX509Store();
@@ -52,7 +52,6 @@ public:
 private:
 const TIntrusivePtr<TSslContextImpl> Impl_;
- TInstant CommitTime_;
 };
 DEFINE_REFCOUNTED_TYPE(TSslContext)
diff --git a/yt/yt/core/https/server.cpp b/yt/yt/core/https/server.cpp
index 96fd1553907..4f7179823bc 100644
--- a/yt/yt/core/https/server.cpp
+++ b/yt/yt/core/https/server.cpp
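Review bot: The new `Commit(TInstant time)` / `GetCommitTime()` pair on `TSslContextImpl` and `TSslContext` is undocumented, and the declarations in tls.h (hunk @@ -22, same change) do not say what `time` denotes; from the only caller in yt/yt/core/https/server.cpp it is the modification time of the certificate files that were loaded, and calling `Commit()` with the default `TInstant::Zero()` satisfies the `modificationTime > GetCommitTime()` half of that caller's reload condition for any real file. A declaration comment such as `//! Activates the pending context; |time| records when the loaded material was last modified and is returned by GetCommitTime() until the next Commit.` on the tls.h declaration would capture that. Keeping `CommitTime_` under the same `Lock_` as `ActiveCtx_` (written in the block whose closing brace follows it, read under `ReaderGuard`) is the right call and deserves a one-line comment on the member; for consistency with `ActiveCtx_ = nullptr` just above it, `TInstant CommitTime_ = TInstant::Zero();` makes the initial value explicit rather than relying on the default constructor. `Commit()`'s body starts before the hunk, so the writer guard itself is not visible here.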
@@ -30,7 +30,7 @@ class TServer : public IServer
 {
 public:
- explicit TServer(IServerPtr underlying, TPeriodicExecutorPtr certificateUpdater)
+ TServer(IServerPtr underlying, TPeriodicExecutorPtr certificateUpdater)
 : Underlying_(std::move(underlying))
 , CertificateUpdater_(certificateUpdater)
 { }
@@ -101,7 +101,8 @@ static void ApplySslConfig(const TSslContextPtr& sslContext, const TServerCrede
 IServerPtr CreateServer(
 const TServerConfigPtr& config,
 const IPollerPtr& poller,
- const IPollerPtr& acceptor)
+ const IPollerPtr& acceptor,
+ const IInvokerPtr& controlInvoker)
 {
 auto sslContext = New<TSslContext>();
 ApplySslConfig(sslContext, config->Credentials);
@@ -113,9 +114,10 @@ IServerPtr CreateServer(
 sslConfig->CertChain->FileName &&
 sslConfig->PrivateKey->FileName)
 {
+ YT_VERIFY(controlInvoker);
 certificateUpdater = New<TPeriodicExecutor>(
- poller->GetInvoker(),
- BIND([=, serverName = config->ServerName] {
+ controlInvoker,
+ BIND([=] {
 try {
 auto modificationTime = Max(
 NFS::GetPathStatistics(*sslConfig->CertChain->FileName).ModificationTime,
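Review bot: The constructor edited in hunk @@ -30 still copies `certificateUpdater` into `CertificateUpdater_` while `underlying` is moved; `, CertificateUpdater_(std::move(certificateUpdater))` would treat both sink parameters the same way. Dropping `explicit` on a two-argument constructor only affects copy-list-initialization, so this is a style change; a short line in the description saying why it was removed would help the next reader. The class body continues outside the hunk.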
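Review bot: `YT_VERIFY(controlInvoker)` in the file-backed-certificate branch of hunk @@ -113 turns the two-argument `CreateServer(config, poller)` overload (hunk @@ -150 in this file) into a process abort whenever `CertChain->FileName` and `PrivateKey->FileName` are both set, because that overload now passes `/*controlInvoker*/ nullptr` where the old code used `poller->GetInvoker()`. If forcing callers to supply an invoker is intended, the two-argument overload's declaration should say that file-backed certificates require the four-argument form; otherwise a fallback along the lines of `controlInvoker ? controlInvoker : poller->GetInvoker()` as the executor's invoker keeps existing callers working. The lambda now captures `config` and `sslConfig` wholesale with `[=]` instead of only `serverName`, which presumably keeps the whole server config alive for as long as the periodic executor runs; a brief comment on the capture would make that deliberate. The enclosing `CreateServer` body continues outside the hunk.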
@@ -125,14 +127,19 @@ IServerPtr CreateServer(
 if (modificationTime > sslContext->GetCommitTime() &&
 modificationTime + sslConfig->UpdatePeriod <= TInstant::Now())
 {
- YT_LOG_INFO("Updating TLS certificates (ServerName: %v, ModificationTime: %v)", serverName, modificationTime);
+ YT_LOG_INFO("Updating TLS certificates (ServerName: %v, ModificationTime: %v)",
+ config->ServerName,
+ modificationTime);
 sslContext->Reset();
 ApplySslConfig(sslContext, sslConfig);
 sslContext->Commit(modificationTime);
- YT_LOG_INFO("TLS certificates updated (ServerName: %v)", serverName);
+ YT_LOG_INFO("TLS certificates updated (ServerName: %v)",
+ config->ServerName);
 }
 } catch (const std::exception& ex) {
- YT_LOG_WARNING(ex, "Unexpected exception while updating TLS certificates (ServerName: %v)", serverName);
+ YT_LOG_WARNING(ex,
+ "Unexpected exception while updating TLS certificates (ServerName: %v)",
+ config->ServerName);
 }
 }),
 sslConfig->UpdatePeriod);
@@ -150,7 +157,7 @@ IServerPtr CreateServer(
 IServerPtr CreateServer(const TServerConfigPtr& config, const IPollerPtr& poller)
 {
- return CreateServer(config, poller, poller);
+ return CreateServer(config, poller, poller, /*controlInvoker*/ nullptr);
 }
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/yt/yt/core/https/server.h b/yt/yt/core/https/server.h
index e07dc0f722b..876e62fdd67 100644
--- a/yt/yt/core/https/server.h
+++ b/yt/yt/core/https/server.h
@@ -2,6 +2,8 @@
 #include "public.h"
+#include "yt/yt/core/actions/public.h"
+
 #include <yt/yt/core/concurrency/public.h>
 #include <yt/yt/core/http/public.h>
@@ -17,7 +19,8 @@ NHttp::IServerPtr CreateServer(
 NHttp::IServerPtr CreateServer(
 const TServerConfigPtr& config,
 const NConcurrency::IPollerPtr& poller,
- const NConcurrency::IPollerPtr& acceptor);
+ const NConcurrency::IPollerPtr& acceptor,
+ const IInvokerPtr& controlInvoker);
 //////////////////////////////////////////////////////////////////////////////// |
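Review bot: The new include in server.h, `#include "yt/yt/core/actions/public.h"`, uses quotes with a repository-rooted path while the neighbouring includes of the same kind use angle brackets (`#include <yt/yt/core/concurrency/public.h>`); `#include <yt/yt/core/actions/public.h>` keeps the header consistent. The new `controlInvoker` parameter in hunk @@ -17 carries no comment, and the two-argument overload declared just above it now forwards a null invoker, which server.cpp rejects with `YT_VERIFY` when the credentials are file-backed. A parameter comment such as `//! Invoker running the periodic certificate reload; must be non-null when the certificate and key are given as files.` plus a matching remark on the two-argument overload would tell callers which form they need.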