
Support Jetty's live cert reload on HTTPS frontend #7355

Merged: 2 commits from jetty-reload-https-cert into apache:main, Mar 22, 2023

Conversation

mlsorensen (Contributor)

Description

This PR implements Jetty's hot certificate reload per jetty/jetty.project#5042

When the keystore changes, the API server begins using the new certificate. Note that this functionality doesn't support live change of keystore password, only certificate.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Tested locally with self-signed certs. Changed the cert in the keystore while management server was running, reloaded the website, and inspected the https certificate.

Tested against cmk, which continued to function after the cert change. Also tested against UI - website needed to be refreshed due to browser security. Perhaps a future enhancement would catch these errors and auto-refresh?

Here you can see the local cloudstack management server using a new cert after it is loaded into a keystore:

```console
[root@kvmlab1 management]# echo | openssl s_client -showcerts -connect localhost:8443 2>/dev/null | openssl x509 -inform pem -noout -text | grep "Not Before"
            Not Before: Mar 21 21:09:50 2023 GMT
```

change cert

```console
[root@kvmlab1 management]# openssl x509 -req -in cloud.csr -signkey cloud.key > cloud.crt
Signature ok
subject=C = US, ST = UT, L = Alpine, O = Marcus, OU = Marcus, CN = kvmlab1, emailAddress = example@example.com
Getting Private key

[root@kvmlab1 management]# openssl pkcs12 -export -in cloud.crt -inkey cloud.key -name cloud -passout pass:****** > cloud-localhost.pk12

[root@kvmlab1 management]# keytool -importkeystore -srckeystore cloud-localhost.pk12 -srcstoretype PKCS12 -destkeystore cloud.jks -deststoretype JKS -srcstorepass ****** -deststorepass ****** -destkeypass ****** -noprompt
Importing keystore cloud-localhost.pk12 to cloud.jks...
Warning: Overwriting existing alias cloud in destination keystore
Entry for alias cloud successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
```

check cert

```console
[root@kvmlab1 management]# echo | openssl s_client -showcerts -connect localhost:8443 2>/dev/null | openssl x509 -inform pem -noout -text | grep "Not Before"
            Not Before: Mar 21 21:24:47 2023 GMT
```

Signed-off-by: Marcus Sorensen <mls@apple.com>
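The Jetty mechanism this PR relies on, shown as an added illustration rather than CloudStack's own ServerDaemon code: a `KeyStoreScanner` attached to the `SslContextFactory.Server` watches the keystore file and reloads the factory when the file changes, so new TLS handshakes present the new certificate while existing password settings stay as they were (which is why a password change is not picked up). The keystore path, passwords and port below are placeholders; verify a reload the same way the description does, with `openssl s_client` before and after swapping the keystore.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.KeyStoreScanner;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HotReloadHttps {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Keystore must be a file on local disk (the scanner watches it);
        // path and passwords are placeholders for this example.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/path/to/cloud.jks");
        ssl.setKeyStorePassword("CHANGE_ME");
        ssl.setKeyManagerPassword("CHANGE_ME");

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        // Poll the keystore file; on modification Jetty rebuilds the SSL
        // context with the already-configured passwords, so only a cert/key
        // change takes effect. Connections already open keep the old cert,
        // matching the "refresh the browser" observation in the PR.
        KeyStoreScanner scanner = new KeyStoreScanner(ssl);
        scanner.setScanInterval(60); // seconds between checks
        server.addBean(scanner);

        server.start();
        server.join();
    }
}
```

Replace the keystore atomically (write to a temp file, then rename over `cloud.jks`) so a scan never reads a half-written file.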
@mlsorensen mlsorensen changed the title Support Jetty's live cert reload Support Jetty's live cert reload on HTTPS API Mar 21, 2023
@mlsorensen mlsorensen changed the title Support Jetty's live cert reload on HTTPS API Support Jetty's live cert reload on HTTPS frontend Mar 21, 2023
codecov bot commented Mar 21, 2023

Codecov Report

Merging #7355 (cc00c6a) into main (2aa3f98) will not change coverage.
The diff coverage is n/a.

```text
@@            Coverage Diff            @@
##               main    #7355   +/-   ##
=========================================
  Coverage     12.68%   12.68%
  Complexity     8656     8656
=========================================
  Files          2718     2718
  Lines        256169   256169
  Branches      39932    39932
=========================================
  Hits          32504    32504
  Misses       219531   219531
  Partials       4134     4134
```

weizhouapache (Member) left a comment

code lgtm

rohityadavcloud (Member) left a comment

Code LGTM - but haven't tested it.

sonarcloud bot commented Mar 22, 2023

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A (0 Bugs)
  • Vulnerabilities: A (0 Vulnerabilities)
  • Security Hotspots: A (0 Security Hotspots)
  • Code Smells: A (0 Code Smells)
  • Coverage: 0.0%
  • Duplication: 0.0%

mlsorensen (Contributor, Author)

Merging based on 2x LGTM and manual testing of feature.

@mlsorensen mlsorensen merged commit 9ca5f28 into apache:main Mar 22, 2023
@mlsorensen mlsorensen deleted the jetty-reload-https-cert branch March 22, 2023 20:38
rohityadavcloud (Member)

Sorry @mlsorensen, per community guidelines, no @blueorangutan smoketests were performed, and generally it's not preferred that the PR author serves manual tests.

However, it's possible there's no regression as smoketests in Github Actions against simulator have passed. I'll kick a round of BO smoketests on #7344

@rohityadavcloud rohityadavcloud added this to the 4.19.0.0 milestone Mar 23, 2023
kishankavala pushed a commit to shapeblue/cloudstack that referenced this pull request Apr 13, 2023
* Support Jetty's live cert reload

Signed-off-by: Marcus Sorensen <mls@apple.com>

* Update ServerDaemon.java

---------

Signed-off-by: Marcus Sorensen <mls@apple.com>
Co-authored-by: Marcus Sorensen <mls@apple.com>
soreana pushed a commit to Leaseweb/cloudstack that referenced this pull request May 19, 2023
rohityadavcloud pushed a commit to shapeblue/cloudstack that referenced this pull request Sep 27, 2023
(cherry picked from commit 9ca5f28)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>