Skip to content

feat: reloadable tls client config #7230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Nov 24, 2025
Merged

feat: reloadable tls client config #7230

merged 10 commits into from
Nov 24, 2025

Conversation

@shuiyisong
Copy link
Contributor

@shuiyisong shuiyisong commented Nov 14, 2025
edited
Loading

I hereby agree to the terms of the GreptimeDB CLA.

Refer to a related PR or issue link (optional)

What's changed and what's your intention?

This patch introduces the ability for channel_manager to use a re-loadable client TLS config to automatically reload the TLS files when changed.
The ReloadableTlsServerConfig is now extracted into reloadable_tls for reuse.

PR Checklist

Please convert it to a draft if some of the following conditions are not met.

  • I have written the necessary rustdoc comments.
  • I have added the necessary unit tests and integration tests.
  • This PR requires documentation updates.
  • API changes are backward compatible.
  • Schema or data changes are backward compatible.

@github-actions github-actions bot added size/M docs-not-required This change does not impact docs. labels Nov 14, 2025
@shuiyisong shuiyisong force-pushed the feat/reload_tls_in_gRPC_client branch from caf3366 to cfcf157 Compare November 17, 2025 06:58
@shuiyisong shuiyisong marked this pull request as ready for review November 17, 2025 06:58
@shuiyisong shuiyisong requested review from a team, waynexia and zhongzc as code owners November 17, 2025 06:58
@evenyag evenyag requested review from MichaelScofield and removed request for zhongzc November 18, 2025 06:49
@fengys1996 fengys1996 self-requested a review November 18, 2025 07:40
MichaelScofield
MichaelScofield reviewed Nov 19, 2025
View reviewed changes
@shuiyisong shuiyisong requested a review from discord9 as a code owner November 19, 2025 03:32
fengys1996
fengys1996 reviewed Nov 19, 2025
View reviewed changes
@shuiyisong shuiyisong force-pushed the feat/reload_tls_in_gRPC_client branch from bfdaeda to 1e60e34 Compare November 20, 2025 06:15
@sunng87
Copy link
Member

sunng87 commented Nov 22, 2025

To be clear, in this patch we only changed intra-cluster grpc client to reload certificate. The grpc server is not covered, right?

@shuiyisong
Copy link
Contributor Author

shuiyisong commented Nov 24, 2025

To be clear, in this patch we only changed intra-cluster grpc client to reload certificate. The grpc server is not covered, right?

Yes, this only change the gRPC client(channel manager) to be able to reload the TLS change. The gRPC server of the database is not changed.

@sunng87
Copy link
Member

sunng87 commented Nov 24, 2025

This can introduce an issue if all clients reloads certs automatically but server doesn't. The updated client will not be able to connect to server without a restart.

sunng87
sunng87 approved these changes Nov 24, 2025
View reviewed changes
Copy link
Member

@sunng87 sunng87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed with @shuiyisong , this will be used for communication between database and external services like authentication providers or something.

But we still need to ensure the cert reload will work if intra-cluster grpc is configured with tls.

@sunng87 sunng87 enabled auto-merge November 24, 2025 03:30
@shuiyisong
fix: add error log
735aabe 
Signed-off-by: shuiyisong <[email protected]>
@sunng87 sunng87 added this pull request to the merge queue Nov 24, 2025
Merged via the queue into GreptimeTeam:main with commit 9f4902b Nov 24, 2025
43 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MichaelScofield MichaelScofield MichaelScofield approved these changes

@sunng87 sunng87 sunng87 approved these changes

@fengys1996 fengys1996 fengys1996 approved these changes

@waynexia waynexia Awaiting requested review from waynexia waynexia is a code owner

@discord9 discord9 Awaiting requested review from discord9 discord9 is a code owner

Assignees

No one assigned

Labels

docs-not-required This change does not impact docs. size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@shuiyisong @sunng87 @MichaelScofield @fengys1996