linkerd2

Commit Graph

Author	SHA1	Message	Date
Eliza Weisman	7220fb5367	proxy: Reload TLS config on changes (#1056 ) This PR modifies the proxy's TLS code so that the TLS config files are reloaded when any of them has changed (including if they did not previously exist). If reloading the configs returns an error, we log an error and continue using the old config. Currently, this is implemented by polling the file system for the time they were last modified at a fixed interval. However, I've implemented this so that the changes are passed around as a `Stream`, and that reloading and updating the config is in a separate function the one that detects changes. Therefore, it should be fairly easy to plug in support for `inotify` (and other FS watch APIs) later, as long as we can use them to generate a `Stream` of changes. Closes #369 Signed-off-by: Eliza Weisman <eliza@buoyant.io>	2018-06-04 13:36:28 -07:00
Brian Smith	b114ef6819	Add initial infrastructure for optionally accepting TLS connections (#1047 ) * Add initial infrastructure for optinally accepting TLS connections. If the environment gives us the paths to the certificate chain and private key then use TLS for all accepted TCP connections. Otherwise, continue on using plaintext for all accepted TCP connections. The default behavior--no TLS--isn't changed. Later we'll make this smarter by adding protocol detection so that when the TLS configuration is available, we'll accept both TLS and non-TLS connections. Signed-off-by: Brian Smith <brian@briansmith.org>	2018-05-31 12:20:57 -10:00

Author

SHA1

Message

Date

Eliza Weisman

7220fb5367

proxy: Reload TLS config on changes (#1056 )

This PR modifies the proxy's TLS code so that the TLS config files are reloaded
when any of them has changed (including if they did not previously exist).

If reloading the configs returns an error, we log an error and continue using
the old config.

Currently, this is implemented by polling the file system for the time they
were last modified at a fixed interval. However, I've implemented this so 
that the changes are passed around as a `Stream`, and that reloading and
updating the config is in a separate function the one that detects changes.
Therefore, it should be fairly easy to plug in support for `inotify` (and 
other FS watch APIs) later, as long as we can use them to generate a 
`Stream` of changes.

Closes #369 

Signed-off-by: Eliza Weisman <eliza@buoyant.io>

2018-06-04 13:36:28 -07:00

Brian Smith

b114ef6819

Add initial infrastructure for optionally accepting TLS connections (#1047 )

* Add initial infrastructure for optinally accepting TLS connections.

If the environment gives us the paths to the certificate chain and private key
then use TLS for all accepted TCP connections. Otherwise, continue on using
plaintext for all accepted TCP connections. The default behavior--no TLS--isn't
changed.

Later we'll make this smarter by adding protocol detection so that when the TLS
configuration is available, we'll accept both TLS and non-TLS connections.

Signed-off-by: Brian Smith <brian@briansmith.org>

2018-05-31 12:20:57 -10:00

2 Commits