Skip to content

feat(relay): reloading certificate resolver #2999

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Dec 12, 2024
Merged

feat(relay): reloading certificate resolver #2999

merged 14 commits into from
Dec 12, 2024

Conversation

Arqu
Copy link
Collaborator

@Arqu Arqu commented Dec 3, 2024
edited
Loading

Description

This sets us up so we can have manually/externally managed certs that will reload on a daily basis. This should close #1108 and we should follow up on the ops side to utilize this where needed.

Ok, this turned out to be much grosser than expected.

  • I don't like the new dependencies we introduce
  • I don't like the loader setup
  • I'm unsure whether to keep the reloading resolver in the iroh repo or move it into tokio-rustls-acme (think it should move over, but for the sake of this discussion, included it here)
  • Should I do anything with the _handle for the reloader in regards to shutting down?

Most of this still feels necessary. I could maybe feature flag it?
I had a really hard time trying to extract the loader creation into a standalone func which also aligns all the traits and error types so the thing compiles.

Suggestions are welcome :)

Example config:

enable_relay = true
http_bind_addr = "[::]:80"
enable_stun = true
stun_bind_addr = "[::]:3478"
enable_metrics = true
metrics_addr = "127.0.0.1:9090"

[tls]
manual_cert_path="certificate.der"
manual_key_path="private_key.der"
cert_mode = "Reloading"

Breaking Changes

Notes & open questions

Change checklist

  • Self-review.
  • Documentation updates following the style guide, if relevant.
  • Tests if relevant.
  • All breaking changes documented.

@Arqu Arqu self-assigned this Dec 3, 2024
@Arqu Arqu force-pushed the arqu/reloading_certs branch from 19d291b to d232285 Compare December 3, 2024 22:14
@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 3, 2024
edited
Loading

Netsim report & logs for this PR have been generated and is available at: LOGS
This report will remain available for 3 days.

Last updated for commit: 146804b

@Arqu
Copy link
Collaborator Author

Arqu commented Dec 4, 2024
edited
Loading

From @flub in discord (moving the discussion over here to make things a bit easier)

i have some comments on the config structure, code (and bikeshedding 😉 ), but the principle of it doesn't seem that gross?

👍

IIUC this reads certs from a file at given intervals. which seems fine

Correct

i'm also not sure why you think this might belong in tokio-acme-rustls, it doesn't seem to have anything acme about it?

I guess what I wanted it to be is mostly it's own separate thing. It's both generally useful outside of iroh and also makes the relay codebase less cluttered. I also expect this to crop up with other services we're running, I'd rather not copy it over.

wrt the comments, my biggest structural one is probably why this is separate from Manual as it seems at some level this is > just manual + an interval?

I agree, the CertMode handling should be separate, but bellow that it's the same as Manual anyways.

Thanks for the input!

@flub
Copy link
Contributor

flub commented Dec 4, 2024

i'm also not sure why you think this might belong in tokio-acme-rustls, it doesn't seem to have anything acme about it?

I guess what I wanted it to be is mostly it's own separate thing. It's both generally useful outside of iroh and also makes the relay codebase less cluttered. I also expect this to crop up with other services we're running, I'd rather not copy it over.

This is not that much code and I think it fits just fine inside the relay server for now. Once we have to start copy-pasting it we can re-visit that I guess.

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 4, 2024
edited
Loading

Documentation for this PR has been generated and is available at: https://n0-computer.github.io/iroh/pr/2999/docs/iroh/

Last updated: 2024-12-12T14:49:55Z

@dignifiedquire dignifiedquire added this to the v0.30.0 milestone Dec 9, 2024
dignifiedquire
dignifiedquire reviewed Dec 10, 2024
View reviewed changes
dignifiedquire
dignifiedquire reviewed Dec 10, 2024
View reviewed changes
iroh-relay/src/server/resolver.rs Outdated
/// The inner reloadable value.
reloadable: Arc<Reloadable<CertifiedKey, Loader>>,
/// The handle to the task that reloads the certificate.
_handle: JoinHandle<()>,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AbortingDropJoinHandle?

@Arqu
Copy link
Collaborator Author

Arqu commented Dec 10, 2024

Looking to get back to this tonight

@Arqu Arqu force-pushed the arqu/reloading_certs branch from 675778a to caf438d Compare December 11, 2024 12:43
Arqu
Arqu commented Dec 11, 2024
View reviewed changes
iroh-relay/src/server/resolver.rs Outdated
/// The handle to the task that reloads the certificate.
_handle: AbortOnDropHandle<()>,
/// Shutdown signal sender
_shutdown_tx: tokio::sync::oneshot::Sender<()>,
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I bubble this up into the relay so we call it on relay.shutdown() or is the AbortOnDropHandle enough for this usecase?

@Arqu Arqu changed the title [WIP] feat(relay): reloading certificate resolver feat(relay): reloading certificate resolver Dec 11, 2024
@Arqu
Copy link
Collaborator Author

Arqu commented Dec 11, 2024

Do we have to bump the MSRV because redb got bumped to 2.3?

@Arqu Arqu marked this pull request as ready for review December 11, 2024 14:44
@dignifiedquire
Copy link
Contributor

Do we have to bump the MSRV because redb got bumped to 2.3?

what's their new MSRV? we probably want to bump it to normalize cargo.lock to v4

@Arqu
Copy link
Collaborator Author

Arqu commented Dec 11, 2024

Do we have to bump the MSRV because redb got bumped to 2.3?

what's their new MSRV? we probably want to bump it to normalize cargo.lock to v4

1.81

@dignifiedquire
Copy link
Contributor

lets bump MSRV to 1.81 then, this will make live easier for us

@dignifiedquire
Copy link
Contributor

but in a new PR

@dignifiedquire
Copy link
Contributor

#3031

@Arqu
Copy link
Collaborator Author

Arqu commented Dec 11, 2024

Rest of the PR good now?

dignifiedquire
dignifiedquire reviewed Dec 11, 2024
View reviewed changes
iroh-relay/src/server/resolver.rs Outdated
tracing::info!("Reloaded the certificate");
}
} => {},
_ = shutdown_rx => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we usually use cancellation token for this

@dignifiedquire
Copy link
Contributor

MSRV fix is in now

@Arqu Arqu force-pushed the arqu/reloading_certs branch from cdb0bc1 to 183bc97 Compare December 12, 2024 14:00
dignifiedquire
dignifiedquire reviewed Dec 12, 2024
View reviewed changes
iroh-relay/Cargo.toml Outdated
reqwest = { version = "0.12", default-features = false, features = [
"rustls-tls",
] }
ring = "0.17"
rustls = { version = "0.23", default-features = false, features = ["ring"] }
rustls-cert-reloadable-resolver = "0.7.1"
rustls-cert-file-reader = "0.4.1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think all the new dependencies should be optional and only for the server feature

@Arqu Arqu added this pull request to the merge queue Dec 12, 2024
flub
flub reviewed Dec 12, 2024
View reviewed changes
Cargo.toml
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you revert this noisy change?

iroh-relay/Cargo.toml
@@ -135,4 +141,4 @@ required-features = ["server"]

[package.metadata.docs.rs]
all-features = true
rustdoc-args = ["--cfg", "iroh_docsrs"]
rustdoc-args = ["--cfg", "iroh_docsrs"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is also a needless change. It is better to leave newlines at the end of files.

iroh-relay/src/server/resolver.rs
use tokio_util::{sync::CancellationToken, task::AbortOnDropHandle};

/// The default certificate reload interval.
pub const DEFAULT_CERT_RELOAD_INTERVAL: u64 = 60 * 60 * 24;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No units! Maybe make it a Duration? Or is that still not const? Should definitely document the units though.

Merged via the queue into main with commit c37895b Dec 12, 2024
25 of 26 checks passed
@flub
Copy link
Contributor

flub commented Dec 12, 2024

lol, i miss the review window again 😄

@Arqu
Copy link
Collaborator Author

Arqu commented Dec 12, 2024

I'll do a follow up, just for you :D

@Arqu Arqu deleted the arqu/reloading_certs branch December 12, 2024 15:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flub flub flub left review comments

@dignifiedquire dignifiedquire dignifiedquire approved these changes

@matheus23 matheus23 Awaiting requested review from matheus23

Assignees

@Arqu Arqu

Labels
c-iroh-relay
Projects
iroh
Archived in project
Milestone
v0.30.0
Development

Successfully merging this pull request may close these issues.

relay: no support for wildcard certs
3 participants
@Arqu @flub @dignifiedquire