enhancement(sources): add a runtime-swappable TLS acceptor to TCP sources#25800
enhancement(sources): add a runtime-swappable TLS acceptor to TCP sources#25800guilload wants to merge 2 commits into
Conversation
e27c6ef to
37628d3
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 37628d3726
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
37628d3 to
02ffffb
Compare
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 02ffffb0b6
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
bruceg
left a comment
There was a problem hiding this comment.
LGTM. TBH I did a double take at seeing the Arc-in-Arc regime of Arc<ArcSwap<T>> but it eventually made sense.
thomasqueirozb
left a comment
There was a problem hiding this comment.
/ci-run-regression origin/master
Summary
Add a runtime-swappable TLS acceptor so a TCP source can pick up rotated
certificate material without rebinding its listener.
TlsAcceptorReloaderholds the served acceptor behindan
Arc<ArcSwap<SslAcceptor>>;reload()rebuilds it viaTlsSettings::acceptor()and swaps it in.WeakTlsAcceptorReloader(from
downgrade()) is what a background reload task holds, and reportsonce the listener is gone so the task can stop.
MaybeTlsSettingsgainsreloadable_acceptor()andbind_reloadable().The listener now snapshots the current acceptor on each
accept(), so areload only affects connections accepted afterwards; in-flight connections
keep what they negotiated.
bind()/bind_with_allowlist()delegate, soexisting behaviour is unchanged.
TcpSource::runandtry_bind_tcp_listenertake anOption<TlsAcceptorReloader>; all in-tree callers passNone, so noexisting source changes behaviour.
Also bump
opensslfrom0.10.80to0.10.81and replace the deprecatedAsn1StringRef::as_utf8withto_string.Vector configuration
How did you test this PR?
Tested locally with OPW, Splunk TCP source, and cert reloader similarly to unit test in
tls::reload.Change Type
Is this a breaking change?
Does this PR include user facing changes?
no-changeloglabel to this PR.Notes
@vectordotdev/vectorto reach out to us regarding this PR.pre-pushhook, please see this template.make fmtmake check-clippy(if there are failures it's possible some of them can be fixed withmake clippy-fix)make testgit merge origin masterandgit push.Cargo.lock), pleaserun
make build-licensesto regenerate the license inventory and commit the changes (if any). More details on the dd-rust-license-tool.