Does ssl-reload monitor keystore when it is a symlink? #8973
Comments
In Jetty 9.4.x, by default, links are followed, so what's actually monitored would be Wait a second, do you really have a directory called Just out of curiosity, if you remove the |
I can't edit anything in the mounted directory as it is read-only and mounted/handled by Kubernetes. This is how Kubernetes mounts secrets, so that when the secret is modified, updates are propagated inside the pod. ..data directory is also a symlink |
I see everything is owned by @lachlan-roberts can you please check if the |
I don't think permission is an issue, because certs are picked up when we start Jetty the first time, but when the secret is updated, i.e. certificates are renewed, target files in symlinks get updated but Jetty does not pick up the updated certificates. |
Just a reminder that Jetty 9.4.x is now at End of Community Support. |
I tried with jetty-home-11.0.12 and the issue is the same for the keystore mounted as above. This is a very common scenario when deploying on Kubernetes. Even for normal symbolic links where Here is the log snippet.
I think issue #8786 fixes it, not sure if it is in jetty-home-11.0.12? |
I have tested @chetan777in when you say "the target file for symlink keystore.p12 is changed" do you mean you changed the symlink to point to a different target, or you replaced the target file of the symlink with the updated keystore? |
There are multiple symbolic links involved here.
The target file for keystore.p12 is Also, for enabling the ssl-reload module, I have enabled the module by adding ssl-reload.ini into the start.d folder. Is there any other config required? |
readlink resolves the keystore.p12 symlink as below, as there are recursive symlinks |
This line of the logs is concerning to me
The alias is supposed to be resolved in the monitored file before this point so it shouldn't have the There was a refactor for the alias resolution for Jetty 12 which I think may need to be backported to fix this. What is your keystore path set to for your SSL configuration? |
Since Jetty 9.x is out of community support, I tried with jetty-home-11.0.12. Below are logs with keystore.p12 mounted (as a Kubernetes secret) as shown above.
Keystore path set in {jetty-base}/etc/jetty-ssl-context.xml is: etc/ssl/keystore.p12. It does not seem to detect that there is a change in the keystore file. Can you please try with the above file/directory structure for keystore.p12 with symlinks and confirm it works at your end? I see similar behavior in the latest Jetty 9.x and Jetty 11.x for this case. |
Jetty 11.0.12 does not have the fix from #8786 |
This does not seem to work in Jetty 11.0.13 as well. The log shows the same behavior as in previous Jetty versions. The keystore.p12 symlink does not seem to resolve to its final target, which would be something like this: I have set jetty.sslContext.reload.followLinks=true in start.d/ssl-reload.ini |
Am I right in seeing that this is doubly sym-linked?
You have configured for |
Yes, you are right. This is how Kubernetes mounts secrets inside a pod. Also, when certificates are updated directory |
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Opened PR #9014 to resolve this in a different way |
…nges (#9014)
* Issue #8973 - Rework KeyStoreScanner handling for symlink related changes
  + Removed changes from #8786 and #8787
  + More test cases
  + revert jetty.sslContext.reload.followLinks boolean
  + Scanner should follow its own linkOptions setting
  + remove bad documentation in module-ssl-reload.adoc
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Co-authored-by: Lachlan Roberts <lachlan@webtide.com>
@joakime Will this fix be available in the upcoming Jetty 11.0.13? If not, in which next Jetty 11 release will it be available and what is the expected timeline for it? |
@chetan777in you can test 11.0.13 right now (it's staged and being tested before official release ATM). The staging (maven) repo is https://oss.sonatype.org/content/groups/jetty-with-staging/ Just an FYI: the |
Your specific use case is covered in KeyStoreScannerTest (on Jetty 10, Jetty 11, and Jetty 12 now) |
I tested the fix from the staging repo and it is working as expected. Thanks! |
@chetan777in 11.0.13 has been released. |
jetty-9.4.49.v20220914 and 11.0.12
Java 11
Does ssl-reload monitor keystore when it is a symlink?
I have deployed my application, which uses Jetty, in a Kubernetes pod. We are using cert-manager for certificate management.
The secret is mounted inside the pod as below:
When the certificates are renewed automatically by cert-manager, the target file for the symlink keystore.p12 is changed, but even after that Jetty is not picking up the updated certs. If the keystore is not a symlink, Jetty picks up the updated certs.
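The failure mode in this issue is easy to reproduce outside Jetty and Kubernetes. The following is an added example, not Jetty's KeyStoreScanner and not code from this thread: it recreates on a temp directory the two-hop layout the kubelet uses for a mounted secret (`keystore.p12 -> ..data/keystore.p12`, `..data -> ..<timestamp>`, with `..data` swapped atomically on renewal; the timestamp directory names and the keystore bytes are constructed), then compares a watcher that stats the symlink itself with one that resolves the whole chain first. Only the latter notices a renewal, because the `keystore.p12` link is never touched; the change happens one directory above it. An operator whose reloader uses the first strategy keeps serving the old certificate until it expires, so the check to run after a rotation is whether the resolved target path (not just the configured path) has moved.

```python
import os
import tempfile
from pathlib import Path


def make_k8s_secret_mount(mount: Path, version: str, keystore_bytes: bytes) -> None:
    """Lay out a secret the way the kubelet does (constructed imitation):
    mount/..<version>/keystore.p12   real file for this revision
    mount/..data -> ..<version>      swapped atomically on every update
    mount/keystore.p12 -> ..data/keystore.p12   stable path the app is given
    """
    versioned = mount / f"..{version}"
    versioned.mkdir(parents=True)
    (versioned / "keystore.p12").write_bytes(keystore_bytes)

    # Atomic swap of ..data: create a temp link, then rename it over the old one.
    tmp = mount / "..data_tmp"
    if tmp.is_symlink():
        tmp.unlink()
    tmp.symlink_to(f"..{version}")
    os.replace(tmp, mount / "..data")

    ks = mount / "keystore.p12"
    if not ks.is_symlink():          # created once; never modified afterwards
        ks.symlink_to("..data/keystore.p12")


class KeyStoreMonitor:
    """Minimal change detector. With follow_links=False it behaves like a scanner
    that lstat()s the configured path; with follow_links=True it resolves the
    full symlink chain and keys on the final target's identity and mtime."""

    def __init__(self, path: Path, follow_links: bool) -> None:
        self.path = path
        self.follow_links = follow_links
        self.last = self._snapshot()

    def _snapshot(self) -> tuple:
        if self.follow_links:
            target = self.path.resolve()          # walks every hop, incl. ..data
            st = target.stat()
            return (str(target), st.st_mtime_ns, st.st_size)
        st = self.path.lstat()                    # the link itself, not its target
        return (str(self.path), st.st_mtime_ns, st.st_size)

    def changed(self) -> bool:
        current = self._snapshot()
        if current != self.last:
            self.last = current
            return True
        return False


def simulate_rotation(root: Path) -> dict:
    """Mount a secret, start two monitors, renew the secret, ask both monitors."""
    mount = root / "certs"
    make_k8s_secret_mount(mount, "2024_01_01_000000", b"keystore-v1")
    ks = mount / "keystore.p12"
    naive = KeyStoreMonitor(ks, follow_links=False)
    following = KeyStoreMonitor(ks, follow_links=True)

    # cert-manager renews the cert; the kubelet writes a new revision directory
    # and repoints ..data. keystore.p12 itself is untouched.
    make_k8s_secret_mount(mount, "2024_01_02_000000", b"keystore-v2-renewed")

    return {
        "link_target": os.readlink(ks),                  # one hop only
        "data_target": os.readlink(mount / "..data"),    # the hop that moved
        "naive_detected": naive.changed(),
        "following_detected": following.changed(),
        "resolved_dir": ks.resolve().parent.name,        # where the bytes really live
    }


def run_demo() -> dict:
    """Run the simulation in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        return simulate_rotation(Path(d))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `naive_detected`/`following_detected` pair is the whole point: a single `readlink` of `keystore.p12` returns `..data/keystore.p12` before and after the renewal, so a monitor that resolves one hop, or none, sees no change even though the resolved directory has moved from `..2024_01_01_000000` to `..2024_01_02_000000`.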