Add shared TLS support for OAP HTTP/REST servers with cert hot-reload#13933
Merged
Force-pushed b12349a to ae68c28
wu-sheng (Member) previously approved these changes, Jun 30, 2026:
The failed e2e is expected. It verified the config/dump, which you changed.
The gRPC servers already supported TLS, mTLS, and cert reload on rotation. This adds the equivalent for the Armeria-based HTTP/REST servers (core REST / GraphQL, sharing REST, admin, PromQL, LogQL, TraceQL, Zipkin query/receiver):
- HTTPServer now reloads the key pair from disk via Armeria TlsProvider.ofScheduled, so rotated certificates (e.g. a refreshed Kubernetes secret) are picked up without restarting the OAP. Previously the cert/key were read once at startup.
- Every HTTP server exposes the same restSSLEnabled / restSSLKeyPath / restSSLCertChainPath config structure, each with its own dedicated environment variables: SW_CORE_REST_SSL_*, SW_RECEIVER_SHARING_REST_SSL_*, SW_ADMIN_SERVER_REST_SSL_*, SW_PROMQL_REST_SSL_*, SW_LOGQL_REST_SSL_*, SW_TRACEQL_REST_SSL_*, SW_QUERY_ZIPKIN_REST_SSL_*, SW_RECEIVER_ZIPKIN_REST_SSL_*. Each server reads the settings from its own module config.
- HTTP TLS is server-side only (no mTLS).
Adds HTTPServerTLSTest covering disk load, rotation pickup, and missing files; updates application.yml and the TLS / configuration-vocabulary / changelog docs.
Force-pushed ae68c28 to b78d6db
wu-sheng approved these changes, Jun 30, 2026
Motivation
The OAP gRPC servers already support TLS (including mTLS and automatic certificate reload on rotation), but the Armeria-based HTTP/REST servers did not: the certificate and key were read once at startup, and most HTTP servers did not expose any TLS configuration at all.
This PR adds server-side TLS for all OAP HTTP/REST servers with automatic reload on rotation, configurable once and shared across every HTTP endpoint — matching how certs are mounted from a Kubernetes secret on disk.
Changes
- HTTPServer) — replaced the one-shot sb.tls(cert, key) with Armeria's native TlsProvider.ofScheduled(...), which re-reads the key pair from disk on a schedule. Rotated certificates are picked up without an OAP restart. Key loading still goes through PrivateKeyUtil (PKCS#1 → PKCS#8).
- restSSLEnabled / restSSLKeyPath / restSSLCertChainPath under core (env vars SW_CORE_REST_SSL_*). The core REST, PromQL, LogQL, TraceQL and Zipkin query/receiver servers read it through CoreModule's ConfigService at start(). The sharing-server and admin servers build their HTTP server during prepare() (where cross-module services aren't yet registered), so they carry their own fields wired to the same env vars in application.yml.
- grpc-security.md, configuration-vocabulary.md, changes.md.
Testing
- HTTPServerTLSTest (3 tests): loads a key pair from disk, picks up a rotated certificate on re-read, and fails on missing files.
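The mechanism the commit message and the Changes/Testing sections describe (read the key pair from disk at startup, re-read it on a fixed schedule, keep serving across a secret rotation, fail on missing files) can be shown end to end in a self-contained program. The following is an added example, not code from this PR or from SkyWalking, and it is written in Go as a stand-in for the Java/Armeria implementation: it makes no claim about TlsProvider.ofScheduled's signature or about PrivateKeyUtil. The type and function names (KeyPairReloader, WriteSelfSigned), the tls.crt/tls.key file names, the reload interval and the self-signed certificates it generates are all hypothetical test material constructed for the example. Beyond what the PR's three tests cover, it also shows the failure mode a scheduled re-reader must handle: a torn or half-rotated pair on disk is rejected and the previously loaded pair stays in service rather than breaking the listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// KeyPairReloader re-reads a PEM cert chain and key from disk on a schedule, keeping the last good pair on failure.
type KeyPairReloader struct {
	certPath, keyPath string
	current           atomic.Pointer[tls.Certificate]
}

// NewKeyPairReloader loads the pair once, failing hard if the files are missing or unparsable
// (no server should come up without its identity), then re-reads them every interval.
func NewKeyPairReloader(certPath, keyPath string, interval time.Duration) (*KeyPairReloader, error) {
	r := &KeyPairReloader{certPath: certPath, keyPath: keyPath}
	if err := r.Reload(); err != nil {
		return nil, fmt.Errorf("initial TLS key pair load: %w", err)
	}
	go func() {
		for range time.Tick(interval) {
			if err := r.Reload(); err != nil { // logged, never fatal: a bad rotation must not kill the listener
				fmt.Fprintln(os.Stderr, "tls reload skipped, keeping previous pair:", err)
			}
		}
	}()
	return r, nil
}

// Reload reads both files and swaps the pair in atomically; on any failure the previous pair stays in service.
func (r *KeyPairReloader) Reload() error {
	certPEM, certErr := os.ReadFile(r.certPath)
	keyPEM, keyErr := os.ReadFile(r.keyPath)
	if err := errors.Join(certErr, keyErr); err != nil {
		return err
	}
	// tls.X509KeyPair accepts both PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY")
	// PEM blocks, so no conversion step is needed, and it rejects a key/cert mismatch.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	r.current.Store(&pair)
	return nil
}

// GetCertificate is the tls.Config hook: each new handshake gets the current pair.
func (r *KeyPairReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.current.Load(), nil
}

// WriteSelfSigned writes a fresh self-signed ECDSA cert and PKCS#8 key into dir:
// constructed test material standing in for a rotated Kubernetes secret mount.
func WriteSelfSigned(dir string, serial int64) (certPath, keyPath string, err error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{"oap.example.test"}, // hypothetical hostname
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a P-256 key
	certPath, keyPath = filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	keyErr := os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
	certErr := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
	return certPath, keyPath, errors.Join(keyErr, certErr)
}

func main() {
	dir, _ := os.MkdirTemp("", "oap-tls")
	defer os.RemoveAll(dir)
	certPath, keyPath, _ := WriteSelfSigned(dir, 1)
	r, err := NewKeyPairReloader(certPath, keyPath, 200*time.Millisecond) // minutes in production
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{GetCertificate: r.GetCertificate, MinVersion: tls.VersionTLS12}
	WriteSelfSigned(dir, 2)            // rotate on disk, as a refreshed secret mount would
	time.Sleep(500 * time.Millisecond) // let the scheduled re-read run
	c, _ := cfg.GetCertificate(nil)
	leaf, _ := x509.ParseCertificate(c.Certificate[0])
	fmt.Println("serving serial", leaf.SerialNumber) // 2: the rotated cert, with no restart
}
```

Two operational points follow from the design, whichever language implements it. The hook is consulted per handshake, so connections that are already open keep the old certificate until they reconnect; a rotation is only complete once clients have cycled. And a Kubernetes secret mounted with subPath is never updated in place, so a scheduled reloader on such a mount will keep serving the old pair until it expires without ever logging an error; alerting on the NotAfter of the certificate actually served, not the one on disk, is the check that catches both this and a reload loop that keeps rejecting a bad rotation.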