Add shared TLS support for OAP HTTP/REST servers with cert hot-reload#13933

Merged
wu-sheng merged 1 commit into apache:master from kezhenxu94:http-rest-tls-support on Jun 30, 2026

Conversation

@kezhenxu94

Member

Motivation

The OAP gRPC servers already support TLS (including mTLS and automatic certificate reload on rotation), but the Armeria-based HTTP/REST servers did not: the certificate and key were read once at startup, and most HTTP servers did not expose any TLS configuration at all.

This PR adds server-side TLS for all OAP HTTP/REST servers with automatic reload on rotation, configurable once and shared across every HTTP endpoint — matching how certs are mounted from a Kubernetes secret on disk.

Changes

  • Cert hot-reload (HTTPServer) — replaced the one-shot sb.tls(cert, key) with Armeria's native TlsProvider.ofScheduled(...), which re-reads the key pair from disk on a schedule. Rotated certificates are picked up without an OAP restart. Key loading still goes through PrivateKeyUtil (PKCS#1 → PKCS#8).
  • Single shared config: restSSLEnabled / restSSLKeyPath / restSSLCertChainPath under core (env vars SW_CORE_REST_SSL_*). The core REST, PromQL, LogQL, TraceQL and Zipkin query/receiver servers read it through CoreModule's ConfigService at start(). The sharing-server and admin servers build their HTTP server during prepare() (where cross-module services aren't yet registered), so they carry their own fields wired to the same env vars in application.yml.
  • HTTP TLS is server-side only (no mTLS); gRPC TLS is unchanged.
  • Docs: grpc-security.md, configuration-vocabulary.md, changes.md.

Testing

  • New HTTPServerTLSTest (3 tests): loads a key pair from disk, picks up a rotated certificate on re-read, and fails on missing files.
  • All changed modules compile; checkstyle passes on all changed modules.

@kezhenxu94 kezhenxu94 force-pushed the http-rest-tls-support branch 2 times, most recently from b12349a to ae68c28 on June 30, 2026 11:41
@wu-sheng wu-sheng added this to the 11.0.0 milestone Jun 30, 2026
@wu-sheng wu-sheng added the backend (OAP backend related.) and enhancement (Enhancement on performance or codes) labels Jun 30, 2026
wu-sheng previously approved these changes Jun 30, 2026
@wu-sheng

Member

The failed e2e is expected. It verified the config/dump, which you changed.

The gRPC servers already supported TLS, mTLS, and cert reload on rotation.
This adds the equivalent for the Armeria-based HTTP/REST servers (core REST /
GraphQL, sharing REST, admin, PromQL, LogQL, TraceQL, Zipkin query/receiver):

- HTTPServer now reloads the key pair from disk via Armeria
  TlsProvider.ofScheduled, so rotated certificates (e.g. a refreshed Kubernetes
  secret) are picked up without restarting the OAP. Previously the cert/key were
  read once at startup.
- Every HTTP server exposes the same restSSLEnabled / restSSLKeyPath /
  restSSLCertChainPath config structure, each with its own dedicated environment
  variables: SW_CORE_REST_SSL_*, SW_RECEIVER_SHARING_REST_SSL_*,
  SW_ADMIN_SERVER_REST_SSL_*, SW_PROMQL_REST_SSL_*, SW_LOGQL_REST_SSL_*,
  SW_TRACEQL_REST_SSL_*, SW_QUERY_ZIPKIN_REST_SSL_*, SW_RECEIVER_ZIPKIN_REST_SSL_*.
  Each server reads the settings from its own module config.
- HTTP TLS is server-side only (no mTLS).

Adds HTTPServerTLSTest covering disk load, rotation pickup, and missing files;
updates application.yml and the TLS / configuration-vocabulary / changelog docs.
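The "Cert hot-reload (HTTPServer)" bullet in the PR description and the commit message above describe one mechanism: re-read the key pair from disk on a schedule, swap the active pair when the certificate has changed, and convert a PKCS#1 key to PKCS#8 before use. What follows is an added Python model of that mechanism written for this page; it is not SkyWalking's HTTPServer, PrivateKeyUtil or HTTPServerTLSTest code and it does not call Armeria's TlsProvider. `ScheduledTlsProvider`, `load_key_pair`, `pkcs1_to_pkcs8` and `demo` are hypothetical names, the scheduler that would call `reload()` on an interval is left out, and the PEM blobs `demo` writes are constructed placeholders, so only PEM framing and the PKCS#8 wrapping are exercised, not real RSA key or X.509 parsing.

```python
"""Added model of the PR's cert hot-reload path (constructed; not SkyWalking's or Armeria's code)."""
import base64, hashlib, os, tempfile
from collections import namedtuple

PEM_PKCS1, PEM_PKCS8 = "RSA PRIVATE KEY", "PRIVATE KEY"
# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
# key_pem is PKCS#8 after loading; fingerprint is SHA-256 of the cert chain file, so it changes on rotation
KeyPair = namedtuple("KeyPair", "key_pem cert_chain_pem fingerprint")

def der_tlv(tag, content):
    """Minimal DER TLV encoder: short-form length below 128 bytes, long-form above."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def pem_decode(pem, label):
    head, tail = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if head not in pem or tail not in pem:
        raise ValueError(f"no {label} block in PEM input")
    return base64.b64decode("".join(pem.split(head, 1)[1].split(tail, 1)[0].split()))

def pem_encode(der, label):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def pkcs1_to_pkcs8(pem):
    """Wrap a PKCS#1 'RSA PRIVATE KEY' as a PKCS#8 PrivateKeyInfo; PKCS#8 input passes through."""
    if f"-----BEGIN {PEM_PKCS8}-----" in pem:
        return pem
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER 0, AlgorithmIdentifier, privateKey OCTET STRING }
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + RSA_ALG_ID + der_tlv(0x04, pem_decode(pem, PEM_PKCS1)))
    return pem_encode(info, PEM_PKCS8)

def load_key_pair(key_path, cert_path):
    """Read both files from disk; a missing one raises, as the PR's 'fails on missing files' test expects."""
    for path in (key_path, cert_path):
        if not os.path.isfile(path):
            raise FileNotFoundError(f"TLS material not found: {path}")
    with open(key_path) as f:
        key_pem = pkcs1_to_pkcs8(f.read())
    with open(cert_path, "rb") as f:
        cert_bytes = f.read()
    pem_decode(cert_bytes.decode(), "CERTIFICATE")   # reject files that are not PEM certificates
    return KeyPair(key_pem, cert_bytes.decode(), hashlib.sha256(cert_bytes).hexdigest())

def write_file(path, text):
    with open(path, "w") as f:
        f.write(text)

class ScheduledTlsProvider:
    """Hypothetical stand-in for a scheduled TLS provider; a scheduler would call reload() each interval."""

    def __init__(self, key_path, cert_path):
        self._paths = (key_path, cert_path)
        self.current = load_key_pair(*self._paths)   # fail fast at startup, not on the first tick

    def reload(self):
        """One scheduled tick; True only when a rotated cert replaced the active pair."""
        try:
            fresh = load_key_pair(*self._paths)
        except (OSError, ValueError):
            return False   # half-written secret on disk: keep serving the last good pair
        if fresh.fingerprint == self.current.fingerprint:
            return False
        self.current = fresh
        return True

def demo():
    """Drive the provider through the cases the PR's HTTPServerTLSTest describes; returns the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = os.path.join(d, "tls.key"), os.path.join(d, "tls.crt")
        # Constructed placeholders (a tiny DER blob in a PKCS#1 frame, PEM-framed fake certs):
        # they exercise the reload path, not real RSA key or X.509 parsing.
        write_file(key, pem_encode(b"\x30\x03\x02\x01\x00", PEM_PKCS1))
        write_file(cert, pem_encode(b"constructed-cert-v1", "CERTIFICATE"))
        try:
            ScheduledTlsProvider(key, os.path.join(d, "absent.crt"))
            startup_missing_fails = False
        except FileNotFoundError:
            startup_missing_fails = True
        provider = ScheduledTlsProvider(key, cert)
        first = provider.current
        unchanged = provider.reload()       # nothing rotated yet
        os.remove(cert)                     # rotation in progress: cert not yet rewritten
        during_rotation = provider.reload()
        write_file(cert, pem_encode(b"constructed-cert-v2", "CERTIFICATE"))
        rotated = provider.reload()
        return {
            "startup_missing_fails": startup_missing_fails,
            "key_is_pkcs8": first.key_pem.startswith(f"-----BEGIN {PEM_PKCS8}-----"),
            "unchanged_tick": unchanged,
            "during_rotation_tick": during_rotation,
            "rotated_tick": rotated,
            "fingerprint_changed": provider.current.fingerprint != first.fingerprint,
        }
```

The branch worth attention from a defender's side is the failure path in `reload()`: a mounted secret is rewritten file by file, so a tick can observe a missing or half-written file, and the model keeps serving the last good pair instead of dropping TLS, while the same missing file at startup is a hard failure. The fingerprint is a hash of the certificate file, which is enough to detect a rotation; a production reloader would additionally check that the new private key matches the new certificate before swapping, so that a mismatched pair from a bad rotation never reaches the listener.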
@wu-sheng wu-sheng merged commit eec76ba into apache:master Jun 30, 2026
437 of 445 checks passed
@kezhenxu94 kezhenxu94 deleted the http-rest-tls-support branch June 30, 2026 15:06