[8.11] [HTTP Server] support TLS config hot reload via SIGHUP (#171823)
#171907
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
) ## Summary Fix elastic#54368 Add support for hot reloading the Kibana server's TLS configuration, using the same `SIGHUP`-based reload signal, as already implemented for other parts of the Kibana configuration (e.g `logging`) **Note:** - hot reloading is only supported for the server TLS configuration (`server.ssl`), not for the whole `server.*` config prefix - swaping the certificate files (without modifying the kibana config itself) is supported - it is not possible to toggle TLS (enabling or disabling) without restarting Kibana - hot reloading requires to force the process to reload its configuration by sending a `SIGHUP` signal ### Example / how to test #### Before ```yaml server.ssl.enabled: true server.ssl.certificate: /path-to-kibana/packages/kbn-dev-utils/certs/kibana.crt server.ssl.key: /path-to-kibana/packages/kbn-dev-utils/certs/kibana.key ``` <img width="550" alt="Screenshot 2023-11-23 at 15 11 28" src="https://github.com/elastic/kibana/assets/1532934/1226d161-a9f2-4d62-a3de-37161829f187"> #### Changing the config ```yaml server.ssl.enabled: true server.ssl.certificate: /path-to-kibana/packages/kbn-dev-utils/certs/elasticsearch.crt server.ssl.key: /path-to-kibana/packages/kbn-dev-utils/certs/elasticsearch.key ``` ```bash kill -SIGHUP {KIBANA_PID} ``` <img width="865" alt="Screenshot 2023-11-23 at 15 18 21" src="https://github.com/elastic/kibana/assets/1532934/c9412b2e-d70e-4cf0-8eaf-4db70a45af60"> #### After <img width="547" alt="Screenshot 2023-11-23 at 15 18 43" src="https://github.com/elastic/kibana/assets/1532934/c839f04f-4adb-456d-a174-4f0ebd5c234c"> ## Release notes It is now possible to hot reload Kibana's TLS (`server.ssl`) configuration by updating it and then sending a `SIGHUP` signal to the Kibana process. Note that TLS cannot be toggled (disabled/enabled) that way, and that hot reload only works for the TLS configuration, not other properties of the `server` config prefix. --------- Co-authored-by: kibanamachine <[email protected]> (cherry picked from commit 87213e7) # Conflicts: # src/core/tsconfig.json
afharo
approved these changes
Nov 24, 2023
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Public APIs missing exports
Unknown metric groupsAPI count
To update your PR or re-run it, just comment with: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.11:SIGHUP(#171823)Questions ?
Please refer to the Backport tool documentation