FileWatcher used for SSL reload does not support symlinks #43586
Conversation
This allows using symlinks for SSL certificate hot reloading.
|
@tmaciejewski Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
spring-projects-issues
added
the
status: waiting-for-triage
|
@tmaciejewski Thank you for signing the Contributor License Agreement! |
philwebb
added
type: bug
philwebb
changed the title
| private Set<Path> resolveSymlinks(Set<Path> paths) throws IOException { | ||
| Set<Path> result = new HashSet<>(); | ||
| for (Path path : paths) { | ||
| result.add(path); |
There was a problem hiding this comment.
What is the reason for adding the symlink to the files to watch. Shouldn't we only add the real file?
There was a problem hiding this comment.
Thanks for the review. Yeah, you're right. I wanted to keep backward compatibility, but since the real file is watched, it would still be there if the link is changed to some other file, which is less intuitive. Changed it to watch only the real file.
snicoll
added
the
status: waiting-for-feedback
snicoll
removed
the
status: waiting-for-feedback
This commit allows using symlinks for SSL certificate hot reloading. See gh-43586
|
@tmaciejewski thank you for making your first contribution to Spring Boot. |
Prior to this commit, a change in gh-43586 unlocked the support for symlinks: instead of watching the link itself which might never change, this would watch the target file which is likely to change. This could break with an `IllegalStateException` in case the symlink is using a path relative to the link itself. This commit ensures that the target is resolved against the current link path to avoid incorrect watch operations. Fixes gh-43966
|
Hi Everyone! Is this released? I have the same or similar issue. I use kubernetes cert manager in order to manage my certs. It stores those as sym links: ssl config: spring:
application:
name: "shell"
ssl:
bundle:
jks:
shell:
reload-on-update: false
keystore:
location: ${KEYSTORE:file:/opt/certs/keystore.p12}
password: ${KEYSTORE_PW:changeit}
type: "PKCS12"
truststore:
location: ${TRUSTSTORE:file:/opt/certs/truststore.p12}
password: ${TRUSTSTORE_PW:changeit}
type: "PKCS12"But somehow spring cannot resolve them and I got this exception: **The problem is in the FileWatcher class witch resolves the file wrong and add the wrong absolute path to the resolved file. I my case int should prepend /opt/certs. The corect path is /opt/certs/..data/keystore.p12
The logs are from my local machine but in a kubernetes cluster I got the same result, just the path prefix is the path where the jar file executed.** Can anyone help? |
|
@PetarDimitrovZH See #43966 which will be released this week. |
|
@bclozel Thank you! |
This allows using symlinks for SSL certificate hot reloading.
In my company we have services on k8s with SSL certificates stored on a mounted volumes. Since they are symlinks, we cannot use hot-reloading, because the content is changed in the file under the symlink, not the symlink itself. This change make
FileWatcherwatch not only the symlink, but also the file it resolves to.