clusterlink-net / clusterlink

A Gateway for connecting application services in different domains, networks, and cloud infrastructures
https://clusterlink.net

cmd/cl-controlplane: Support dynamic peer certificates #629

Closed orozery closed 1 month ago

orozery commented 1 month ago

This PR changes the controlplane to watch the peer certificate files for changes, in order to support dynamic peer certificates.

Note that when switching TLS certificates, existing connections are still valid. The client-side controlplane (the importer) terminates those controlplane connections when switching certificates. However, if only the server switches certificates, the server will continue to allow authz connections, which will be dropped only at the tunnel establishment phase (where a new connection is used).

elevran commented 1 month ago

> The client-side controlplane (the importer) terminates those controlplane connections when switching certificates.

Am I reading this correctly: When the client side control plane has a new certificate, it will re-establish (and therefore reauthenticate) control connections to remote peers.

This does not refer to existing workload-to-workload connections which are kept intact. Correct?

orozery commented 1 month ago

> > The client-side controlplane (the importer) terminates those controlplane connections when switching certificates.
> 
> Am I reading this correctly: When the client side control plane has a new certificate, it will re-establish (and therefore reauthenticate) control connections to remote peers.
> 
> This does not refer to existing workload-to-workload connections which are kept intact. Correct?

Correct