apache · FrankChen021 · Aug 25, 2022 · Aug 19, 2022 · Aug 19, 2022 · Aug 22, 2022
diff --git a/core/src/test/java/org/apache/druid/java/util/http/client/FriendlyServersTest.java b/core/src/test/java/org/apache/druid/java/util/http/client/FriendlyServersTest.java
@@ -31,6 +31,7 @@
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.util.ssl.KeyStoreScanner;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.jboss.netty.channel.ChannelException;
 import org.jboss.netty.handler.codec.http.HttpMethod;
@@ -275,6 +276,8 @@ public void testFriendlySelfSignedHttpsServer() throws Exception
 
     sslConnector.setPort(0);
     server.setConnectors(new Connector[]{sslConnector});
+    KeyStoreScanner keyStoreScanner = new KeyStoreScanner(sslContextFactory);
+    server.addBean(keyStoreScanner);
     server.start();
 
     try {

diff --git a/docs/operations/tls-support.md b/docs/operations/tls-support.md
@@ -50,6 +50,8 @@ values for the configs below, among others provided by Java implementation.
 |`druid.server.https.keyStoreType`|The type of the key store.|none|yes|
 |`druid.server.https.certAlias`|Alias of TLS/SSL certificate for the connector.|none|yes|
 |`druid.server.https.keyStorePassword`|The [Password Provider](../operations/password-provider.md) or String password for the Key Store.|none|yes|
+|`druid.server.https.reloadSslContext`| Should Druid server detect Key Store file change and reload.|false|no|
+|`druid.server.https.reloadSslContextSeconds`| How frequently should Druid server scan for Key Store file change.|60|yes|
 
 The following table contains configuration options related to client certificate authentication.
 

diff --git a/server/src/main/java/org/apache/druid/server/initialization/TLSServerConfig.java b/server/src/main/java/org/apache/druid/server/initialization/TLSServerConfig.java
@@ -80,6 +80,12 @@ public class TLSServerConfig
   @JsonProperty
   private String crlPath;
 
+  @JsonProperty
+  private boolean reloadSslContext = false;
+
+  @JsonProperty
+  private int reloadSslContextSeconds = 60;
+
   public String getKeyStorePath()
   {
     return keyStorePath;
@@ -170,6 +176,16 @@ public String getCrlPath()
     return crlPath;
   }
 
+  public int getReloadSslContextSeconds()
+  {
+    return reloadSslContextSeconds;
+  }
+
+  public boolean isReloadSslContext()
+  {
+    return reloadSslContext;
+  }
+
   @Override
   public String toString()
   {
@@ -189,6 +205,8 @@ public String toString()
            ", trustStoreAlgorithm='" + trustStoreAlgorithm + '\'' +
            ", validateHostnames='" + validateHostnames + '\'' +
            ", crlPath='" + crlPath + '\'' +
+           ", reloadSslContext='" + reloadSslContext + '\'' +
+           ", reloadSslContextSeconds='" + reloadSslContextSeconds + '\'' +
            '}';
   }
 }
diff --git a/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java b/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java
@@ -75,6 +75,7 @@
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.server.handler.ErrorHandler;
 import org.eclipse.jetty.util.component.LifeCycle;
+import org.eclipse.jetty.util.ssl.KeyStoreScanner;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.util.thread.ScheduledExecutorScheduler;
@@ -347,6 +348,11 @@ static Server makeAndInitializeServer(
       }
       connector.setPort(node.getTlsPort());
       serverConnectors.add(connector);
+      if (tlsServerConfig.isReloadSslContext()) {
+        KeyStoreScanner keyStoreScanner = new KeyStoreScanner(sslContextFactory);
+        keyStoreScanner.setScanInterval(tlsServerConfig.getReloadSslContextSeconds());
+        server.addBean(keyStoreScanner);
+      }
     } else {
       sslContextFactory = null;
     }