kezhenxu94 opened a new pull request, #13933: URL: https://github.com/apache/skywalking/pull/13933
## Motivation

The OAP gRPC servers already support TLS (including mTLS and automatic certificate reload on rotation), but the Armeria-based HTTP/REST servers did not: the certificate and key were read **once** at startup, and most HTTP servers did not expose any TLS configuration at all. This PR adds server-side TLS for all OAP HTTP/REST servers with automatic reload on rotation, configurable once and shared across every HTTP endpoint — matching how certs are mounted from a Kubernetes secret on disk.

## Changes

- **Cert hot-reload (`HTTPServer`)** — replaced the one-shot `sb.tls(cert, key)` with Armeria's native `TlsProvider.ofScheduled(...)`, which re-reads the key pair from disk on a schedule. Rotated certificates are picked up without an OAP restart. Key loading still goes through `PrivateKeyUtil` (PKCS#1 → PKCS#8).
- **Single shared config** — `restSSLEnabled` / `restSSLKeyPath` / `restSSLCertChainPath` under `core` (env vars `SW_CORE_REST_SSL_*`). The core REST, PromQL, LogQL, TraceQL and Zipkin query/receiver servers read it through `CoreModule`'s `ConfigService` at `start()`. The sharing-server and admin servers build their HTTP server during `prepare()` (where cross-module services aren't yet registered), so they carry their own fields wired to the **same** env vars in `application.yml`.
- HTTP TLS is **server-side only** (no mTLS); gRPC TLS is unchanged.
- Docs: `grpc-security.md`, `configuration-vocabulary.md`, `changes.md`.

## Testing

- New `HTTPServerTLSTest` (3 tests): loads a key pair from disk, picks up a rotated certificate on re-read, and fails on missing files.
- All changed modules compile; checkstyle passes on all changed modules.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
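
As an added illustration (not code from this PR, SkyWalking, or Armeria), this is the scheduled re-read pattern the description refers to, written against the plain JDK (Java 17). `ReloadingKeyPair`, `Snapshot`, `reloadOnce` and `start` are hypothetical names, and keeping the last good pair when a later re-read fails is an assumption of this example, not documented behaviour of `TlsProvider.ofScheduled(...)`.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.*;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical helper for illustration; not SkyWalking's HTTPServer or Armeria's TlsProvider.
public final class ReloadingKeyPair {
    // Immutable snapshot: readers never see a new certificate paired with an old key.
    public record Snapshot(Collection<? extends Certificate> chain, byte[] keyPem, byte[] digest) { }

    private final Path certPath, keyPath;
    private final AtomicReference<Snapshot> current = new AtomicReference<>();

    public ReloadingKeyPair(Path certPath, Path keyPath) throws Exception {
        this.certPath = certPath; this.keyPath = keyPath;
        current.set(load()); // startup fails fast on missing or unparsable files
    }

    public Snapshot get() { return current.get(); }

    private Snapshot load() throws Exception {
        byte[] cert = Files.readAllBytes(certPath); // follows symlinks, e.g. a mounted secret
        byte[] key = Files.readAllBytes(keyPath);
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        sha.update(cert);
        byte[] digest = sha.digest(key); // one digest over both files, for change detection only
        Collection<? extends Certificate> chain = CertificateFactory.getInstance("X.509")
            .generateCertificates(new ByteArrayInputStream(cert));
        if (chain.isEmpty()) throw new IllegalStateException("no certificate in " + certPath);
        return new Snapshot(chain, key, digest);
    }

    // One re-read; returns true only when a changed, parsable pair was swapped in.
    public boolean reloadOnce() {
        try {
            Snapshot next = load();
            if (Arrays.equals(next.digest(), current.get().digest())) return false;
            current.set(next);
            return true;
        } catch (Exception e) {
            return false; // mid-rotation or bad file: keep serving the last good pair
        }
    }

    public ScheduledExecutorService start(long periodSeconds) {
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor();
        ses.scheduleWithFixedDelay(this::reloadOnce, periodSeconds, periodSeconds, TimeUnit.SECONDS);
        return ses;
    }
}
```

The example does not check that the private key matches the leaf certificate; that check is left to the TLS layer that consumes the snapshot.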
