Restore ssl_multicert.config for compatibility #13199
Draft
masaori335 wants to merge 7 commits into
Pull request overview
This PR restores backward compatibility for TLS multi-certificate configuration by reintroducing support for legacy ssl_multicert.config as a fallback when ssl_multicert.yaml is absent, while keeping YAML as the preferred/default format.
Changes:
- Add runtime fallback logic: prefer ssl_multicert.yaml, fall back to ssl_multicert.config only when the multicert filename record is at the default and YAML is missing.
- Update config tracking / file naming constants so components reference the YAML default explicitly while still registering the legacy file for monitoring.
- Add gold tests and admin documentation covering legacy fallback, precedence when both files exist, and disabling fallback when a custom filename record is set.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| tests/gold_tests/config/ssl_multicert_legacy_fallback.test.py | New gold test covering legacy fallback, “both present” precedence, and custom-record disabling of fallback. |
| tests/gold_tests/autest-site/trafficserver.test.ext | Adds a use_legacy_ssl_multicert option to skip staging the default ssl_multicert.yaml in tests. |
| src/traffic_server/traffic_server.cc | Adjusts FileManager parent binding to match the actually-loaded multicert filename (YAML vs legacy). |
| src/traffic_layout/info.cc | Updates layout output to use the YAML multicert filename constant. |
| src/traffic_ctl/SSLMultiCertCommand.cc | Makes traffic_ctl prefer YAML but fall back to legacy when YAML is absent and legacy exists. |
| src/records/RecordsConfig.cc | Changes the default record value for proxy.config.ssl.server.multicert.filename to ssl_multicert.yaml. |
| src/iocore/net/SSLUtils.cc | Uses the resolved multicert path in loader diagnostics and moves the null-path guard earlier. |
| src/iocore/net/SSLConfig.cc | Implements the default-only legacy fallback logic and emits Notes for fallback / legacy-ignored cases. |
| src/iocore/net/SSLClientCoordinator.cc | Tracks the YAML multicert file via ConfigRegistry and also registers the legacy file with FileManager. |
| include/tscore/Filenames.h | Splits multicert constants into SSL_MULTICERT_YAML and legacy SSL_MULTICERT (.config). |
| doc/admin-guide/files/ssl_multicert.yaml.en.rst | Documents the legacy fallback behavior in the YAML-format docs. |
| doc/admin-guide/files/ssl_multicert.config.en.rst | Adds documentation for the legacy line-based format and migration guidance. |
| doc/admin-guide/files/index.en.rst | Adds the legacy multicert doc page to the admin guide index and brief description. |
Comment on lines 36 to +53
| @@ -41,7 +44,13 @@ get_default_ssl_multicert_path() | |||
| } else { | |||
| sysconfdir = Layout::get()->sysconfdir; | |||
| } | |||
| return Layout::get()->relative_to(sysconfdir, ts::filename::SSL_MULTICERT); | |||
| std::string yaml_path = Layout::get()->relative_to(sysconfdir, ts::filename::SSL_MULTICERT_YAML); | |||
| std::string legacy_path = Layout::get()->relative_to(sysconfdir, ts::filename::SSL_MULTICERT); | |||
|
|
|||
| if (!swoc::file::exists(swoc::file::path(yaml_path)) && swoc::file::exists(swoc::file::path(legacy_path))) { | |||
| return legacy_path; | |||
| } | |||
| return yaml_path; | |||
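Review bot: The fallback at `return legacy_path;` is chosen silently, based only on the two swoc::file::exists() checks, so a caller of get_default_ssl_multicert_path() cannot tell whether it received the YAML path or the legacy ssl_multicert.config path. Since this decides which certificate configuration gets used, consider emitting a short notice when the legacy path is returned, in line with the Notes the overview attributes to SSLConfig.cc, and add a comment above the condition stating that YAML wins when both files exist. The overview also lists separate fallback logic in SSLConfig.cc that additionally depends on the filename record being at its default; a single shared resolver would keep the two from drifting apart on precedence.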
#12755 replaced ssl_multicert.config with ssl_multicert.yaml. This restores ssl_multicert.config support for compatibility. Following #13191.