BREAKING CHANGE(smart-proxy): move certificate persistence to an in-memory store and introduce consumer-managed certStore API; add default self-signed fallback cert and change ACME account handling

2026-02-13 16:32:02 +00:00
parent e0af82c1ef
commit 0e058594c9
17 changed files with 296 additions and 397 deletions
--- a/rust/crates/rustproxy-passthrough/src/tcp_listener.rs
+++ b/rust/crates/rustproxy-passthrough/src/tcp_listener.rs
@@ -88,8 +88,8 @@ pub struct TcpListenerManager {
    route_manager: Arc<ArcSwap<RouteManager>>,
    /// Shared metrics collector
    metrics: Arc<MetricsCollector>,
-    /// TLS acceptors indexed by domain
-    tls_configs: Arc<HashMap<String, TlsCertConfig>>,
+    /// TLS acceptors indexed by domain (ArcSwap for hot-reload visibility in accept loops)
+    tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
    /// HTTP proxy service for HTTP-level forwarding
    http_proxy: Arc<HttpProxyService>,
    /// Connection configuration
@@ -118,7 +118,7 @@ impl TcpListenerManager {
            listeners: HashMap::new(),
            route_manager: Arc::new(ArcSwap::from(route_manager)),
            metrics,
-            tls_configs: Arc::new(HashMap::new()),
+            tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
            http_proxy,
            conn_config: Arc::new(conn_config),
            conn_tracker,
@@ -142,7 +142,7 @@ impl TcpListenerManager {
            listeners: HashMap::new(),
            route_manager: Arc::new(ArcSwap::from(route_manager)),
            metrics,
-            tls_configs: Arc::new(HashMap::new()),
+            tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
            http_proxy,
            conn_config: Arc::new(conn_config),
            conn_tracker,
@@ -161,8 +161,9 @@ impl TcpListenerManager {
    }

    /// Set TLS certificate configurations.
-    pub fn set_tls_configs(&mut self, configs: HashMap<String, TlsCertConfig>) {
-        self.tls_configs = Arc::new(configs);
+    /// Uses ArcSwap so running accept loops immediately see the new certs.
+    pub fn set_tls_configs(&self, configs: HashMap<String, TlsCertConfig>) {
+        self.tls_configs.store(Arc::new(configs));
    }

    /// Set the shared socket-handler relay path.
@@ -284,7 +285,7 @@ impl TcpListenerManager {
        port: u16,
        route_manager_swap: Arc<ArcSwap<RouteManager>>,
        metrics: Arc<MetricsCollector>,
-        tls_configs: Arc<HashMap<String, TlsCertConfig>>,
+        tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
        http_proxy: Arc<HttpProxyService>,
        conn_config: Arc<ConnectionConfig>,
        conn_tracker: Arc<ConnectionTracker>,
@@ -314,7 +315,8 @@ impl TcpListenerManager {
                            // Load the latest route manager from ArcSwap on each connection
                            let rm = route_manager_swap.load_full();
                            let m = Arc::clone(&metrics);
-                            let tc = Arc::clone(&tls_configs);
+                            // Load the latest TLS configs from ArcSwap on each connection
+                            let tc = tls_configs.load_full();
                            let hp = Arc::clone(&http_proxy);
                            let cc = Arc::clone(&conn_config);
                            let ct = Arc::clone(&conn_tracker);