feat(rustproxy): support dynamically loaded TLS certificates via loadCertificate IPC and include them in listener TLS configs for rebuilds and hot-swap

2026-02-16 01:37:43 +00:00
parent 8409984fcc
commit 7b2ccbdd11
3 changed files with 37 additions and 1 deletions
--- a/rust/crates/rustproxy/src/lib.rs
+++ b/rust/crates/rustproxy/src/lib.rs
@@ -77,6 +77,8 @@ pub struct RustProxy {
    started_at: Option<Instant>,
    /// Shared path to a Unix domain socket for relaying socket-handler connections back to TypeScript.
    socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
+    /// Dynamically loaded certificates (via loadCertificate IPC), independent of CertManager.
+    loaded_certs: HashMap<String, TlsCertConfig>,
 }

 impl RustProxy {
@@ -118,6 +120,7 @@ impl RustProxy {
            started: false,
            started_at: None,
            socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
+            loaded_certs: HashMap::new(),
        })
    }

@@ -268,6 +271,13 @@ impl RustProxy {
            }
        }

+        // Merge dynamically loaded certs (from loadCertificate IPC)
+        for (d, c) in &self.loaded_certs {
+            if !tls_configs.contains_key(d) {
+                tls_configs.insert(d.clone(), c.clone());
+            }
+        }
+
        if !tls_configs.is_empty() {
            debug!("Loaded TLS certificates for {} domains", tls_configs.len());
            listener.set_tls_configs(tls_configs);
@@ -576,6 +586,12 @@ impl RustProxy {
                    }
                }
            }
+            // Merge dynamically loaded certs (from loadCertificate IPC)
+            for (d, c) in &self.loaded_certs {
+                if !tls_configs.contains_key(d) {
+                    tls_configs.insert(d.clone(), c.clone());
+                }
+            }
            listener.set_tls_configs(tls_configs);

            // Add new ports
@@ -786,6 +802,12 @@ impl RustProxy {
            cm.load_static(domain.to_string(), bundle);
        }

+        // Persist in loaded_certs so future rebuild calls include this cert
+        self.loaded_certs.insert(domain.to_string(), TlsCertConfig {
+            cert_pem: cert_pem.clone(),
+            key_pem: key_pem.clone(),
+        });
+
        // Hot-swap TLS config on the listener
        if let Some(ref mut listener) = self.listener_manager {
            let mut tls_configs = Self::extract_tls_configs(&self.options.routes);
@@ -809,6 +831,13 @@ impl RustProxy {
                }
            }

+            // Merge dynamically loaded certs from previous loadCertificate calls
+            for (d, c) in &self.loaded_certs {
+                if !tls_configs.contains_key(d) {
+                    tls_configs.insert(d.clone(), c.clone());
+                }
+            }
+
            listener.set_tls_configs(tls_configs);
        }