Couchbase Server / MB-62302

Explore whether there is a way to refresh the TLS certificate without closing the listener


Details

    • Epic
    • Resolution: Unresolved
    • Major
    • Morpheus
    • Morpheus
    • ns_server
    • None
    • No downtime cert refresh
    • To Do
    • 0

    Description

      Currently, with each cert refresh we tear down the listeners and bring them back up again. This is the case for ns_server and query (MB-61782). It is likely that this is true for all the services involved.

      We need to consider alternate ways to refresh/rotate certs without downtime.
      One of the options is put forth in MB-61782; copying the snippet from that bug:
      ----------------------------------------------------------------------
      Read this https://blog.diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/ or any other Google result. I am not sure if this works, but one should explore it versus interrupting the service.

      Choosing the TLS config before the TLS handshake
      https://github.com/couchbase/query/blob/master/server/http/service_endpoint.go#L494-L512

      When we receive a certificate change, why not load the certificate (under lock) into HttpEndpoint (what we did below)?

      https://github.com/couchbase/query/blob/master/server/http/service_endpoint.go#L224-L241

      Later, the callback can use that here: https://github.com/couchbase/query/blob/master/server/http/service_endpoint.go#L244

      Check how the FTS/Index services do it: https://github.com/couchbase/cbft/blob/master/cmd/cbft/init_grpc.go#L77



          People

            Abhijeeth.Nuthan Abhijeeth Nuthan
            Votes: 0
            Watchers: 3


              Gerrit Reviews

                There are no open Gerrit changes
