Added example for reloading ssl with quarkus

Author: Hakky54

README.MD

@@ -28,6 +28,7 @@ A repository containing different java tutorials
 - [Instant Server SSL Reloading with Netty](instant-server-ssl-reloading-with-netty/netty-server)
 - [Instant Server SSL Reloading with gRPC](grpc-client-server-with-ssl/instant-server-ssl-reloading-with-grpc)
 - [Instant Server SSL Reloading with Spring Boot and Jetty and Database](instant-ssl-reloading-with-spring-jetty-database)
+- [Instant Server SSL Reloading with Quarkus](instant-server-ssl-reloading-with-quarkus)
 - [gRPC with SSL for Client and Server](grpc-client-server-with-ssl)
 - [ElasticSearch with SSL](elasticsearch-with-ssl)
 - [WebSocket Client with SSL](websocket-client-with-ssl)  

grpc-client-server-with-ssl/instant-server-ssl-reloading-with-grpc/README.md

@@ -35,7 +35,7 @@ Open the certificate details in your browser by clicking on the lock logo (on Ch
 Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
 
 #### Refresh the server certificates
-Wait for one minute and if the keystores are found and have been updated, than the ssl configuration will be updated.
+Wait for one minute and if the keystores are found and have been updated, then the ssl configuration will be updated.
 Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down.
 You should have a similar certificate detail as shown below:
 

instant-server-ssl-reloading-with-netty/netty-server/README.md

@@ -35,7 +35,7 @@ Open the certificate details in your browser by clicking on the lock logo (on Ch
 Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
 
 #### Refresh the server certificates
-Wait for one minute and if the keystores are found and have been updated, than the ssl configuration will be updated.
+Wait for one minute and if the keystores are found and have been updated, then the ssl configuration will be updated.
 Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down.
 You should have a similar certificate detail as shown below:
 

instant-server-ssl-reloading-with-quarkus/README.md

@@ -0,0 +1,42 @@
+# Instant SSL Reloading 🔐
+A server configured with ssl has a key material and trust material. These materials are generated from a keypair and certificate which always have an expiration date.
+In a traditional server configuration a reboot of the server is required to apply the latest key material and trust material changes when the keystore and truststore are changed.
+A downtime is therefore unavoidable. This project demonstrates with a basic setup how update the server certificate from an external source without the need of restarting your server. In this way you can achieve zero downtime.
+
+The repository contains:
+ - Server, based on Quarkus
+
+### SSL Updating entrypoint for the server:
+The server has currently one way to update the existing ssl material:
+ - File based aka file change listener, see here for the implementation: [FilesBasedSslUpdateService](src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java)
+
+#### Requirements
+ - Java 11
+ - Terminal
+
+#### Configure SSL Update Service
+The server will check every minute for changes on the ssl material, in this case the `identity.jks` and `truststore.jks`. You will need to specify where the service should look for these files. Please change the properties below in [FileBasedSslUpdateService](src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java).
+```java
+private static final Path identityPath = Path.of("/path/to/your/identity.jks");
+private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
+private static final char[] identityPassword = "secret".toCharArray();
+private static final char[] trustStorePassword = "secret".toCharArray();
+```
+
+#### Start the server
+1. run `mvn clean install` on the [root directory of this repository](https://github.com/Hakky54/java-tutorials/)
+2. run `mvn quarkus:dev` on the [quarkus-server maven module](.)
+
+Visit the server with the following url on your browser: https://localhost:8443/hello
+Open the certificate details in your browser by clicking on the lock logo (on Chrome). You will see a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading-with-vertx/vertx-server/images/before-reloading.png?raw=true)
+
+Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
+
+#### Refresh the server certificates
+Wait for one minute and if the keystores are found and have been updated, then the ssl configuration will be updated.
+Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down.
+You should have a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading-with-quarkus/images/after-reloading.png?raw=true)

instant-server-ssl-reloading-with-quarkus/images/after-reloading.png

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.github.hakky54</groupId>
+        <artifactId>java-tutorials</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>instant-server-ssl-reloading-with-quarkus</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>sslcontext-kickstart</artifactId>
+            <version>${version.sslcontext-kickstart}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-resteasy-reactive</artifactId>
+        </dependency>
+    </dependencies>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-bom</artifactId>
+                <version>${version.quarkus}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-maven-plugin</artifactId>
+                <version>${version.quarkus}</version>
+                <extensions>true</extensions>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>build</goal>
+                            <goal>generate-code</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

instant-server-ssl-reloading-with-quarkus/images/before-reloading.png

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import io.quarkus.vertx.http.HttpServerOptionsCustomizer;
+import io.vertx.core.http.HttpServerOptions;
+import io.vertx.core.net.KeyCertOptions;
+import io.vertx.core.net.TrustOptions;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import nl.altindag.server.service.FileBasedSslUpdateService;
+import nl.altindag.ssl.SSLFactory;
+import org.jboss.logging.Logger;
+
+import java.net.URISyntaxException;
+import java.nio.file.Paths;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
+
+@ApplicationScoped
+public class ServerConfig implements HttpServerOptionsCustomizer {
+
+    private final Logger LOGGER;
+
+    @Inject
+    public ServerConfig(Logger logger) {
+        LOGGER = logger;
+    }
+
+    @Override
+    public void customizeHttpsServer(HttpServerOptions options) {
+        try {
+            // Example usage of initially loading the keystores from the classpath
+            // as absolute path within quarkus. Getting the files with class.getResource()
+            // is not needed if you are loading your files from the file system.
+            var identityUrl = ServerConfig.class.getResource("/identity.jks");
+            var trustUrl = ServerConfig.class.getResource("/truststore.jks");
+
+            var sslFactory = SSLFactory.builder()
+                    .withSwappableIdentityMaterial()
+                    .withIdentityMaterial(Paths.get(identityUrl.toURI()), "secret".toCharArray())
+                    .withSwappableTrustMaterial()
+                    .withTrustMaterial(Paths.get(trustUrl.toURI()), "secret".toCharArray())
+                    .build();
+
+            var sslUpdateService = new FileBasedSslUpdateService(sslFactory);
+
+            Executors.newSingleThreadScheduledExecutor().scheduleAtFixedRate(sslUpdateService::updateSslMaterial, 1, 1, TimeUnit.MINUTES);
+            LOGGER.info("Checking every minute for changes on the keystore and truststore files");
+
+            options.setSsl(true)
+                    .setKeyCertOptions(KeyCertOptions.wrap(sslFactory.getKeyManager().orElseThrow()))
+                    .setTrustOptions(TrustOptions.wrap(sslFactory.getTrustManager().orElseThrow()));
+
+            HttpServerOptionsCustomizer.super.customizeHttpsServer(options);
+        } catch (URISyntaxException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+}

instant-server-ssl-reloading-with-quarkus/pom.xml

@@ -0,0 +1,32 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.resource;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+
+@Path("/hello")
+public class GreetingResource {
+
+    @GET
+    @Produces(MediaType.TEXT_PLAIN)
+    public String hello() {
+        return "Hello World!";
+    }
+
+}

instant-server-ssl-reloading-with-quarkus/src/main/java/nl/altindag/server/config/ServerConfig.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.service;
+
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.util.SSLFactoryUtils;
+import org.jboss.logging.Logger;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+
+public class FileBasedSslUpdateService {
+
+    private static final Logger LOGGER = Logger.getLogger(FileBasedSslUpdateService.class);
+
+    private static final Path identityPath = Path.of("/path/to/your/identity.jks");
+    private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
+    private static final char[] identityPassword = "secret".toCharArray();
+    private static final char[] trustStorePassword = "secret".toCharArray();
+
+    private ZonedDateTime lastModifiedTimeIdentityStore = ZonedDateTime.ofInstant(Instant.EPOCH, ZoneOffset.UTC);
+    private ZonedDateTime lastModifiedTimeTrustStore = ZonedDateTime.ofInstant(Instant.EPOCH, ZoneOffset.UTC);
+
+    private final SSLFactory baseSslFactory;
+
+    public FileBasedSslUpdateService(SSLFactory baseSslFactory) {
+        this.baseSslFactory = baseSslFactory;
+        LOGGER.info("Started listening for any changes on the keystore and truststore files...");
+    }
+
+    public void updateSslMaterial() {
+        try {
+            if (Files.exists(identityPath) && Files.exists(trustStorePath)) {
+                BasicFileAttributes identityAttributes = Files.readAttributes(identityPath, BasicFileAttributes.class);
+                BasicFileAttributes trustStoreAttributes = Files.readAttributes(trustStorePath, BasicFileAttributes.class);
+
+                boolean identityUpdated = lastModifiedTimeIdentityStore.isBefore(ZonedDateTime.ofInstant(identityAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC));
+                boolean trustStoreUpdated = lastModifiedTimeTrustStore.isBefore(ZonedDateTime.ofInstant(trustStoreAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC));
+
+                if (identityUpdated && trustStoreUpdated) {
+                    LOGGER.info("Keystore files have been changed. Trying to read the file content and preparing to update the ssl material");
+
+                    SSLFactory updatedSslFactory = SSLFactory.builder()
+                            .withIdentityMaterial(identityPath, identityPassword)
+                            .withTrustMaterial(trustStorePath, trustStorePassword)
+                            .build();
+
+                    SSLFactoryUtils.reload(baseSslFactory, updatedSslFactory);
+
+                    lastModifiedTimeIdentityStore = ZonedDateTime.ofInstant(identityAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC);
+                    lastModifiedTimeTrustStore = ZonedDateTime.ofInstant(trustStoreAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC);
+
+                    LOGGER.info("Updating ssl material finished");
+                }
+            }
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+}

instant-server-ssl-reloading-with-quarkus/src/main/java/nl/altindag/server/resource/GreetingResource.java

@@ -35,7 +35,7 @@ Open the certificate details in your browser by clicking on the lock logo (on Ch
 Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
 
 #### Refresh the server certificates
-Wait for one minute and if the keystores are found and have been updated, than the ssl configuration will be updated.
+Wait for one minute and if the keystores are found and have been updated, then the ssl configuration will be updated.
 Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down.
 You should have a similar certificate detail as shown below:
 

instant-server-ssl-reloading-with-quarkus/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java

@@ -21,6 +21,7 @@
         <module>instant-server-ssl-reloading-with-netty</module>
         <module>console-captor-examples</module>
         <module>instant-ssl-reloading-with-spring-jetty-database</module>
+        <module>instant-server-ssl-reloading-with-quarkus</module>
     </modules>
 
     <licenses>
@@ -76,6 +77,7 @@
         <version.websocket-client>9.4.50.v20221201</version.websocket-client>
         <version.vertx>4.3.7</version.vertx>
         <version.netty>4.1.86.Final</version.netty>
+        <version.quarkus>3.0.3.Final</version.quarkus>
         <quarkus.platform.version>2.15.1.Final</quarkus.platform.version>
         <version.lombok>1.18.24</version.lombok>
         <version.jboss-logging>3.5.0.Final</version.jboss-logging>