chore: streamline config reload

Author: tobyhede

docs/errors.md

@@ -32,6 +32,8 @@
 
 - Configuration errors:
   - [Missing or invalid TLS configuration](#config-missing-or-invalid-tls)
+  - [Network configuration change requires restart](#config-network-change-requires-restart)
+
 <!-- ---------------------------------------------------------------------------------------------------- -->
 
 <!-- ---------------------------------------------------------------------------------------------------- -->
@@ -651,3 +653,35 @@ Check that the certificate and private key are valid.
 
 
 <!-- ---------------------------------------------------------------------------------------------------- -->
+
+
+## Network configuration change requires restart <a id='config-network-change-requires-restart'></a>
+
+A configuration reload was attempted with network-level changes that require a full restart.
+
+### Error message
+
+```
+Network configuration change requires restart
+```
+
+### Notes
+
+When receiving a SIGHUP signal, CipherStash Proxy attempts to reload application-level configuration without disrupting active connections. However, certain network-related configuration changes require stopping and restarting the proxy service to take effect.
+
+The following settings require a restart when changed:
+- `server.host` - The host address the proxy listens on
+- `server.port` - The port the proxy listens on
+- `server.require_tls` - TLS requirement setting
+- `server.worker_threads` - Number of worker threads
+- `tls` - Any TLS certificate or key configuration
+
+### How to fix
+
+1. Stop the CipherStash Proxy service
+2. Update the configuration as needed
+3. Restart the CipherStash Proxy service
+
+Application-level configuration changes (database, auth, encrypt, log, prometheus, development) can be reloaded without restart using SIGHUP.
+
+<!-- ---------------------------------------------------------------------------------------------------- -->

packages/cipherstash-proxy/src/config/tls.rs

@@ -10,7 +10,7 @@ use crate::{error::TlsConfigError, log::CONFIG};
 /// Server TLS Configuration
 /// This is listener/inbound connection config
 ///
-#[derive(Clone, Debug, Deserialize)]
+#[derive(Clone, Debug, Deserialize, PartialEq)]
 #[serde(untagged)]
 pub enum TlsConfig {
     Pem {

packages/cipherstash-proxy/src/error.rs

@@ -176,6 +176,9 @@ pub enum ConfigError {
     #[error("Expected an Encrypt configuration table")]
     MissingEncryptConfigTable,
 
+    #[error("Network configuration change requires restart For help visit {}#config-network-change-requires-restart", ERROR_DOC_BASE_URL)]
+    NetworkConfigurationChangeRequiresRestart,
+
     #[error(transparent)]
     Parse(#[from] serde_json::Error),
 

packages/cipherstash-proxy/src/main.rs

@@ -1,12 +1,11 @@
 use cipherstash_proxy::config::TandemConfig;
 use cipherstash_proxy::connect::{self, AsyncStream};
-use cipherstash_proxy::error::Error;
+use cipherstash_proxy::error::{ConfigError, Error};
 use cipherstash_proxy::prometheus::CLIENTS_ACTIVE_CONNECTIONS;
 use cipherstash_proxy::proxy::Proxy;
 use cipherstash_proxy::{cli, log, postgresql as pg, prometheus, tls, Args};
 use clap::Parser;
 use metrics::gauge;
-use tokio::net::TcpListener;
 use tokio::signal::unix::{signal, SignalKind};
 use tokio_util::task::TaskTracker;
 use tracing::{error, info, warn};
@@ -55,7 +54,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 
         let mut proxy = init(config).await;
 
-        let mut listener = connect::bind_with_retry(&proxy.config.server).await;
+        let listener = connect::bind_with_retry(&proxy.config.server).await;
         let tracker = TaskTracker::new();
 
         let mut client_id = 0;
@@ -81,13 +80,8 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
                 break;
             },
             _ = sighup() => {
-                info!(msg = "Received SIGHUP. Reloading configuration");
-                (listener, proxy) = match reload_config(listener, &args).await {
-                    Ok((listener, proxy)) => (listener, proxy),
-                    Err(_) => todo!(),
-                };
-
-                info!(msg = "Reloaded configuration");
+                info!(msg = "Received SIGHUP. Reloading application configuration");
+                proxy = reload_application_config(&proxy.config, &args).await.unwrap_or(proxy);
             },
             _ = sigterm() => {
                 info!(msg = "Received SIGTERM");
@@ -264,7 +258,15 @@ async fn sighup() -> std::io::Result<()> {
     Ok(())
 }
 
-async fn reload_config(listener: TcpListener, args: &Args) -> Result<(TcpListener, Proxy), Error> {
+fn has_network_config_changed(current: &TandemConfig, new: &TandemConfig) -> bool {
+    current.server.host != new.server.host
+        || current.server.port != new.server.port
+        || current.server.require_tls != new.server.require_tls
+        || current.server.worker_threads != new.server.worker_threads
+        || current.tls != new.tls
+}
+
+async fn reload_application_config(config: &TandemConfig, args: &Args) -> Result<Proxy, Error> {
     let new_config = match TandemConfig::load(args) {
         Ok(config) => config,
         Err(err) => {
@@ -276,13 +278,15 @@ async fn reload_config(listener: TcpListener, args: &Args) -> Result<(TcpListene
         }
     };
 
-    let new_proxy = init(new_config).await;
+    // Check for network config changes that require restart
+    if has_network_config_changed(config, &new_config) {
+        let err = ConfigError::NetworkConfigurationChangeRequiresRestart;
+        warn!(msg = err.to_string());
 
-    // Explicit drop needed here to free the network resources before binding if using the same address & port
-    std::mem::drop(listener);
+        return Err(err.into());
+    }
 
-    Ok((
-        connect::bind_with_retry(&new_proxy.config.server).await,
-        new_proxy,
-    ))
+    info!(msg = "Configuration reloaded");
+    let proxy = init(new_config).await;
+    Ok(proxy)
 }