Hot reload - cert renewal

[lenin-joseph]

Hi,

We run jmxexporter as a container with the below command and we would like to know whether hot reload of certs is supported?

java -XX:InitialRAMPercentage=50.000000 -XX:MinRAMPercentage=70.000000 -XX:MaxRAMPercentage=50.000000 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=7071 -jar /opt/jmx_exporter/jmx_prometheus_httpserver-0.20.0.jar 9072 /tmp/https_config.yml

Configs:

httpServer:
ssl:
keyStore:
filename: /tmp/keystore.jks
password: password
certificate:
alias: cmx
hostPort: localhost:7072
ssl: false

bash-4.4$ java -version
openjdk version "11.0.25" 2024-10-15
OpenJDK Runtime Environment (build 11.0.25+9-suse-150000.3.119.1-x8664)
OpenJDK 64-Bit Server VM (build 11.0.25+9-suse-150000.3.119.1-x8664, mixed mode)

[dhoard]

@lenin-joseph hot reloading of the certificates used by the HTTP server is not supported.

Questions

1. Are using the standalone JmxExporter and connecting via RMI?
2. If you are connecting via RMI, are the RMI connections using SSL/TLS?
3. If so, how are you managing the RMI SSL certificate rotation since they are handled by the JVM as command-line properties/arguments?

Details

Implementation would require some refactoring. We would have to move the configuration loading/reloading to the main Java agent/standalone classes and remove it from JmxExporter in the collector module.

There are a few people that are using the JmxCollector directly. Moving the configuration loading/reloading would require them to implement the logic themselves.

Considering our support statement on using the JmxCollector / collector module directly...

https://prometheus.github.io/jmx_exporter/1.1.0/collector/

... I'm not opposed to the change.