@clwluvw clwluvw commented Nov 14, 2025

What is this feature?

When tlsClientCertFile and tlsClientKeyFile are set, configure GetClientCertificate to reload the certificate and key on each request. This enables mTLS deployments to rotate certificates without requiring an application restart.

Why do we need this feature?

mTLS datasources typically use client certificates that are rotated regularly, often with short lifetimes (e.g., a few months or less). Relying on application restarts to pick up new certificates is operationally fragile and doesn’t scale, especially when the restart must be coordinated before expiry.

With this feature, environments such as Kubernetes, where cert-manager handles certificate rotation, can update client certificates. Grafana will load the certificate dynamically.

Who is this feature for?

Whoever uses datasources with mTLS.

Which issue(s) does this PR fix?:

ref. #44296

Special notes for your reviewer:

Requires: grafana/grafana-plugin-sdk-go#1429

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

When tlsClientCertFile and tlsClientKeyFile are set, configure
GetClientCertificate to reload the certificate and key on each request.
This enables mTLS deployments to rotate certificates without requiring
an application restart.

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
@clwluvw clwluvw requested review from a team and irenerl24 as code owners November 14, 2025 21:17
@clwluvw clwluvw requested review from andresmgot, oshirohugo and toddtreece and removed request for a team November 14, 2025 21:17
CLAassistant commented Nov 14, 2025

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added this to the 12.4.x milestone Nov 14, 2025
@github-actions github-actions bot added the type/docs and area/backend labels Nov 14, 2025
@andresmgot
Contributor

Again, thank you for your contribution. Replied in detail in grafana/grafana-plugin-sdk-go#1429 (comment). TL;DR; Plugins should not use the file system.

@wbrowne
Contributor

wbrowne commented Nov 17, 2025

Also, perhaps using the approach mentioned here along with the provisioning reload API may be an option for you.
