If a cert gets updated in an SSL bundle by the newly introduced reload-on-update: true in spring.ssl.bundle, an already consuming RestTemplate doesn't get updated. Only the server cert gets updated with this mechanism.

  1. Describe this behavior in the documentation (until fixed): "A file watcher is then watching the files and if they change, the SSL bundle will be reloaded. This in turn triggers a reload in the consuming component..." This is not true for RestTemplates.

  2. Provide a fix for it so that all consuming dependencies of the bundle get updated.

Example Configuration which doesn't get updated:

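```java
import javax.net.ssl.SSLContext;

import org.apache.hc.client5.http.classic.HttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.ssl.NoSuchSslBundleException;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class RestClientConfiguration {

    // Created once at startup; a later reload of the bundle does not replace it.
    private final SSLContext sslContext;

    @Autowired
    public RestClientConfiguration(SslBundles sslBundles) throws NoSuchSslBundleException {
        SslBundle sslBundle = sslBundles.getBundle("mybundle");
        this.sslContext = sslBundle.createSslContext();
    }

    @Bean
    public RestTemplate restTemplate() {
        SSLConnectionSocketFactory sslSocketFactory = SSLConnectionSocketFactoryBuilder.create().setSslContext(this.sslContext).build();
        HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(sslSocketFactory).build();
        HttpClient httpClient = HttpClients.custom().setConnectionManager(cm).evictExpiredConnections().build();
        HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
        return new RestTemplate(factory);
    }

}
```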

Comment From: bclozel

This limitation is highlighted in the reference documentation right before the section you have quoted:

SSL bundles can be reloaded when the key material changes. The component consuming the bundle has to be compatible with reloadable SSL bundles. Currently the following components are compatible:

  • Tomcat web server
  • Netty web server

I'm closing this issue as a result.

Comment From: ahoehn

OK, maybe a misunderstanding on my side, but the comment pointed me more to the compatible web servers than to the fact that components like RestTemplate are not compatible.

Comment From: bclozel

Listing all incompatible libraries and technologies would not be practical. Feel free to suggest a documentation improvement that would make things clearer.
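
One way for a client to follow bundle reloads itself, shown as an added example that is not code from the issue or from the Spring Boot project: register an update handler on the bundle and rebuild the HTTP client whenever the key material changes. It assumes Spring Boot 3.2 or later (for `SslBundles.addBundleUpdateHandler`) and Apache HttpClient 5, and reuses the bundle name `mybundle` from the issue; the class name `ReloadingRestClientConfiguration` and the helper `buildFactory` are hypothetical.

```java
import java.net.URI;
import java.util.concurrent.atomic.AtomicReference;

import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class ReloadingRestClientConfiguration { // hypothetical name

    @Bean
    public RestTemplate restTemplate(SslBundles sslBundles) {
        // Holds the request factory built from the most recent version of the bundle.
        AtomicReference<ClientHttpRequestFactory> current =
                new AtomicReference<>(buildFactory(sslBundles.getBundle("mybundle")));
        // Invoked by Spring Boot each time the watched key material is reloaded.
        // The previous client is not closed here, so in-flight requests finish on it;
        // a long-running service should close it once those requests are done.
        sslBundles.addBundleUpdateHandler("mybundle",
                updated -> current.set(buildFactory(updated)));
        // Resolve the factory per request, so new requests use the reloaded certificates.
        return new RestTemplate(
                (URI uri, HttpMethod method) -> current.get().createRequest(uri, method));
    }

    // Hypothetical helper: same client construction as in the issue, per bundle version.
    private static ClientHttpRequestFactory buildFactory(SslBundle bundle) {
        var sslSocketFactory = SSLConnectionSocketFactoryBuilder.create()
                .setSslContext(bundle.createSslContext()).build();
        var cm = PoolingHttpClientConnectionManagerBuilder.create()
                .setSSLSocketFactory(sslSocketFactory).build();
        var httpClient = HttpClients.custom().setConnectionManager(cm)
                .evictExpiredConnections().build();
        return new HttpComponentsClientHttpRequestFactory(httpClient);
    }
}
```

Because the `RestTemplate` bean only holds the delegating factory, callers that already have it injected pick up the new certificate or trust material on their next request without a restart.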