pgpool: Feature: reload SSL certificates on SIGHUP without restart.

From: Tatsuo Ishii <ishii(at)postgresql(dot)org>
To: pgpool-committers(at)lists(dot)postgresql(dot)org
Subject: pgpool: Feature: reload SSL certificates on SIGHUP without restart.
Date: 2026-04-18 10:05:28
Message-ID: E1wE2YK-005Tyc-1v@gothos.postgresql.org
Lists: pgpool-committers

Feature: reload SSL certificates on SIGHUP without restart.

Allow Pgpool-II to pick up rotated TLS certificates (and any change to
SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload
pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12.

Problem:
All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert,
ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently
ignored when pool_get_config() was called under CFGCXT_RELOAD.
Furthermore, SSL_ServerSide_init() was only called once at startup in
main.c and never again, so the in-memory SSL_CTX was never refreshed.

Fix:
1. src/main/pgpool_main.c
   - Include utils/pool_ssl.h.
   - In reload_config(), call SSL_ServerSide_init() (guarded by
     #ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function
     already replaces SSL_frontend_context atomically: it frees the old
     SSL_CTX only after a new one has been created successfully, so a
     failed reload leaves the existing context intact.

2. src/protocol/child.c
   - In check_config_reload(), call SSL_ServerSide_init() (guarded by
     #ifdef USE_SSL) so each worker child also refreshes its own copy of
     the SSL context for subsequent new connections. In-flight TLS
     sessions are unaffected because they hold a direct reference to the
     SSL object, not to SSL_frontend_context.

3. src/config/pool_config_variables.c
   - Change CFGCXT_INIT -> CFGCXT_RELOAD for:
     ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert,
     ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve,
     ssl_dh_params_file, ssl_passphrase_command.
   - The 'ssl' boolean (master enable flag) is intentionally left as
     CFGCXT_INIT because dynamically enabling SSL at runtime is a
     larger, separate concern.

Usage after this change:
Standard in-place certificate rotation (cert-manager, ACME, manual
openssl refresh at the same path):

    # replace /etc/pgpool/server.{crt,key} with new files
    systemctl reload pgpool2
    # or: pgpool -f /etc/pgpool/pgpool.conf reload

New connections will use the new certificates after workers process
the reload signal. Existing connections are not interrupted.

Switching to a different certificate path also works: update
pgpool.conf then reload — the new paths are now accepted in
CFGCXT_RELOAD context.

Author: Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com>
Reviewed-by: Tatsuo Ishii <ishii(at)postgresql(dot)org>
Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mail.gmail.com

Branch
------
master

Details
-------
https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=931a37e7f63fe514e989d427e1b0c2b7f4344c0d

Modified Files
--------------
doc.ja/src/sgml/ssl.sgml | 64 +++--
doc/src/sgml/ssl.sgml | 60 ++++-
src/config/pool_config_variables.c | 21 +-
src/main/pgpool_main.c | 18 ++
src/protocol/child.c | 12 +
src/test/regression/tests/042.ssl_reload/README | 6 +
.../regression/tests/042.ssl_reload/server.crt | 79 ++++++
.../regression/tests/042.ssl_reload/server.key | 27 ++
.../regression/tests/042.ssl_reload/server.req | 61 +++++
src/test/regression/tests/042.ssl_reload/test.sh | 290 +++++++++++++++++++++
10 files changed, 584 insertions(+), 54 deletions(-)
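
Added example, not part of the commit and not Pgpool-II or OpenSSL code: a small C model of the reload behaviour the message describes, where a new context is built first, the global pointer is swapped only on success, and an in-flight session keeps the context it started with. The types ctx_t and session_t and all function names are hypothetical stand-ins for SSL_CTX, SSL and the pgpool routines; the empty string models a certificate that fails to load.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSL's refcounted SSL_CTX (not the real type). */
typedef struct { int refs; char cert[64]; } ctx_t;
/* Stand-in for SSL: a session pins the context it was created from. */
typedef struct { ctx_t *ctx; } session_t;

static ctx_t *frontend_ctx; /* plays the role of SSL_frontend_context */

static void ctx_free(ctx_t *c) { if (c && --c->refs == 0) free(c); }

/* Hypothetical loader: an empty string models an unreadable or invalid cert. */
static ctx_t *ctx_build(const char *cert)
{
    ctx_t *c;
    if (cert == NULL || cert[0] == '\0') return NULL;
    if ((c = calloc(1, sizeof *c)) == NULL) return NULL;
    c->refs = 1;
    snprintf(c->cert, sizeof c->cert, "%s", cert);
    return c;
}

/* Build first, swap only on success: 0 = swapped, -1 = old context kept. */
int reload_ctx(const char *cert)
{
    ctx_t *fresh = ctx_build(cert), *old = frontend_ctx;
    if (fresh == NULL) return -1;
    frontend_ctx = fresh;
    ctx_free(old); /* drops only the global's reference */
    return 0;
}

session_t session_open(void) { session_t s = { frontend_ctx }; if (s.ctx) s.ctx->refs++; return s; }
void session_close(session_t *s) { ctx_free(s->ctx); s->ctx = NULL; }

/* Constructed scenario; returns 1 when all three properties hold. */
int run_scenario(void)
{
    int ok = reload_ctx("cert-v1") == 0;
    session_t inflight = session_open();
    ok &= reload_ctx("") == -1 && strcmp(frontend_ctx->cert, "cert-v1") == 0;
    ok &= reload_ctx("cert-v2") == 0 && strcmp(inflight.ctx->cert, "cert-v1") == 0;
    session_t fresh = session_open();
    ok &= strcmp(fresh.ctx->cert, "cert-v2") == 0;
    session_close(&inflight); session_close(&fresh);
    return ok;
}

int main(void) { printf("scenario ok: %d\n", run_scenario()); return 0; }
```

The failed reload in the middle of the scenario is the case to watch in operation: the process keeps serving the previous certificate, so a rotation should be confirmed by checking the certificate a new connection actually receives.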
