certs: reload on both key and cert changes

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
2024-12-04 16:48:24 +00:00 · 2023-11-24 20:05:56 +01:00 · 2023-11-24 20:05:56 +01:00 · 198bd2bd59
commit 198bd2bd59
parent efaa4bd14f
2 changed files with 50 additions and 12 deletions
--- a/certs/certs.go
+++ b/certs/certs.go
@ -14,6 +14,7 @@ import (
 	"math/big"
 	"net"
 	"os"
 	"strings"
 	"sync"
 	"time"
@ -81,31 +82,61 @@ func New(host ...string) (tls.Certificate, error) {
 	return tls.X509KeyPair(certOut.Bytes(), keyOut.Bytes())
 }
 func TLSConfig(ctx context.Context, cert, key string) (*tls.Config, error) {
 	c, err := Load(ctx, cert, key)
 	if err != nil {
 		return nil, err
 	}
 	return &tls.Config{
 		GetCertificate: c,
 	}, nil
 }
 func Load(ctx context.Context, cert, key string) (func(info *tls.ClientHelloInfo) (*tls.Certificate, error), error) {
-	f, err := file.NewConfig(cert)
+	c, err := file.NewConfig(cert)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load cert: %v", err)
 	}
-	crt, err := load(f, key)
+	k, err := file.NewConfig(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load key: %v", err)
 	}
 	crt, err := load(c, key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load cert: %v", err)
 	}
 	var mu sync.RWMutex
-	ch := make(chan []byte)
+	kch := make(chan []byte)
-	if err := f.Watch(ctx, ch); err != nil {
+	if err := k.Watch(ctx, kch); err != nil {
 		return nil, fmt.Errorf("failed to watch key: %v", err)
 	}
 	cch := make(chan []byte)
 	if err := c.Watch(ctx, cch); err != nil {
 		return nil, fmt.Errorf("failed to watch cert: %v", err)
 	}
-	go func() {
+	reload := func() {
-		for range ch {
+		c, err := load(c, key)
-			c, err := load(f, key)
+		// ignore errors due to cert and key not matching as this is expected
-			if err != nil {
+		// when the cert is being reloaded and the key is not yet updated or vice versa
 		if err != nil && !strings.Contains(err.Error(), "does not match") {
 			logger.C(ctx).Errorf("failed to reload cert: %v", err)
-				continue
+			return
 		}
 		mu.Lock()
 		crt = c
 		mu.Unlock()
 	}
 	go func() {
 		for {
 			select {
 			case <-kch:
 				reload()
 			case <-cch:
 				reload()
 			case <-ctx.Done():
 				return
 			}
 		}
 	}()
 	return func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
--- a/certs/certs_test.go
+++ b/certs/certs_test.go
@ -55,6 +55,7 @@ func TestLoad(t *testing.T) {
 			require.NoError(t, err)
 			require.NotNil(t, got)
 			require.Equal(t, want.Certificate, got.Certificate)
 			require.Equal(t, want.PrivateKey, got.PrivateKey)
 			require.Equal(t, want.Leaf, got.Leaf)
 		}
 	})
@ -77,6 +78,9 @@ func write(t *testing.T, dir string, cert tls.Certificate) {
 		Type:  "CERTIFICATE",
 		Bytes: cert.Certificate[0],
 	}))
 	if err := crt.Sync(); err != nil {
 		t.Fatal(err)
 	}
 	key, err := os.Create(filepath.Join(dir, "key.pem"))
 	require.NoError(t, err)
 	defer key.Close()
@ -86,4 +90,7 @@ func write(t *testing.T, dir string, cert tls.Certificate) {
 		Type:  "RSA PRIVATE KEY",
 		Bytes: b,
 	}))
 	if err := key.Sync(); err != nil {
 		t.Fatal(err)
 	}
 }