pkg/transport: reload TLS certificates for every client requests

This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes #7576 Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com> Original commit can be found at https://github.com/coreos/etcd/pull/7784
2024-09-27 06:25:44 +00:00 · 2017-04-20 08:04:18 -07:00 · 2017-04-20 08:04:18 -07:00 · 4e21f87e3d
commit 4e21f87e3d
parent c309d745a6
1 changed files with 8 additions and 0 deletions
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@ -172,6 +172,14 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 		MinVersion:   tls.VersionTLS12,
 		ServerName:   info.ServerName,
 	}
+	// this only reloads certs when there's a client request
+	// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
+	cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+	}
+	cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+		return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+	}
 	return cfg, nil
 }