What this PR does / why we need it:

This PR adds a `Provider` struct in order to hold the TLS certificate and private key in memory, as well as some `watchers`. The `watchers` are responsible for watching for file events (e.g., file write) and execute a set of actions when those events are noticed. Two watchers have been created that have actions to refresh the TLS certificate and key respectively when the files change. These are then used by the `GetCertificate` function in the server's `tls.Config` on every request.

Rather than using `tls.LoadX509KeyPair` or something similar (which decodes the certificate PEMs) on each `GetCertificate` call (i.e., every request), we instead do this on the reloading of the cert and key into the `Provider` struct. This means that CPU is saved because by the time it is being used by `GetCertificate` the certificate and key are already parsed into a format that the TLS Config can use straight away.

I have put this PR as WIP for now. I think it is worth spending some time explaining the changes made and making sure that everyone is happy with them. I have also written some functionality to hot reload the Gatekeeper `ClientCA` certificate, but I want to first validate that it is "safe" as it makes use of the `VerifyPeerCertificate` which customises the TLS handshake flow on the server side.
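An added example, not the PR's or the Gatekeeper project's own code, of the design described above: the PEM pair is parsed once on reload, the result stays in memory, and the `tls.Config` `GetCertificate` callback hands back the cached `*tls.Certificate` on every handshake. `Provider`, `Reload`, `GetCertificate` and `SelfSignedPEM` are hypothetical names; the file watcher is assumed to call `Reload` on a write event and is omitted, and a failed parse keeps the previous certificate so a partially written file does not take the server down.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"sync/atomic"
	"time"
)

// Provider keeps the parsed tls.Certificate in memory (hypothetical name, not Gatekeeper's own code).
type Provider struct{ cert atomic.Pointer[tls.Certificate] }

// Reload is what a watcher would call on a write event: parse once, swap only on success.
func (p *Provider) Reload(certPEM, keyPEM []byte) error {
	c, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err // keep serving the previous certificate
	}
	p.cert.Store(&c)
	return nil
}

// GetCertificate is the tls.Config callback; each handshake just returns the cached pointer.
func (p *Provider) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c := p.cert.Load(); c != nil {
		return c, nil
	}
	return nil, errors.New("tls: no certificate loaded yet")
}

// SelfSignedPEM builds a throwaway cert/key pair in memory (constructed input for the demo).
func SelfSignedPEM(cn string) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kb, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb}), nil
}
```

Wiring it in is `&tls.Config{GetCertificate: p.GetCertificate}`; the handshake path then does no PEM decoding at all.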