pkg/transport: reload TLS certificates for every use

This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576
gyuho · Apr 26, 2017 · 40cae65 · 40cae65
1 parent 633a0a8
commit 40cae65
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
@@ -162,16 +162,26 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 		return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile)
 	}
 
-	tlsCert, err := tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
-	if err != nil {
-		return nil, err
+	cfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		ServerName: info.ServerName,
 	}
 
-	cfg := &tls.Config{
-		Certificates: []tls.Certificate{*tlsCert},
-		MinVersion:   tls.VersionTLS12,
-		ServerName:   info.ServerName,
+	cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (
+		*tls.Certificate, error) {
+
+		// Load the certificate from disk every time so when it is replaced we
+		// will be using the latest version
+		return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+	}
+	cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (
+		*tls.Certificate, error) {
+
+		// Load the certificate from disk every time so when it is replaced we
+		// will be using the latest version
+		return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
 	}
+
 	return cfg, nil
 }