
Commit 99ff9c0

committed
Reload TLS key pair on HUP signal
1 parent e040d84 commit 99ff9c0

3 files changed

+34
-0
lines changed


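--- a/internal/service/security/tls.go
+++ b/internal/service/security/tls.go
@@ -38,6 +38,20 @@ func NewKeyPairReloader(certPath, keyPath string) (*KeyPairReloader, error) {
 	return res, nil
 }
 
+// Reload attempts to reload the TLS key pair.
+func (kpr *KeyPairReloader) Reload() error {
+	cert, err := tls.LoadX509KeyPair(kpr.certPath, kpr.keyPath)
+	if err != nil {
+		return err
+	}
+
+	kpr.certMu.Lock()
+	defer kpr.certMu.Unlock()
+
+	kpr.cert = &cert
+	return nil
+}
+
 // GetCertificateFunc provides a function for tls.Config.GetCertificate.
 func (kpr *KeyPairReloader) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {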
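Review bot: The doc comment on Reload (new line 41) leaves out the one property an operator cares about, namely that a failed reload never swaps the certificate: the load and key/cert match check in tls.LoadX509KeyPair happen before the lock is taken, so on error the previously installed pair stays in service. I would make that explicit: `// Reload re-reads the key pair from the configured paths and installs it atomically; on error the previously loaded pair remains in use.` The error on new line 45 is also returned bare, so the caller's log line carries no context about which operation failed; `return fmt.Errorf("reloading TLS key pair: %w", err)` would help, assuming fmt is already imported in this file. GetCertificateFunc's body continues outside the hunk, so I cannot confirm from here that it reads kpr.cert under the same certMu; please verify, since the swap on new line 51 is only race-free if every reader takes the lock.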

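--- a/internal/service/service.go
+++ b/internal/service/service.go
@@ -112,6 +112,11 @@ func (s *Service) SetTLSEnabled() {
 	s.enableTLS = true
 }
 
+// TLSEnabled return true if TLS is enabled for the service.
+func (s *Service) TLSEnabled() bool {
+	return s.enableTLS
+}
+
 // SetTLSKeyPair sets the TLS key pair for the service.
 func (s *Service) SetTLSKeyPair(certPath, keyPath string) error {
 	if certPath == "" {
@@ -132,6 +137,11 @@ func (s *Service) SetTLSKeyPair(certPath, keyPath string) error {
 	return nil
 }
 
+// ReloadTLSKeyPair attempts to reload the configured TLS certificate key pair.
+func (s *Service) ReloadTLSKeyPair() error {
+	return s.kpr.Reload()
+}
+
 // SetTLSMinVersion sets the minimum support TLS version, such as "v1.3".
 func (s *Service) SetTLSMinVersion(ver string) (err error) {
 	s.tlsMinVersion, err = security.GetTLSVersion(ver)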
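Review bot: ReloadTLSKeyPair (new line 142) dereferences s.kpr unconditionally, and the only guard the HUP handler applies is TLSEnabled(), which is a separate flag set by SetTLSEnabled; if a caller enables TLS without a successful SetTLSKeyPair, or SetTLSKeyPair's body (partly outside this hunk) leaves s.kpr nil on error, a HUP would panic inside the signal goroutine and take the service down. A nil check turns that into a logged failure: `if s.kpr == nil { return errors.New("no TLS key pair configured") }` before the Reload call, assuming errors is imported. Minor wording on new line 115: `// TLSEnabled returns true if TLS is enabled for the service.` (returns, not return).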

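--- a/signals.go
+++ b/signals.go
@@ -37,6 +37,16 @@ func watchForSignals(svc *service.Service) {
 			log.Println("caught HUP signal")
 			reloadAllHooks()
 
+			if svc.TLSEnabled() {
+				log.Println("attempting to reload TLS key pair")
+				err := svc.ReloadTLSKeyPair()
+				if err != nil {
+					log.Printf("failed to reload TLS key pair: %s\n", err)
+				} else {
+					log.Println("successfully reloaded TLS key pair")
+				}
+			}
+
 		case os.Interrupt, syscall.SIGTERM:
 			log.Printf("caught %s signal; exiting\n", sig)
 			err := svc.DeletePIDFile()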
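Review bot: The error on new lines 42-43 is declared a line before it is tested, where the idiomatic scoped form keeps it out of the surrounding case body: `if err := svc.ReloadTLSKeyPair(); err != nil {`. The handler deliberately keeps running after a failed reload, so the old pair stays in service; a short comment saying so, e.g. `// a failed reload keeps serving the previously loaded pair`, would tell the next reader that continuing is intentional rather than an oversight, assuming that is indeed the Reload contract. watchForSignals starts before this hunk and the enclosing switch continues past it.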
