Skip to content

Commit

Permalink
added certificate reload logic changes
Browse files Browse the repository at this point in the history
  • Loading branch information
ashutosji committed Nov 15, 2023
1 parent 84a072f commit e58b9d5
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 40 deletions.
56 changes: 18 additions & 38 deletions cmd/controller/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ import (
)

const (
certDir = "/certs/"
tlsDir = "/home/agones/certs/"
)

const (
Expand Down Expand Up @@ -173,7 +173,21 @@ func main() {
}
// https server and the items that share the Mux for routing
httpsServer := https.NewServer(ctlConf.CertFile, ctlConf.KeyFile)
watchCertsDirectory(httpsServer, logger)

cancelTLS, err := fswatch.Watch(logger, tlsDir, time.Second, func() {
tlsCert, err := readTLSCert()
if err != nil {
logger.WithError(err).Error("could not load TLS certs; keeping old one")
return
}
httpsServer.SetCertificate(tlsCert)
logger.Info("TLS certs updated")
})
if err != nil {
logger.WithError(err).Fatal("could not create watcher for TLS certs")
}
defer cancelTLS()

wh := webhooks.NewWebHook(httpsServer.Mux)
api := apiserver.NewAPIServer(httpsServer.Mux)

Expand Down Expand Up @@ -269,42 +283,8 @@ func main() {
})
}

func watchCertsDirectory(httpsServer *https.Server, logger *logrus.Entry) {
cancel, err := fswatch.Watch(logger, certDir, time.Second*5, func() {
logger.Info("Certificate files changed. Reloading...")

newCert, err := readCertFile()
if err != nil {
logger.WithError(err).Error("Failed to reload certificates")
return
}

// Create a new http.Server with the updated TLS configuration
newHTTPServer := &http.Server{
Addr: ":8081",
Handler: httpsServer.Mux,
}
newHTTPServer.TLSConfig = &tls.Config{
Certificates: []tls.Certificate{*newCert},
}

// Update the TLS configuration
go func() {
if err := newHTTPServer.ListenAndServeTLS("", ""); err != nil {
logger.WithError(err).Error("Failed to update TLS configuration")
}
}()
logger.Info("Certificates reloaded.")
})
defer cancel()

if err != nil {
logger.WithError(err).Error("Failed to set up certificate watch")
}
}

func readCertFile() (*tls.Certificate, error) {
tlsCert, err := tls.LoadX509KeyPair(certDir+"tls.crt", certDir+"tls.key")
func readTLSCert() (*tls.Certificate, error) {
tlsCert, err := tls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
if err != nil {
return nil, err
}
Expand Down
29 changes: 29 additions & 0 deletions cmd/extensions/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package main

import (
"context"
"crypto/tls"
"io"
"net/http"
"os"
Expand All @@ -35,6 +36,7 @@ import (
"agones.dev/agones/pkg/gameserversets"
"agones.dev/agones/pkg/metrics"
"agones.dev/agones/pkg/util/apiserver"
"agones.dev/agones/pkg/util/fswatch"
"agones.dev/agones/pkg/util/https"
"agones.dev/agones/pkg/util/runtime"
"agones.dev/agones/pkg/util/signals"
Expand All @@ -51,6 +53,10 @@ import (
"k8s.io/client-go/tools/clientcmd"
)

const (
tlsDir = "/home/agones/certs/"
)

const (
enableStackdriverMetricsFlag = "stackdriver-exporter"
stackdriverLabels = "stackdriver-labels"
Expand Down Expand Up @@ -139,6 +145,21 @@ func main() {
}
// https server and the items that share the Mux for routing
httpsServer := https.NewServer(ctlConf.CertFile, ctlConf.KeyFile)

cancelTLS, err := fswatch.Watch(logger, tlsDir, time.Second, func() {
tlsCert, err := readTLSCert()
if err != nil {
logger.WithError(err).Error("could not load TLS certs; keeping old one")
return
}
httpsServer.SetCertificate(tlsCert)
logger.Info("TLS certs updated")
})
if err != nil {
logger.WithError(err).Fatal("could not create watcher for TLS certs")
}
defer cancelTLS()

wh := webhooks.NewWebHook(httpsServer.Mux)
api := apiserver.NewAPIServer(httpsServer.Mux)

Expand Down Expand Up @@ -221,6 +242,14 @@ func main() {
logger.Info("Shut down agones extensions")
}

func readTLSCert() (*tls.Certificate, error) {
tlsCert, err := tls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
if err != nil {
return nil, err
}
return &tlsCert, nil
}

func parseEnvFlags() config {
exec, err := os.Executable()
if err != nil {
Expand Down
15 changes: 13 additions & 2 deletions pkg/util/https/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,15 +16,17 @@ package https

import (
"context"
"crypto/tls"
"net/http"
"sync"

"agones.dev/agones/pkg/util/runtime"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)

// tls is a http server interface to enable easier testing
type tls interface {
type testTLS interface {
Close() error
ListenAndServeTLS(certFile, keyFile string) error
}
Expand All @@ -35,7 +37,9 @@ type tls interface {
type Server struct {
logger *logrus.Entry
Mux *http.ServeMux
tls tls
tls testTLS
certMu sync.RWMutex
cert *tls.Certificate
certFile string
keyFile string
}
Expand All @@ -53,13 +57,20 @@ func NewServer(certFile, keyFile string) *Server {
tls: tls,
certFile: certFile,
keyFile: keyFile,
cert: nil,
}
wh.Mux.HandleFunc("/", wh.defaultHandler)
wh.logger = runtime.NewLoggerWithType(wh)

return wh
}

func (s *Server) SetCertificate(cert *tls.Certificate) {
s.certMu.Lock()
defer s.certMu.Unlock()
s.cert = cert
}

// Run runs the webhook server, starting a https listener.
// Will close the http server on stop channel close.
func (s *Server) Run(ctx context.Context, _ int) error {
Expand Down

0 comments on commit e58b9d5

Please sign in to comment.