Skip to content

Bug 1801573: Reload serving certs #152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-robot merged 1 commit into from
Feb 12, 2020
Merged

Bug 1801573: Reload serving certs #152

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,16 @@
package main

import (
"context"
"crypto/tls"
"log"
"net"
"net/http"
"strings"
"time"

"k8s.io/apiserver/pkg/server/dynamiccertificates"

oscrypto "github.com/openshift/library-go/pkg/crypto"

"github.com/openshift/oauth-proxy/util"
Expand Down Expand Up @@ -75,11 +78,19 @@ func (s *Server) ServeHTTPS() {
}

var err error
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(s.Opts.TLSCertFile, s.Opts.TLSKeyFile)
servingCertProvider, err := dynamiccertificates.NewDynamicServingContentFromFiles("serving", s.Opts.TLSCertFile, s.Opts.TLSKeyFile)
if err != nil {
log.Fatalf("FATAL: loading tls config (%s, %s) failed - %s", s.Opts.TLSCertFile, s.Opts.TLSKeyFile, err)
}
go servingCertProvider.Run(1, context.TODO().Done())

config.GetCertificate = func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
// this disregards information from ClientHello but we're not doing SNI anyway
cert, key := servingCertProvider.CurrentCertKeyContent()
Copy link

@s-urbaniak s-urbaniak Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: as this will be invoked with every TLS handshake, we are relying here on the underlying caching mechanism of the client implementation, correct?

Copy link
Author

@stlaz stlaz Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which client caching mechanisms do you have in mind? Does #152 (comment) answer your question?

Copy link

@s-urbaniak s-urbaniak Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds, good the above comment answers it.


certKeyPair, err := tls.X509KeyPair(cert, key)
Copy link

@s-urbaniak s-urbaniak Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note though that this will be executed at every TLS handshake so maybe we want some optimization here and return early if the certificate didn't change.

Copy link
Author

@stlaz stlaz Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code makes the certs refresh each minute, but this read is from memory, not from the files, this should be safe.

return &certKeyPair, err
}

if len(s.Opts.TLSClientCAFile) > 0 {
config.ClientAuth = tls.RequestClientCert
Expand Down