Implement hot-reload for TLS client certificate

Signed-off-by: Tero Saarni <[email protected]>

Author: tsaarni

tls.go

@@ -22,12 +22,17 @@ func createTLSConfig(pemFile, pemCertFile, pemPrivateKeyFile string, insecureSki
 		tlsConfig.RootCAs = rootCerts
 	}
 	if len(pemCertFile) > 0 && len(pemPrivateKeyFile) > 0 {
-		clientPrivateKey, err := loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		// Load files once to catch configuration error early.
+		_, err := loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
 		if err != nil {
 			log.Fatalf("Couldn't setup client authentication. Got %s.", err)
 			return nil
 		}
-		tlsConfig.Certificates = []tls.Certificate{*clientPrivateKey}
+		// Define a function to load certificate and key lazily at TLS handshake to
+		// ensure that the latest files are used in case they have been rotated.
+		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		}
 	}
 	return &tlsConfig
 }