Merge pull request #414 from Nordix/tls-cert-hot-reload-pr-for-upstream

Implement hot-reload for TLS client certificate
prometheus-community · Jun 4, 2021 · a676d71 · a676d71
2 parents 23ad1e7 + 1629eda
commit a676d71
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/tls.go b/tls.go
@@ -35,12 +35,17 @@ func createTLSConfig(pemFile, pemCertFile, pemPrivateKeyFile string, insecureSki
 		tlsConfig.RootCAs = rootCerts
 	}
 	if len(pemCertFile) > 0 && len(pemPrivateKeyFile) > 0 {
-		clientPrivateKey, err := loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		// Load files once to catch configuration error early.
+		_, err := loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
 		if err != nil {
 			log.Fatalf("Couldn't setup client authentication. Got %s.", err)
 			return nil
 		}
-		tlsConfig.Certificates = []tls.Certificate{*clientPrivateKey}
+		// Define a function to load certificate and key lazily at TLS handshake to
+		// ensure that the latest files are used in case they have been rotated.
+		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		}
 	}
 	return &tlsConfig
 }