Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Certificate Hot Reloading #24

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

ChaosInTheCRD
Copy link

What this PR does / why we need it:
This PR adds a Provider struct in order to hold the TLS certificate and private key in memory, as well as some watchers.

The watchers are responsible for watching for file events (e.g., file write) and executes a set of actions when those events are noticed. Two watchers have been created that have actionst to refresh the TLS certificate and key respectively when the files change. These are then used by the GetCertificate function in the servers tls.Config on every request.

Rather than using tls.LoadX509KeyPair or something similar (which decodes the certificate PEMs) on each GetCertificate call (i.e., every request), we instead do this on the reloading of the cert and key into the Provider struct. This means that CPU is saved because by the time it is being used by GetCertificate the certificate and key are already parsed into a format that the TLS Config can use straight away.

I have put this PR as WIP for now. I think it is worth spending some time explaining the changes made and making sure that everyone is happy with them. I have also written some functionality to hot reload the Gatekeeper ClientCA certificate, but I want to first validate that it is "safe" as it makes use of the VerifyPeerCertificate which customises the TLS handshake flow on the server side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant