From 38b95ad3d9476a379501a78f220ddd2f5e14a6f6 Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Tue, 26 Oct 2021 11:13:00 -0700 Subject: [PATCH 1/5] add ability to force cert regeneration Signed-off-by: Brian Downs --- listener.go | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/listener.go b/listener.go index bd310ee..8a0d000 100644 --- a/listener.go +++ b/listener.go @@ -74,11 +74,18 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c setter.SetFactory(dynamicListener.factory) } + if config.RegenerateCerts() { + if err := dynamicListener.regenerateCerts(); err != nil { + return nil, nil, err + } + } + if config.ExpirationDaysCheck == 0 { config.ExpirationDaysCheck = 30 } tlsListener := tls.NewListener(dynamicListener.WrapExpiration(config.ExpirationDaysCheck), dynamicListener.tlsConfig) + return tlsListener, dynamicListener.cacheHandler(), nil } @@ -129,6 +136,7 @@ type Config struct { MaxSANs int ExpirationDaysCheck int CloseConnOnCertChange bool + RegenerateCerts func() bool FilterCN func(...string) []string } @@ -180,6 +188,29 @@ func (l *listener) WrapExpiration(days int) net.Listener { } } +// regenerateCerts regenerates the used certificates and +// updates the secret. +func (l *listener) regenerateCerts() error { + l.Lock() + defer l.Unlock() + + secret, err := l.storage.Get() + if err != nil { + return err + } + + newSecret, err := l.factory.Renew(secret) + if err != nil { + return err + } + if err := l.storage.Update(newSecret); err != nil { + return err + } + l.version = "" + + return nil +} + func (l *listener) checkExpiration(days int) error { l.Lock() defer l.Unlock() From c32129be27c5a07688f6d7b5bbbcb0088769ad93 Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Tue, 26 Oct 2021 11:20:57 -0700 Subject: [PATCH 2/5] check if function not nil Signed-off-by: Brian Downs --- listener.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
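Review bot: The regeneration branch added to NewListener rewrites the stored certificate with no operator-visible record, yet a forced rotation is exactly the event incident responders need to correlate with clients that start failing on a certificate they had cached or pinned. Log at info level, before `dynamicListener.regenerateCerts()` is called, that regeneration was forced by `config.RegenerateCerts`, and follow the file's convention for the error path as well. The extra blank line added before `return tlsListener, dynamicListener.cacheHandler(), nil` is an unrelated whitespace change and could be dropped from this patch.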
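Review bot: `RegenerateCerts` is an exported Config field with no doc comment, and its type (`func() bool` rather than `bool`) leaves unclear when and how often it is evaluated. The NewListener hunk shows it is called exactly once, at construction, so document that, e.g. `// RegenerateCerts, when non-nil and returning true, forces the stored certificate to be regenerated when the listener is created.` If callers do not need lazy evaluation, a plain `bool` would remove the nil-function case altogether.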
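Review bot: `l.factory.Renew(secret)` is not among the TLSFactory methods visible on this page (AddCN, Merge, Filter in the later interface hunk), so unless Renew is declared on lines above that hunk's context this call does not satisfy the interface; the fourth and fifth patches of this series swap it for Regenerate, which suggests it never existed. The doc comment also claims more than the body does: the method writes the new secret to storage and clears `l.version`, but the tls.Config actually served is not replaced here, so the previous certificate presumably stays in use until whatever path checks the version reloads it. Say so, e.g. `// regenerateCerts stores a regenerated secret and clears the cached version so the served certificate is reloaded on the next check.`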
diff --git a/listener.go b/listener.go index 8a0d000..1bb62b3 100644 --- a/listener.go +++ b/listener.go @@ -74,7 +74,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c setter.SetFactory(dynamicListener.factory) } - if config.RegenerateCerts() { + if config.RegenerateCerts != nil && config.RegenerateCerts() { if err := dynamicListener.regenerateCerts(); err != nil { return nil, nil, err } From c60fd2c329b41870e9695348de7a40a93b3b14a8 Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Thu, 28 Oct 2021 09:39:23 -0700 Subject: [PATCH 3/5] add comment Signed-off-by: Brian Downs --- listener.go | 1 + 1 file changed, 1 insertion(+) diff --git a/listener.go b/listener.go index 1bb62b3..5ff73d6 100644 --- a/listener.go +++ b/listener.go @@ -206,6 +206,7 @@ func (l *listener) regenerateCerts() error { if err := l.storage.Update(newSecret); err != nil { return err } + // clear version to force cert reload l.version = "" return nil From 47e116ed3879c764a9a71800f5424587bb8588cd Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Thu, 11 Nov 2021 17:08:50 -0700 Subject: [PATCH 4/5] update implementation Signed-off-by: Brian Downs --- factory/gen.go | 5 +++++ listener.go | 8 ++------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/factory/gen.go b/factory/gen.go index 6922f51..93f64c9 100644 --- a/factory/gen.go +++ b/factory/gen.go @@ -119,6 +119,11 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) { return t.generateCert(secret, cn...) } +func (t *TLS) Regenerate() (*v1.Secret, error) { + sec, _, err := t.generateCert(nil) + return sec, err +} + func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) { secret = secret.DeepCopy() if secret == nil { diff --git a/listener.go b/listener.go index 5ff73d6..8f074d2 100644 --- a/listener.go +++ b/listener.go 
@@ -27,6 +27,7 @@ type TLSFactory interface { AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) Merge(target *v1.Secret, additional *v1.Secret) (*v1.Secret, bool, error) Filter(cn ...string) []string + Regenerate() (*v1.Secret, error) } type SetFactory interface { @@ -194,12 +195,7 @@ func (l *listener) regenerateCerts() error { l.Lock() defer l.Unlock() - secret, err := l.storage.Get() - if err != nil { - return err - } - - newSecret, err := l.factory.Renew(secret) + newSecret, err := l.factory.Regenerate() if err != nil { return err } From e18c7800e7a543048441b0a8534ca00e337aa8f0 Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Thu, 11 Nov 2021 17:15:27 -0700 Subject: [PATCH 5/5] update implementation Signed-off-by: Brian Downs --- factory/gen.go | 7 ++++--- listener.go | 9 +++++++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/factory/gen.go b/factory/gen.go index 93f64c9..dea742e 100644 --- a/factory/gen.go +++ b/factory/gen.go @@ -119,9 +119,10 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) { return t.generateCert(secret, cn...) } -func (t *TLS) Regenerate() (*v1.Secret, error) { - sec, _, err := t.generateCert(nil) - return sec, err +func (t *TLS) Regenerate(secret *v1.Secret) (*v1.Secret, error) { + cns := cns(secret) + secret, _, err := t.generateCert(nil, cns...) + return secret, err } func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) { diff --git a/listener.go b/listener.go index 8f074d2..be9e5ce 100644 --- a/listener.go +++ b/listener.go @@ -27,7 +27,7 @@ type TLSFactory interface { AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) Merge(target *v1.Secret, additional *v1.Secret) (*v1.Secret, bool, error) Filter(cn ...string) []string - Regenerate() (*v1.Secret, error) + Regenerate(secret *v1.Secret) (*v1.Secret, error) } type SetFactory interface { 
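Review bot: `Regenerate` is an exported method without a doc comment, and the matching `Regenerate(secret *v1.Secret)` line added to the TLSFactory interface in this patch's listener.go hunk has none either. The behaviour worth documenting is that `generateCert` is called with a nil secret, which per the visible `secret.DeepCopy()` / `if secret == nil` lines appears to start from a fresh secret rather than the caller's, so the existing key material is presumably not reused — e.g. `// Regenerate issues a new certificate for the SANs found in secret, starting from an empty secret rather than reusing its key material.` (confirm against the rest of generateCert before wording it that strongly). Reassigning the `secret` parameter on the second line also makes the function read as if it rewrote its input; `newSecret, _, err := t.generateCert(nil, cns...)` followed by `return newSecret, err` is clearer. Whether `cns` tolerates a nil secret is not visible here, and the listener passes whatever `storage.Get()` returns, so confirm or guard.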
@@ -195,7 +195,12 @@ func (l *listener) regenerateCerts() error { l.Lock() defer l.Unlock() - newSecret, err := l.factory.Regenerate() + secret, err := l.storage.Get() + if err != nil { + return err + } + + newSecret, err := l.factory.Regenerate(secret) if err != nil { return err }
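Review bot: `secret` from `l.storage.Get()` is passed straight to `Regenerate` with no nil check, and whether storage can return a nil secret alongside a nil error, or whether the factory's `cns` helper accepts one, is not visible on this page; confirm it or guard with `if secret == nil { return nil }` (nothing stored means nothing to regenerate, provided the normal creation path issues a certificate when none exists). The rest of regenerateCerts, including the `storage.Update` call and the `l.version = ""` reset, lies outside this hunk. Since Update replaces the stored key pair while the config being served is not swapped in this method, a one-line comment at the top stating that the served certificate is refreshed lazily, plus an info-level log that a forced regeneration occurred, would help whoever later debugs clients failing on a rotated certificate.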