Skip to content

Add ability to force cert regeneration #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
briandowns merged 5 commits into from
Nov 15, 2021
Merged

Add ability to force cert regeneration #43

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
38b95ad
add ability to force cert regeneration
briandowns Oct 26, 2021
c32129b
check if function not nil
briandowns Oct 26, 2021
c60fd2c
add comment
briandowns Oct 28, 2021
47e116e
update implementation
briandowns Nov 12, 2021
e18c780
update implementation
briandowns Nov 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions factory/gen.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,12 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
return t.generateCert(secret, cn...)
}

func (t *TLS) Regenerate(secret *v1.Secret) (*v1.Secret, error) {
cns := cns(secret)
secret, _, err := t.generateCert(nil, cns...)
return secret, err
}

func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
secret = secret.DeepCopy()
if secret == nil {
Expand Down
33 changes: 33 additions & 0 deletions listener.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ type TLSFactory interface {
AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error)
Merge(target *v1.Secret, additional *v1.Secret) (*v1.Secret, bool, error)
Filter(cn ...string) []string
Regenerate(secret *v1.Secret) (*v1.Secret, error)
}

type SetFactory interface {
Expand Down Expand Up @@ -74,11 +75,18 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
setter.SetFactory(dynamicListener.factory)
}

if config.RegenerateCerts != nil && config.RegenerateCerts() {
if err := dynamicListener.regenerateCerts(); err != nil {
return nil, nil, err
}
}

if config.ExpirationDaysCheck == 0 {
config.ExpirationDaysCheck = 30
}

tlsListener := tls.NewListener(dynamicListener.WrapExpiration(config.ExpirationDaysCheck), dynamicListener.tlsConfig)

return tlsListener, dynamicListener.cacheHandler(), nil
}

Expand Down Expand Up @@ -129,6 +137,7 @@ type Config struct {
MaxSANs int
ExpirationDaysCheck int
CloseConnOnCertChange bool
RegenerateCerts func() bool
FilterCN func(...string) []string
}

Expand Down Expand Up @@ -180,6 +189,30 @@ func (l *listener) WrapExpiration(days int) net.Listener {
}
}

// regenerateCerts regenerates the used certificates and
// updates the secret.
func (l *listener) regenerateCerts() error {
l.Lock()
defer l.Unlock()

secret, err := l.storage.Get()
if err != nil {
return err
}

newSecret, err := l.factory.Regenerate(secret)
if err != nil {
return err
}
if err := l.storage.Update(newSecret); err != nil {
return err
}
// clear version to force cert reload
l.version = ""

return nil
}

func (l *listener) checkExpiration(days int) error {
l.Lock()
defer l.Unlock()
Expand Down