pkg/transport: reload TLS certificates for every client requests

This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes #7576 Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com> Original commit can be found at #7784
etcd-io · Apr 27, 2017 · 4e21f87 · 4e21f87
1 parent c309d74
commit 4e21f87
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
@@ -172,6 +172,14 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 		MinVersion:   tls.VersionTLS12,
 		ServerName:   info.ServerName,
 	}
+	// this only reloads certs when there's a client request
+	// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
+	cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+	}
+	cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+		return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+	}
 	return cfg, nil
 }