From 4e21f87e3d014d606bb3ba2a89731a7d24806611 Mon Sep 17 00:00:00 2001
From: Tony Grosinger
Date: Thu, 20 Apr 2017 08:04:18 -0700
Subject: [PATCH] pkg/transport: reload TLS certificates for every client requests
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd.
Fixes #7576
Cherry-picked by Gyu-Ho Lee
Original commit can be found at https://github.com/coreos/etcd/pull/7784
---
pkg/transport/listener.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
index e024f3c6bf4..76b36d94428 100644
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -172,6 +172,14 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 MinVersion: tls.VersionTLS12,
 ServerName: info.ServerName,
 }
+ // this only reloads certs when there's a client request
+ // TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
+ cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+ return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+ }
+ cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+ return tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
+ }
 return cfg, nil
 }
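Review bot: On the server side Go's crypto/tls only consults cfg.GetCertificate when cfg.Certificates is empty or the ClientHello carries a server name, so if ServerConfig or another caller outside this hunk still populates cfg.Certificates from the startup certificate, SNI-less peers will keep being served the old certificate after a rotation; that static assignment should be removed rather than left beside the new callback. Both callbacks also read and parse the PEM files on every handshake, which any unauthenticated peer can trigger, and the inline TODO already concedes caching is missing — a stat of CertFile/KeyFile and a compare against the last-seen mtime before calling tlsutil.NewCert would bound that cost. A failed reload is only surfaced to the peer as a handshake failure, so logging the error returned by tlsutil.NewCert before returning it would make a half-written or mismatched cert/key pair during a non-atomic rotation diagnosable. The comment should also tell operators what the reload requires, e.g. `// NOTE: cert and key must be replaced atomically (write then rename); a mismatched pair fails every handshake until both files agree`. The enclosing baseConfig starts before this hunk, and tls.Config.GetClientCertificate only exists from Go 1.8, which is worth stating in the TODO if this branch still builds with older toolchains.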