[minor] Add cert refresh

config/config.go

@@ -89,6 +89,9 @@ type TLS struct {
 
 	// CAPath represents the CA certificate chain file path for verifying client certificates.
 	CAPath string `yaml:"caPath"`
+
+	// CertRefreshPeriod represents the duration to read the server certificate again.
+	CertRefreshPeriod string `yaml:"certRefreshPeriod"`
 }
 
 // HealthCheck represents the health check server configuration.

config/config_test.go

@@ -84,10 +84,11 @@ func TestNew(t *testing.T) {
 					ShutdownTimeout: "10s",
 					ShutdownDelay:   "9s",
 					TLS: TLS{
-						Enable:   true,
-						CertPath: "test/data/dummyServer.crt",
-						KeyPath:  "test/data/dummyServer.key",
-						CAPath:   "test/data/dummyCa.pem",
+						Enable:            true,
+						CertPath:          "test/data/dummyServer.crt",
+						KeyPath:           "test/data/dummyServer.key",
+						CAPath:            "test/data/dummyCa.pem",
+						CertRefreshPeriod: "24h",
 					},
 					HealthCheck: HealthCheck{
 						Port:     6082,

service/option.go

@@ -1,6 +1,7 @@
 package service
 
 import (
+	"crypto/tls"
 	"io"
 	"net/http"
 
@@ -39,6 +40,13 @@ func WithGRPCCloser(c io.Closer) Option {
 	}
 }
 
+// WithTLSConfig returns a TLS Config functional option
+func WithTLSConfig(t *tls.Config) Option {
+	return func(s *server) {
+		s.tlsConfig = t
+	}
+}
+
 // WithGRPCServer returns a gRPC Server functional option
 func WithGRPCServer(srv *grpc.Server) Option {
 	return func(s *server) {

service/option_test.go

@@ -1,6 +1,7 @@
 package service
 
 import (
+	"crypto/tls"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -206,6 +207,42 @@ func TestWithGRPCServer(t *testing.T) {
 	}
 }
 
+func TestWithTLSConfig(t *testing.T) {
+	type args struct {
+		t *tls.Config
+	}
+	tests := []struct {
+		name      string
+		args      args
+		checkFunc func(Option) error
+	}{
+		{
+			name: "set success",
+			args: args{
+				t: &tls.Config{
+					MinVersion: tls.VersionTLS12,
+				},
+			},
+			checkFunc: func(o Option) error {
+				srv := &server{}
+				o(srv)
+				if srv.tlsConfig.MinVersion != tls.VersionTLS12 {
+					return errors.New("value cannot set")
+				}
+				return nil
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := WithTLSConfig(tt.args.t)
+			if err := tt.checkFunc(got); err != nil {
+				t.Errorf("WithTLSConfig() error = %v", err)
+			}
+		})
+	}
+}
+
 func TestWithDebugHandler(t *testing.T) {
 	type args struct {
 		h http.Handler

service/server.go

@@ -18,6 +18,7 @@ package service
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"net"
@@ -51,6 +52,8 @@ type server struct {
 	grpcSrvRunning bool
 	grpcCloser     io.Closer
 
+	tlsConfig *tls.Config
+
 	// Health Check server
 	hcsrv     *http.Server
 	hcRunning bool
@@ -100,19 +103,18 @@ func NewServer(opts ...Option) (Server, error) {
 		o(s)
 	}
 
+	if s.cfg.TLS.Enable && s.tlsConfig == nil {
+		return nil, errors.New("s.cfg.TLS.Enable is true, but s.tlsConfig is nil.")
+	}
+
 	if s.grpcSrvEnable() {
 		gopts := []grpc.ServerOption{
 			grpc.CustomCodec(proxy.Codec()),
 			grpc.UnknownServiceHandler(s.grpcHandler),
 		}
 
 		if s.cfg.TLS.Enable {
-			cfg, err := NewTLSConfig(s.cfg.TLS)
-			if err != nil {
-				return nil, err
-			}
-
-			gopts = append(gopts, grpc.Creds(credentials.NewTLS(cfg)))
+			gopts = append(gopts, grpc.Creds(credentials.NewTLS(s.tlsConfig)))
 		}
 
 		s.grpcSrv = grpc.NewServer(gopts...)
@@ -122,6 +124,9 @@ func NewServer(opts ...Option) (Server, error) {
 			Handler: s.srvHandler,
 		}
 		s.srv.SetKeepAlivesEnabled(true)
+		if s.cfg.TLS.Enable {
+			s.srv.TLSConfig = s.tlsConfig
+		}
 	}
 
 	if s.hcSrvEnable() {
@@ -394,13 +399,6 @@ func (s *server) listenAndServeAPI() error {
 		return s.srv.ListenAndServe()
 	}
 
-	cfg, err := NewTLSConfig(s.cfg.TLS)
-	if err == nil && cfg != nil {
-		s.srv.TLSConfig = cfg
-	}
-	if err != nil {
-		glg.Error(errors.Wrap(err, "cannot NewTLSConfig(s.cfg.TLS)"))
-	}
 	return s.srv.ListenAndServeTLS("", "")
 }