fix: ensure certificate gets updated on reload (#12076)

* fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.settings.Certificate` is used. It's still a bit of a mystery to me as to why the reloading of the server does not work for this, since it should fulfill the same function. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com> * fix: remove break from cert changes With 3553ef8, there's no longer any need to break out of the loop. The webhook reloading logic needs another look (since it likely no longer works), but can be handled in another PR. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com> --------- Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
argoproj · Mar 2, 2023 · 3f5b396 · 3f5b396
1 parent 58bb6ad
commit 3f5b396
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/server/server.go b/server/server.go
@@ -463,8 +463,9 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 
 		// If not matched, we assume that its TLS.
 		tlsl := tcpm.Match(cmux.Any())
-		tlsConfig := tls.Config{
-			Certificates: []tls.Certificate{*a.settings.Certificate},
+		tlsConfig := tls.Config{}
+		tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return a.settings.Certificate, nil
 		}
 		if a.TLSConfigCustomizer != nil {
 			a.TLSConfigCustomizer(&tlsConfig)
@@ -607,8 +608,8 @@ func (a *ArgoCDServer) watchSettings() {
 				newCert, newCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
 			}
 			if newCert != prevCert || newCertKey != prevCertKey {
-				log.Infof("tls certificate modified. restarting")
-				break
+				log.Infof("tls certificate modified. reloading certificate")
+				// No need to break out of this loop since TlsConfig.GetCertificate will automagically reload the cert.
 			}
 		}
 	}