// Package fswatcher implements the Certinel interface by watching for filesystem
// change events using the cross-platform fsnotify package.
//
// This implementation watches the directory of the configured certificate rather than
// the file itself, so that replacements and symlink updates are noticed. This allows
// fswatcher to be used within Kubernetes, watching a certificate that is updated
// through a mounted ConfigMap or Secret.
package fswatcher
import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"path/filepath"
	"sync/atomic"

	"github.com/fsnotify/fsnotify"
)
// Sentinel watches for filesystem change events that affect the watched
// certificate and hands the most recently loaded key pair to crypto/tls.
type Sentinel struct {
	// certPath and keyPath are the file paths given to New, stored as
	// supplied; Start cleans certPath before watching its parent directory.
	certPath string
	keyPath  string

	// certificate holds a *tls.Certificate. It is published with Store after
	// a successful load and read with Load by the Get* callbacks, so a
	// reload is visible to concurrent handshakes without a lock.
	certificate atomic.Value
}
// fsCreateOrWriteOpMask selects the fsnotify operations that count as the
// certificate file being written or (re)created. Only these operations make
// eventCreatesOrWritesPath true; other changes (for example a swapped symlink
// target) are detected separately via symlinkModified.
const fsCreateOrWriteOpMask fsnotify.Op = fsnotify.Create | fsnotify.Write
// New returns a Sentinel for the certificate and private key files at cert
// and key. The key pair is loaded immediately so that a bad path or an
// unparsable pair fails here rather than at the first TLS handshake; call
// Start to begin reloading the pair on filesystem changes.
func New(cert, key string) (*Sentinel, error) {
	s := &Sentinel{certPath: cert, keyPath: key}
	err := s.loadCertificate()
	if err != nil {
		return nil, fmt.Errorf("unable to load initial certificate: %w", err)
	}
	return s, nil
}
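// Start watches the directory containing the certificate and reloads the key
// pair whenever the certificate file is created or written, or whenever the
// path the certificate resolves to through symlinks changes (as happens when
// Kubernetes swaps the ..data symlink of a mounted Secret or ConfigMap).
//
// Start blocks until ctx is cancelled, returning ctx.Err(), or until the
// watcher reports an error or a reload fails, returning that error. When a
// reload fails the previously loaded certificate stays in service, but no
// further changes are observed until Start is called again. The watcher is
// closed when Start returns.
func (w *Sentinel) Start(ctx context.Context) error {
	watcher, err := fsnotify.NewWatcher()
	if err != nil {
		return fmt.Errorf("unable to create watcher: %w", err)
	}
	defer watcher.Close()

	certPath := filepath.Clean(w.certPath)
	// Watch the directory rather than the file: a watch on the file itself
	// is lost when the file is replaced by rename or when a symlink target
	// is swapped, which is exactly the case this package exists to handle.
	certDir, _ := filepath.Split(certPath)
	// The resolution error is deliberately ignored. If the path cannot be
	// resolved yet, realCertPath is "" and symlinkModified reports the first
	// successful resolution as a change, which triggers a reload.
	realCertPath, _ := filepath.EvalSymlinks(certPath)
	if err := watcher.Add(certDir); err != nil {
		return fmt.Errorf("unable to watch certificate directory %q: %w", certDir, err)
	}

	for {
		select {
		case <-ctx.Done():
			return ctx.Err()
		case event, ok := <-watcher.Events:
			if !ok {
				// fsnotify closes Events when the watcher is closed; without
				// this check the loop would spin on zero-value events.
				return errors.New("watcher event channel closed")
			}
			// Portions of this case are inspired by spf13/viper's WatchConfig.
			// (c) 2014 Steve Francia. MIT Licensed.
			currentPath, err := filepath.EvalSymlinks(certPath)
			if err != nil {
				return err
			}
			if eventCreatesOrWritesPath(event, certPath) || symlinkModified(currentPath, realCertPath) {
				realCertPath = currentPath
				if err := w.loadCertificate(); err != nil {
					return err
				}
			}
		case err, ok := <-watcher.Errors:
			if !ok {
				// A closed Errors channel would otherwise read as a nil
				// error and make Start return success while nothing is
				// being watched.
				return errors.New("watcher error channel closed")
			}
			return err
		}
	}
}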
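// loadCertificate reads the key pair from certPath and keyPath, parses the
// leaf certificate, and atomically publishes the result for the Get*
// callbacks. The new pair is stored only after both steps succeed, so a
// half-written or mismatched replacement never evicts the working pair.
//
// It returns a wrapped error when the files cannot be read or do not form a
// valid key pair, or when the leaf certificate cannot be parsed.
func (w *Sentinel) loadCertificate() error {
	pair, err := tls.LoadX509KeyPair(w.certPath, w.keyPath)
	if err != nil {
		return fmt.Errorf("unable to load certificate: %w", err)
	}
	// LoadX509KeyPair fails when no certificate PEM block is present, so
	// Certificate[0] exists here. Populate Leaf so callers can inspect
	// expiry, names and key usage without re-parsing the DER.
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		// Distinct message from the load failure above so logs show which
		// step rejected the file.
		return fmt.Errorf("unable to parse leaf certificate: %w", err)
	}
	pair.Leaf = leaf
	w.certificate.Store(&pair)
	return nil
}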
// GetCertificate satisfies the tls.Config.GetCertificate callback. It returns
// the most recently loaded certificate for every ClientHelloInfo; chi is
// accepted only to match the callback signature. The error is always nil. A
// nil certificate is returned only if nothing has been loaded yet, which
// cannot happen for a Sentinel obtained from New.
func (w *Sentinel) GetCertificate(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if current, ok := w.certificate.Load().(*tls.Certificate); ok {
		return current, nil
	}
	return nil, nil
}
// GetClientCertificate satisfies the tls.Config.GetClientCertificate
// callback. It returns the most recently loaded certificate for every
// CertificateRequestInfo; cri is accepted only to match the signature.
// The error is always nil.
func (w *Sentinel) GetClientCertificate(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
	current, ok := w.certificate.Load().(*tls.Certificate)
	if !ok || current == nil {
		// crypto/tls requires a non-nil result from this callback; an empty
		// Certificate means "send no client certificate" rather than aborting
		// the handshake.
		return &tls.Certificate{}, nil
	}
	return current, nil
}
// eventCreatesOrWritesPath reports whether event is an fsnotify.Create or
// fsnotify.Write for the file at path. path is expected to be already
// cleaned; event.Name is cleaned before comparison.
func eventCreatesOrWritesPath(event fsnotify.Event, path string) bool {
	if event.Op&fsCreateOrWriteOpMask == 0 {
		return false
	}
	return filepath.Clean(event.Name) == path
}
// symlinkModified reports whether the currently resolved path cur differs
// from the previously resolved path prev. An empty cur (no resolution
// available) never counts as a modification.
func symlinkModified(cur, prev string) bool {
	if cur == "" {
		return false
	}
	return cur != prev
}