fixups from code review

command/agent/agent.go

@@ -730,10 +730,11 @@ func (a *Agent) Reload(newConfig *Config) error {
 	if a.config != nil && newConfig.TLSConfig != nil {
 
 		// If the agent is already running with TLS enabled, we need to only reload
-		// its certificates. In a later PR, we will introduce the ability to reload
+		// its certificates.
+		// TODO(chelseakomlo) In a later PR, we will introduce the ability to reload
 		// TLS configuration if the agent is not running with TLS enabled.
 		if a.config.TLSConfig != nil {
-			return a.config.SetTLSConfig(newConfig.TLSConfig)
+			return a.config.UpdateTLSConfig(newConfig.TLSConfig)
 		}
 	}
 

command/agent/config.go

@@ -328,12 +328,12 @@ type ServerConfig struct {
 	EncryptKey string `mapstructure:"encrypt" json:"-"`
 }
 
-// SetTLSConfig will reload an agent's TLS configuration. If there is an error
+// UpdateTLSConfig will reload an agent's TLS configuration. If there is an error
 // while loading key and certificate files, the agent will remain at its
 // current configuration and return an error.
 // This only allows reloading the certificate and keyfile- other TLSConfig
 // fields are ignored.
-func (c *Config) SetTLSConfig(newConfig *config.TLSConfig) error {
+func (c *Config) UpdateTLSConfig(newConfig *config.TLSConfig) error {
 	if c.TLSConfig == nil {
 		return fmt.Errorf("unable to update non-existing TLSConfig")
 	}

nomad/structs/config/tls.go

@@ -8,6 +8,7 @@ import (
 
 // TLSConfig provides TLS related configuration
 type TLSConfig struct {
+	configLock sync.Mutex
 
 	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
 	EnableHTTP bool `mapstructure:"http"`
@@ -80,7 +81,9 @@ func (k *KeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certifica
 func (t *TLSConfig) GetKeyLoader() *KeyLoader {
 	// If the keyloader has not yet been initialized, do it here
 	if t.KeyLoader == nil {
+		t.configLock.Lock()
 		t.KeyLoader = &KeyLoader{}
+		t.configLock.Unlock()
 	}
 	return t.KeyLoader
 }