Reload serving certs

openshift · Feb 11, 2020 · f9d15a9 · f9d15a9
1 parent 52dc5bb
commit f9d15a9
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/http.go b/http.go
@@ -1,13 +1,16 @@
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"log"
 	"net"
 	"net/http"
 	"strings"
 	"time"
 
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+
 	oscrypto "github.com/openshift/library-go/pkg/crypto"
 
 	"github.com/openshift/oauth-proxy/util"
@@ -75,11 +78,19 @@ func (s *Server) ServeHTTPS() {
 	}
 
 	var err error
-	config.Certificates = make([]tls.Certificate, 1)
-	config.Certificates[0], err = tls.LoadX509KeyPair(s.Opts.TLSCertFile, s.Opts.TLSKeyFile)
+	servingCertProvider, err := dynamiccertificates.NewDynamicServingContentFromFiles("serving", s.Opts.TLSCertFile, s.Opts.TLSKeyFile)
 	if err != nil {
 		log.Fatalf("FATAL: loading tls config (%s, %s) failed - %s", s.Opts.TLSCertFile, s.Opts.TLSKeyFile, err)
 	}
+	go servingCertProvider.Run(1, context.TODO().Done())
+
+	config.GetCertificate = func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		// this disregards information from ClientHello but we're not doing SNI anyway
+		cert, key := servingCertProvider.CurrentCertKeyContent()
+
+		certKeyPair, err := tls.X509KeyPair(cert, key)
+		return &certKeyPair, err
+	}
 
 	if len(s.Opts.TLSClientCAFile) > 0 {
 		config.ClientAuth = tls.RequestClientCert