From 7ef9cebdce02798df2a9ed6ebeedf79221d39b28 Mon Sep 17 00:00:00 2001
From: Ashutosh Singh
Date: Thu, 28 Dec 2023 13:43:11 +0000
Subject: [PATCH] made changes in certificate handling

---
 cmd/extensions/main.go | 2 +-
 pkg/util/https/server.go | 71 +++++++++++++----------------------
 pkg/util/https/server_test.go | 2 +-
 3 files changed, 28 insertions(+), 47 deletions(-)

diff --git a/cmd/extensions/main.go b/cmd/extensions/main.go
index a7ed0e9e47..33c0411004 100644
--- a/cmd/extensions/main.go
+++ b/cmd/extensions/main.go
@@ -138,7 +138,7 @@ func main() {
 		logger.WithError(err).Fatal("Could not initialize cloud product")
 	}
 
 	// https server and the items that share the Mux for routing
-	httpsServer := https.NewServer(ctlConf.CertFile, ctlConf.KeyFile, logger)
+	httpsServer := https.NewServer(ctlConf.CertFile, ctlConf.KeyFile)
 	wh := webhooks.NewWebHook(httpsServer.Mux)
 	api := apiserver.NewAPIServer(httpsServer.Mux)
diff --git a/pkg/util/https/server.go b/pkg/util/https/server.go
index 2e0645e5cf..94bbfbabd9 100644
--- a/pkg/util/https/server.go
+++ b/pkg/util/https/server.go
@@ -16,12 +16,9 @@ package https
 
 import (
 	"context"
-	"crypto/tls"
+	cryptotls "crypto/tls"
 	"net/http"
-	"sync"
-	"time"
 
-	"agones.dev/agones/pkg/util/fswatch"
 	"agones.dev/agones/pkg/util/runtime"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -31,10 +28,8 @@ const (
 	tlsDir = "/certs/"
 )
 
-var tlsMutex sync.Mutex
-
 // tls is a http server interface to enable easier testing
-type testTLS interface {
+type tls interface {
 	Close() error
 	ListenAndServeTLS(certFile, keyFile string) error
 }
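Review bot: Naming the interface `tls` takes the identifier every Go reader expects to mean the crypto/tls package, which is exactly why this commit has to alias the import as `cryptotls` in the hunk above and rewrite every `tls.Config`/`tls.Certificate` reference in the following hunk. The previous name `testTLS`, or something like `tlsServer`, keeps the standard package name free and avoids the alias entirely: `type tlsServer interface {` with the matching field type in `Server`. As written the struct field becomes `tls tls`, which reads like a typo to the next maintainer.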
@@ -45,54 +40,48 @@ type testTLS interface {
 type Server struct {
 	logger *logrus.Entry
 	Mux *http.ServeMux
-	tls testTLS
+	tls tls
 	certFile string
 	keyFile string
 }
 
 // NewServer returns a Server instance.
-func NewServer(certFile, keyFile string, logger *logrus.Entry) *Server {
+func NewServer(certFile, keyFile string) *Server {
 	mux := http.NewServeMux()
-	tls_server := &http.Server{
-		Addr: ":8081",
-		Handler: mux,
-	}
-
-	go func() {
-		cancelTLS, err := fswatch.Watch(logger, tlsDir, time.Second, func() {
-			tlsCert, err := readTLSCert()
-			if err != nil {
-				logger.WithError(err).Error("could not load TLS certs; keeping old one")
-				return
-			}
-			tlsMutex.Lock()
-			defer tlsMutex.Unlock()
-			tls_server.TLSConfig = &tls.Config{
-				GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
-					return tlsCert, nil
-				},
-			}
-			logger.Info("TLS certs updated")
-		})
-		if err != nil {
-			logger.WithError(err).Fatal("could not create watcher for TLS certs")
-		}
-		defer cancelTLS()
-
-	}()
 
 	wh := &Server{
 		Mux: mux,
-		tls: tls_server,
 		certFile: certFile,
 		keyFile: keyFile,
 	}
+	wh.setupServer()
+
 	wh.Mux.HandleFunc("/", wh.defaultHandler)
 	wh.logger = runtime.NewLoggerWithType(wh)
 
 	return wh
 }
 
+func (s *Server) setupServer() {
+	s.tls = &http.Server{
+		Addr: ":8081",
+		Handler: s.Mux,
+		TLSConfig: &cryptotls.Config{
+			GetCertificate: func(hello *cryptotls.ClientHelloInfo) (*cryptotls.Certificate, error) {
+				return s.loadTLSCert()
+			},
+		},
+	}
+}
+
+func (s *Server) loadTLSCert() (*cryptotls.Certificate, error) {
+	tlsCert, err := cryptotls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
+	if err != nil {
+		return nil, err
+	}
+	return &tlsCert, nil
+}
+
 // Run runs the webhook server, starting a https listener.
 // Will close the http server on stop channel close.
 func (s *Server) Run(ctx context.Context, _ int) error {
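Review bot: `loadTLSCert` is called from `GetCertificate`, so every TLS handshake on :8081 now opens and parses `server.crt` and `server.key` (`LoadX509KeyPair` does PEM decoding and private-key parsing each time), whereas the watcher this hunk removes parsed the pair once per file change; handshake cost therefore scales with disk I/O and a burst of connections becomes a proportional number of file reads and key parses. It also drops the previous "keeping old one" behaviour: a transient read error while the mounted secret is being rotated now fails the handshake instead of serving the last good certificate, and the error is not logged by this code. Suggest caching the parsed pair on `Server`, re-reading only when `server.crt`'s ModTime changes and keeping the cached pair on a reload error, as sketched below (needs `os`, `sync` and `time` back in the import block plus the three new fields; the mtime check is a heuristic, so a rotation that preserves mtime would not be picked up). Separately, `loadTLSCert` ignores `s.certFile`/`s.keyFile` and hardcodes the `tlsDir` paths exactly as the removed `readTLSCert` did, so the constructor arguments presumably only reach `Run`, whose body is outside this hunk; a comment on `NewServer` saying which paths are actually served would prevent surprise.
```go
type Server struct {
	// … unchanged: logger, Mux, tls, certFile, keyFile …
	certMu      sync.Mutex             // guards the two fields below
	cachedCert  *cryptotls.Certificate // last successfully parsed pair
	certModTime time.Time              // ModTime of server.crt when cachedCert was parsed
}

// … unchanged: NewServer, setupServer …

// loadTLSCert returns the certificate pair under tlsDir. The files are only
// re-read and re-parsed when server.crt's modification time changes, and a
// failed reload keeps the last good pair instead of failing the handshake.
func (s *Server) loadTLSCert() (*cryptotls.Certificate, error) {
	s.certMu.Lock()
	defer s.certMu.Unlock()

	info, statErr := os.Stat(tlsDir + "server.crt")
	if statErr == nil && s.cachedCert != nil && info.ModTime().Equal(s.certModTime) {
		return s.cachedCert, nil
	}
	tlsCert, err := cryptotls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
	if err != nil {
		if s.cachedCert != nil {
			// s.logger is set in NewServer before Run, so it is available by handshake time
			s.logger.WithError(err).Error("could not load TLS certs; keeping old one")
			return s.cachedCert, nil
		}
		return nil, err
	}
	s.cachedCert = &tlsCert
	if statErr == nil {
		s.certModTime = info.ModTime()
	}
	return s.cachedCert, nil
}
```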
@@ -123,11 +112,3 @@ func (s *Server) defaultHandler(w http.ResponseWriter, r *http.Request) {
 	FourZeroFour(s.logger, w, r)
 }
-
-func readTLSCert() (*tls.Certificate, error) {
-	tlsCert, err := tls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
-	if err != nil {
-		return nil, err
-	}
-	return &tlsCert, nil
-}
diff --git a/pkg/util/https/server_test.go b/pkg/util/https/server_test.go
index 4a9d97b0f2..95348e6308 100644
--- a/pkg/util/https/server_test.go
+++ b/pkg/util/https/server_test.go
@@ -41,7 +41,7 @@ func (ts *testServer) ListenAndServeTLS(certFile, keyFile string) error {
 
 func TestServerRun(t *testing.T) {
 	t.Parallel()
-	s := NewServer("", "",nil)
+	s := NewServer("", "")
 	ts := &testServer{server: httptest.NewUnstartedServer(s.Mux)}
 	s.tls = ts