Reload VaultConfig if CAFile, CertFile, KeyFile have changed

Fixes hashicorp#4395, hashicorp#6052
Xopherus · Nov 12, 2019 · 57b365d · 57b365d
1 parent 3fea25b
commit 57b365d
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 18 deletions.
diff --git a/nomad/structs/config/vault.go b/nomad/structs/config/vault.go
@@ -78,6 +78,9 @@ type VaultConfig struct {
 
 	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
 	TLSServerName string `hcl:"tls_server_name"`
+
+	// Checksum is a MD5 hash of the TLSCaFile, TLSCertFile, and TLSKeyFile.
+	Checksum string
 }
 
 // DefaultVaultConfig() returns the canonical defaults for the Nomad
@@ -191,52 +194,75 @@ func (c *VaultConfig) Copy() *VaultConfig {
 
 // IsEqual compares two Vault configurations and returns a boolean indicating
 // if they are equal.
-func (a *VaultConfig) IsEqual(b *VaultConfig) bool {
+func (a *VaultConfig) IsEqual(b *VaultConfig) (bool, error) {
 	if a == nil && b != nil {
-		return false
+		return false, nil
 	}
 	if a != nil && b == nil {
-		return false
+		return false, nil
 	}
 
 	if a.Token != b.Token {
-		return false
+		return false, nil
 	}
 	if a.Role != b.Role {
-		return false
+		return false, nil
 	}
 	if a.TaskTokenTTL != b.TaskTokenTTL {
-		return false
+		return false, nil
 	}
 	if a.Addr != b.Addr {
-		return false
+		return false, nil
 	}
 	if a.ConnectionRetryIntv.Nanoseconds() != b.ConnectionRetryIntv.Nanoseconds() {
-		return false
+		return false, nil
 	}
 	if a.TLSCaFile != b.TLSCaFile {
-		return false
+		return false, nil
 	}
 	if a.TLSCaPath != b.TLSCaPath {
-		return false
+		return false, nil
 	}
 	if a.TLSCertFile != b.TLSCertFile {
-		return false
+		return false, nil
 	}
 	if a.TLSKeyFile != b.TLSKeyFile {
-		return false
+		return false, nil
 	}
 	if a.TLSServerName != b.TLSServerName {
-		return false
+		return false, nil
 	}
 	if a.AllowUnauthenticated != b.AllowUnauthenticated {
-		return false
+		return false, nil
 	}
 	if a.TLSSkipVerify != b.TLSSkipVerify {
-		return false
+		return false, nil
 	}
 	if a.Enabled != b.Enabled {
-		return false
+		return false, nil
+	}
+
+	if a.Checksum == "" {
+		if err := a.SetChecksum(); err != nil {
+			return true, err
+		}
+	}
+
+	if b.Checksum == "" {
+		if err := b.SetChecksum(); err != nil {
+			return true, err
+		}
 	}
-	return true
+	return a.Checksum == b.Checksum, nil
+}
+
+// SetChecksum generates and sets the checksum for a Vault configuration.
+func (a *VaultConfig) SetChecksum() error {
+	newChecksum, err := createChecksumOfFiles(a.TLSCaFile, a.TLSCertFile, a.TLSKeyFile)
+	if err != nil {
+		return err
+	}
+
+	a.Checksum = newChecksum
+	return nil
 }
diff --git a/nomad/vault.go b/nomad/vault.go
@@ -342,7 +342,11 @@ func (v *vaultClient) SetConfig(config *config.VaultConfig) error {
 	defer v.l.Unlock()
 
 	// If reloading the same config, no-op
-	if v.config.IsEqual(config) {
+	isEqual, err := v.config.IsEqual(config)
+	if err != nil {
+		v.logger.Info("error when parsing TLS certificate %v", err)
+		return nil
+	} else if isEqual {
 		return nil
 	}