made changes in certificate handling

googleforgames · Dec 28, 2023 · d7f1a17 · d7f1a17
1 parent c5b0a31
commit d7f1a17
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 47 deletions.
diff --git a/cmd/extensions/main.go b/cmd/extensions/main.go
@@ -138,7 +138,7 @@ func main() {
 		logger.WithError(err).Fatal("Could not initialize cloud product")
 	}
 	// https server and the items that share the Mux for routing
-	httpsServer := https.NewServer(ctlConf.CertFile, ctlConf.KeyFile, logger)
+	httpsServer := https.NewServer(ctlConf.CertFile, ctlConf.KeyFile)
 	wh := webhooks.NewWebHook(httpsServer.Mux)
 	api := apiserver.NewAPIServer(httpsServer.Mux)
 

diff --git a/pkg/util/https/server.go b/pkg/util/https/server.go
@@ -16,12 +16,9 @@ package https
 
 import (
 	"context"
-	"crypto/tls"
+	cryptotls "crypto/tls"
 	"net/http"
-	"sync"
-	"time"
 
-	"agones.dev/agones/pkg/util/fswatch"
 	"agones.dev/agones/pkg/util/runtime"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -31,10 +28,8 @@ const (
 	tlsDir = "/certs/"
 )
 
-var tlsMutex sync.Mutex
-
 // tls is a http server interface to enable easier testing
-type testTLS interface {
+type tls interface {
 	Close() error
 	ListenAndServeTLS(certFile, keyFile string) error
 }
@@ -45,54 +40,48 @@ type testTLS interface {
 type Server struct {
 	logger   *logrus.Entry
 	Mux      *http.ServeMux
-	tls      testTLS
+	tls      tls
 	certFile string
 	keyFile  string
 }
 
 // NewServer returns a Server instance.
-func NewServer(certFile, keyFile string, logger *logrus.Entry) *Server {
+func NewServer(certFile, keyFile string) *Server {
 	mux := http.NewServeMux()
-	tls_server := &http.Server{
-		Addr:    ":8081",
-		Handler: mux,
-	}
-
-	go func() {
-		cancelTLS, err := fswatch.Watch(logger, tlsDir, time.Second, func() {
-			tlsCert, err := readTLSCert()
-			if err != nil {
-				logger.WithError(err).Error("could not load TLS certs; keeping old one")
-				return
-			}
-			tlsMutex.Lock()
-			defer tlsMutex.Unlock()
-			tls_server.TLSConfig = &tls.Config{
-				GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
-					return tlsCert, nil
-				},
-			}
-			logger.Info("TLS certs updated")
-		})
-		if err != nil {
-			logger.WithError(err).Fatal("could not create watcher for TLS certs")
-		}
-		defer cancelTLS()
-
-	}()
 
 	wh := &Server{
 		Mux:      mux,
-		tls:      tls_server,
 		certFile: certFile,
 		keyFile:  keyFile,
 	}
+	wh.setupServer()
+
 	wh.Mux.HandleFunc("/", wh.defaultHandler)
 	wh.logger = runtime.NewLoggerWithType(wh)
 
 	return wh
 }
 
+func (s *Server) setupServer() {
+	s.tls = &http.Server{
+		Addr:    ":8081",
+		Handler: s.Mux,
+		TLSConfig: &cryptotls.Config{
+			GetCertificate: func(hello *cryptotls.ClientHelloInfo) (*cryptotls.Certificate, error) {
+				return s.loadTLSCert()
+			},
+		},
+	}
+}
+
+func (s *Server) loadTLSCert() (*cryptotls.Certificate, error) {
+	tlsCert, err := cryptotls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
+	if err != nil {
+		return nil, err
+	}
+	return &tlsCert, nil
+}
+
 // Run runs the webhook server, starting a https listener.
 // Will close the http server on stop channel close.
 func (s *Server) Run(ctx context.Context, _ int) error {
@@ -123,11 +112,3 @@ func (s *Server) defaultHandler(w http.ResponseWriter, r *http.Request) {
 
 	FourZeroFour(s.logger, w, r)
 }
-
-func readTLSCert() (*tls.Certificate, error) {
-	tlsCert, err := tls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
-	if err != nil {
-		return nil, err
-	}
-	return &tlsCert, nil
-}
diff --git a/pkg/util/https/server_test.go b/pkg/util/https/server_test.go
@@ -41,7 +41,7 @@ func (ts *testServer) ListenAndServeTLS(certFile, keyFile string) error {
 func TestServerRun(t *testing.T) {
 	t.Parallel()
 
-	s := NewServer("", "",nil)
+	s := NewServer("", "")
 	ts := &testServer{server: httptest.NewUnstartedServer(s.Mux)}
 	s.tls = ts