watcher should keep watching the certificate

googleforgames · Jan 11, 2024 · fcde21b · fcde21b
1 parent e7923c0
commit fcde21b
Showing 1 changed file with 29 additions and 20 deletions.
diff --git a/pkg/util/https/server.go b/pkg/util/https/server.go
@@ -31,6 +31,8 @@ const (
 	tlsDir = "/certs/"
 )
 
+var closeCh = make(chan struct{})
+
 // tls is a http server interface to enable easier testing
 type tls interface {
 	Close() error
@@ -59,36 +61,40 @@ func NewServer(certFile, keyFile string) *Server {
 		certFile: certFile,
 		keyFile:  keyFile,
 	}
-	wh.setupServer()
-
-	wh.Mux.HandleFunc("/", wh.defaultHandler)
-	wh.logger = runtime.NewLoggerWithType(wh)
 
-	return wh
-}
+	tlsCert, err := readTLSCert()
+	if err != nil {
+		logrus.WithError(err).Fatal("could not load TLS certs.")
+	}
+	wh.CertMu.Lock()
+	wh.Certs = tlsCert
+	wh.CertMu.Unlock()
 
-func (s *Server) setupServer() {
-	s.tls = &http.Server{
+	wh.tls = &http.Server{
 		Addr:    ":8081",
-		Handler: s.Mux,
-		TLSConfig: &cryptotls.Config{
-			GetCertificate: s.getCertificate,
-		},
+		Handler: wh.Mux,
 	}
 
 	// Start a goroutine to watch for certificate changes
-	go s.watchForCertificateChanges()
+	go watchForCertificateChanges(wh)
+
+	wh.Mux.HandleFunc("/", wh.defaultHandler)
+	wh.logger = runtime.NewLoggerWithType(wh)
+
+	return wh
 }
 
-// getCertificate returns the current TLS certificate
-func (s *Server) getCertificate(hello *cryptotls.ClientHelloInfo) (*cryptotls.Certificate, error) {
-	s.CertMu.Lock()
-	defer s.CertMu.Unlock()
-	return s.Certs, nil
+// It will load the key pair certificate
+func readTLSCert() (*cryptotls.Certificate, error) {
+	tlsCert, err := cryptotls.LoadX509KeyPair(tlsDir+"server.crt", tlsDir+"server.key")
+	if err != nil {
+		return nil, err
+	}
+	return &tlsCert, nil
 }
 
 // watchForCertificateChanges watches for changes in the certificate files
-func (s *Server) watchForCertificateChanges() {
+func watchForCertificateChanges(s *Server) {
 	// Watch for changes in the tlsDir
 	cancelTLS, err := fswatch.Watch(s.logger, tlsDir, time.Second, func() {
 		// Load the new TLS certificate
@@ -107,7 +113,9 @@ func (s *Server) watchForCertificateChanges() {
 		s.logger.WithError(err).Fatal("could not create watcher for TLS certs")
 	}
 
-	defer cancelTLS()
+	// Wait for the signal to close
+	<-closeCh
+	cancelTLS()
 }
 
 // Run runs the webhook server, starting a https listener.
@@ -116,6 +124,7 @@ func (s *Server) Run(ctx context.Context, _ int) error {
 	go func() {
 		<-ctx.Done()
 		s.tls.Close() // nolint: errcheck,gosec
+		close(closeCh)
 	}()
 
 	s.logger.WithField("server", s).Infof("https server started")