GetCertificate only reloads certificates dynamically for the server

hashicorp · Nov 14, 2017 · 12cb657 · 12cb657
1 parent 2cade96
commit 12cb657
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 15 deletions.
diff --git a/client/client.go b/client/client.go
@@ -173,7 +173,8 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
 	// Create the tls wrapper
 	var tlsWrap tlsutil.RegionWrapper
 	if cfg.TLSConfig.EnableRPC {
-		tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper()
+		isServerMode := false
+		tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper(isServerMode)
 		if err != nil {
 			return nil, err
 		}

diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go
@@ -108,7 +108,7 @@ func (c *Config) LoadKeyPair() (*tls.Certificate, error) {
 // requests. It will return a nil config if this configuration should
 // not use TLS for outgoing connections. Provides a callback to
 // fetch certificates, allowing for reloading on the fly.
-func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
+func (c *Config) OutgoingTLSConfig(serverMode bool) (*tls.Config, error) {
 	// If VerifyServerHostname is true, that implies VerifyOutgoing
 	if c.VerifyServerHostname {
 		c.VerifyOutgoing = true
@@ -140,7 +140,11 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 	if err != nil {
 		return nil, err
 	} else if cert != nil {
-		tlsConfig.GetCertificate = c.KeyLoader.GetOutgoingCertificate
+		if serverMode {
+			tlsConfig.GetCertificate = c.KeyLoader.GetOutgoingCertificate
+		} else {
+			tlsConfig.Certificates = []tls.Certificate{*cert}
+		}
 	}
 
 	return tlsConfig, nil
@@ -149,9 +153,9 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 // OutgoingTLSWrapper returns a a Wrapper based on the OutgoingTLS
 // configuration. If hostname verification is on, the wrapper
 // will properly generate the dynamic server name for verification.
-func (c *Config) OutgoingTLSWrapper() (RegionWrapper, error) {
+func (c *Config) OutgoingTLSWrapper(serverMode bool) (RegionWrapper, error) {
 	// Get the TLS config
-	tlsConfig, err := c.OutgoingTLSConfig()
+	tlsConfig, err := c.OutgoingTLSConfig(serverMode)
 	if err != nil {
 		return nil, err
 	}

diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go
@@ -80,7 +80,8 @@ func TestConfig_OutgoingTLS_MissingCA(t *testing.T) {
 	conf := &Config{
 		VerifyOutgoing: true,
 	}
-	tls, err := conf.OutgoingTLSConfig()
+	isServerMode := false
+	tls, err := conf.OutgoingTLSConfig(isServerMode)
 	if err == nil {
 		t.Fatalf("expected err")
 	}
@@ -93,7 +94,8 @@ func TestConfig_OutgoingTLS_OnlyCA(t *testing.T) {
 	conf := &Config{
 		CAFile: cacert,
 	}
-	tls, err := conf.OutgoingTLSConfig()
+	isServerMode := false
+	tls, err := conf.OutgoingTLSConfig(isServerMode)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -107,7 +109,8 @@ func TestConfig_OutgoingTLS_VerifyOutgoing(t *testing.T) {
 		VerifyOutgoing: true,
 		CAFile:         cacert,
 	}
-	tls, err := conf.OutgoingTLSConfig()
+	isServerMode := true
+	tls, err := conf.OutgoingTLSConfig(isServerMode)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -127,7 +130,8 @@ func TestConfig_OutgoingTLS_VerifyHostname(t *testing.T) {
 		VerifyServerHostname: true,
 		CAFile:               cacert,
 	}
-	tls, err := conf.OutgoingTLSConfig()
+	isServerMode := true
+	tls, err := conf.OutgoingTLSConfig(isServerMode)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -152,7 +156,8 @@ func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
 		KeyFile:        fookey,
 		KeyLoader:      &config.KeyLoader{},
 	}
-	tlsConf, err := conf.OutgoingTLSConfig()
+	isServerMode := true
+	tlsConf, err := conf.OutgoingTLSConfig(isServerMode)
 	assert.Nil(err)
 	assert.NotNil(tlsConf)
 	assert.Equal(len(tlsConf.RootCAs.Subjects()), 1)
@@ -216,7 +221,8 @@ func TestConfig_outgoingWrapper_OK(t *testing.T) {
 		t.Fatalf("startTLSServer err: %v", <-errc)
 	}
 
-	wrap, err := config.OutgoingTLSWrapper()
+	isServerMode := true
+	wrap, err := config.OutgoingTLSWrapper(isServerMode)
 	if err != nil {
 		t.Fatalf("OutgoingTLSWrapper err: %v", err)
 	}
@@ -252,7 +258,8 @@ func TestConfig_outgoingWrapper_BadCert(t *testing.T) {
 		t.Fatalf("startTLSServer err: %v", <-errc)
 	}
 
-	wrap, err := config.OutgoingTLSWrapper()
+	isServerMode := true
+	wrap, err := config.OutgoingTLSWrapper(isServerMode)
 	if err != nil {
 		t.Fatalf("OutgoingTLSWrapper err: %v", err)
 	}
@@ -285,7 +292,8 @@ func TestConfig_wrapTLS_OK(t *testing.T) {
 		t.Fatalf("startTLSServer err: %v", <-errc)
 	}
 
-	clientConfig, err := config.OutgoingTLSConfig()
+	isServerMode := false
+	clientConfig, err := config.OutgoingTLSConfig(isServerMode)
 	if err != nil {
 		t.Fatalf("OutgoingTLSConfig err: %v", err)
 	}
@@ -320,7 +328,8 @@ func TestConfig_wrapTLS_BadCert(t *testing.T) {
 		VerifyOutgoing: true,
 	}
 
-	clientTLSConfig, err := clientConfig.OutgoingTLSConfig()
+	isServerMode := false
+	clientTLSConfig, err := clientConfig.OutgoingTLSConfig(isServerMode)
 	if err != nil {
 		t.Fatalf("OutgoingTLSConfig err: %v", err)
 	}

diff --git a/nomad/server.go b/nomad/server.go
@@ -230,7 +230,8 @@ func NewServer(config *Config, consulCatalog consul.CatalogAPI, logger *log.Logg
 	var incomingTLS *tls.Config
 	if config.TLSConfig.EnableRPC {
 		tlsConf := config.tlsConfig()
-		tw, err := tlsConf.OutgoingTLSWrapper()
+		isServerMode := true
+		tw, err := tlsConf.OutgoingTLSWrapper(isServerMode)
 		if err != nil {
 			return nil, err
 		}