improve how to reload tls configuration via upgrades/downgrades

command/agent/agent.go

@@ -727,23 +727,37 @@ func (a *Agent) Stats() map[string]map[string]string {
 // Reload handles configuration changes for the agent. Provides a method that
 // is easier to unit test, as this action is invoked via SIGHUP.
 func (a *Agent) Reload(newConfig *Config) error {
-	if a.config != nil && newConfig.TLSConfig != nil {
-
-		// If the agent is already running with TLS enabled, we need to only reload
-		// its certificates. In a later PR, we will introduce the ability to reload
-		// TLS configuration if the agent is not running with TLS enabled.
-		if a.config.TLSConfig != nil {
-			return a.config.SetTLSConfig(newConfig.TLSConfig)
-		}
-
-		// Reload the TLS configuration for the client or server, depending on how
-		// the agent is configured to run.
-		if s := a.Server(); s != nil {
-			err := s.ReloadTLSConnections()
-			if err != nil {
-				a.logger.Printf("[WARN] agent: Issue reloading the server's TLS Configuration, consider a full system restart: %v", err.Error())
-				return err
-			}
+	// If the agent is already running with TLS enabled and the new
+	// configuration specifies a TLS configuration, we need to only reload
+	// its certificates.
+
+	if !a.config.TLSConfig.IsEmpty() && !newConfig.TLSConfig.IsEmpty() {
+		a.logger.Println("[INFO] Updating agent's existing TLS configuration \n\n")
+		// Handle errors in loading the new certificate files.
+		// This is just a TLS configuration reload, we don't need to refresh
+		// existing network connections
+		return a.config.SetTLSConfig(newConfig.TLSConfig)
+	}
+
+	if a.config.TLSConfig.IsEmpty() && !newConfig.TLSConfig.IsEmpty() {
+		a.logger.Println("[INFO] Moving from plaintext configuration to TLS \n\n")
+		// compeltely reload the agent's TLS configuration. This means the agent
+		// is moving from plaintext to TLS connections.
+		// This does not handle errors in loading the new TLS configuration
+		a.config.TLSConfig = newConfig.TLSConfig
+	} else if !a.config.TLSConfig.IsEmpty() && newConfig.TLSConfig.IsEmpty() {
+		a.logger.Println("[WARN] Updating agent's existing TLS configuration \n\n")
+		// This means we are downgrading from a TLS to non-TLS connection.
+		// TODO
+	}
+
+	// Reload the TLS configuration for the client or server, depending on how
+	// the agent is configured to run.
+	if s := a.Server(); s != nil {
+		err := s.ReloadTLSConnections()
+		if err != nil {
+			a.logger.Printf("[WARN] agent: Issue reloading the server's TLS Configuration, consider a full system restart: %v", err.Error())
+			return err
 		}
 	}
 

command/agent/agent_test.go

@@ -634,6 +634,8 @@ func TestServer_Reload_TLS_DowngradeFromTLS(t *testing.T) {
 		},
 	}
 
+	assert.NotNil(agentConfig.TLSConfig.GetKeyLoader().Certificate)
+
 	err := agent.Reload(newConfig)
 	assert.Nil(err)
 

nomad/server.go

@@ -356,6 +356,8 @@ func NewServer(config *Config, consulCatalog consul.CatalogAPI, logger *log.Logg
 // ReloadTLSConnections will completely reload the server's RPC connections if
 // the server is moving from a non-TLS to TLS connection, or vice versa.
 func (s *Server) ReloadTLSConnections() error {
+	s.logger.Printf("[INFO] nomad: reloading server network connections due to server configuration changes")
+
 	// Configure TLS wrapper
 	var tlsWrap tlsutil.RegionWrapper
 	var incomingTLS *tls.Config

nomad/server_test.go

@@ -2,6 +2,7 @@ package nomad
 
 import (
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"math/rand"
@@ -321,5 +322,5 @@ func TestServer_Reload_TLSConnections(t *testing.T) {
 	arg1 := struct{}{}
 	var out1 struct{}
 	newErr := msgpackrpc.CallWithCodec(codec, "Status.Ping", arg1, &out1)
-	assert.NotNil(newErr)
+	assert.Equal(newErr, io.EOF)
 }

nomad/structs/config/tls.go

@@ -112,3 +112,10 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
 	}
 	return &result
 }
+
+// IsEmpty checks to see if every (non-boolean) field in the struct is nil
+func (t *TLSConfig) IsEmpty() bool {
+	return t.CAFile == "" &&
+		t.CertFile == "" &&
+		t.KeyFile == ""
+}