advancedtls: Get Instant Updates Before Ticker Runs (#3959)

* get instant updates before ticker runs
ZhenLian 2020-10-15 11:47:34 -07:00 committed by GitHub
parent 7b167fd6ec
commit c6cfaba14d
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 35 additions and 27 deletions


@ -87,6 +87,36 @@ type PEMFileProvider struct {
cancel context.CancelFunc cancel context.CancelFunc
} }
func updateIdentityDistributor(distributor *certprovider.Distributor, certFile, keyFile string) {
if distributor == nil {
return
}
// Read identity certs from PEM files.
identityCert, err := readKeyCertPairFunc(certFile, keyFile)
if err != nil {
// If the reading produces an error, we will skip the update for this
// round and log the error.
logger.Warningf("tls.LoadX509KeyPair reads %s and %s failed: %v", certFile, keyFile, err)
return
}
distributor.Set(&certprovider.KeyMaterial{Certs: []tls.Certificate{identityCert}}, nil)
}
func updateRootDistributor(distributor *certprovider.Distributor, trustFile string) {
if distributor == nil {
return
}
// Read root certs from PEM files.
trustPool, err := readTrustCertFunc(trustFile)
if err != nil {
// If the reading produces an error, we will skip the update for this
// round and log the error.
logger.Warningf("readTrustCertFunc reads %v failed: %v", trustFile, err)
return
}
distributor.Set(&certprovider.KeyMaterial{Roots: trustPool}, nil)
}
// NewPEMFileProvider returns a new PEMFileProvider constructed using the // NewPEMFileProvider returns a new PEMFileProvider constructed using the
// provided options. // provided options.
func NewPEMFileProvider(o PEMFileProviderOptions) (*PEMFileProvider, error) { func NewPEMFileProvider(o PEMFileProviderOptions) (*PEMFileProvider, error) {
@ -113,42 +143,20 @@ func NewPEMFileProvider(o PEMFileProviderOptions) (*PEMFileProvider, error) {
identityTicker := time.NewTicker(o.IdentityInterval) identityTicker := time.NewTicker(o.IdentityInterval)
rootTicker := time.NewTicker(o.RootInterval) rootTicker := time.NewTicker(o.RootInterval)
ctx, cancel := context.WithCancel(context.Background()) ctx, cancel := context.WithCancel(context.Background())
// We pass a copy of PEMFileProviderOptions to the goroutine in case users
// change it after we start reloading.
go func() { go func() {
for { for {
updateIdentityDistributor(provider.identityDistributor, o.CertFile, o.KeyFile)
updateRootDistributor(provider.rootDistributor, o.TrustFile)
select { select {
case <-ctx.Done(): case <-ctx.Done():
identityTicker.Stop() identityTicker.Stop()
rootTicker.Stop() rootTicker.Stop()
return return
case <-identityTicker.C: case <-identityTicker.C:
if provider.identityDistributor == nil { break
continue
}
// Read identity certs from PEM files.
identityCert, err := readKeyCertPairFunc(o.CertFile, o.KeyFile)
if err != nil {
// If the reading produces an error, we will skip the update for this
// round and log the error.
logger.Warningf("tls.LoadX509KeyPair reads %s and %s failed: %v", o.CertFile, o.KeyFile, err)
continue
}
provider.identityDistributor.Set(&certprovider.KeyMaterial{Certs: []tls.Certificate{identityCert}}, nil)
case <-rootTicker.C: case <-rootTicker.C:
if provider.rootDistributor == nil { break
continue
}
// Read root certs from PEM files.
trustPool, err := readTrustCertFunc(o.TrustFile)
if err != nil {
// If the reading produces an error, we will skip the update for this
// round and log the error.
logger.Warningf("readTrustCertFunc reads %v failed: %v", o.TrustFile, err)
continue
}
provider.rootDistributor.Set(&certprovider.KeyMaterial{Roots: trustPool}, nil)
default:
} }
} }
}() }()
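Review bot: The `break` in the `<-identityTicker.C` and `<-rootTicker.C` cases only leaves the `select`, so every tick of either ticker falls through to the top of the loop and re-runs both `updateIdentityDistributor` and `updateRootDistributor`; the trust file is re-read on every identity tick and the key pair on every root tick, which makes `IdentityInterval` and `RootInterval` no longer independent and doubles the PEM reads (and the warning log lines on a bad file) per interval. The intent of the commit — an immediate load before the first tick — is better expressed by calling both helpers once before the `for`, then calling only the matching helper in each ticker case. Dropping the old `default:` case is the right fix for the former busy loop and should stay. `NewPEMFileProvider` starts outside this hunk, so the change below is only the goroutine body.
```go
go func() {
	// Load once up front so callers see key material before the first tick.
	updateIdentityDistributor(provider.identityDistributor, o.CertFile, o.KeyFile)
	updateRootDistributor(provider.rootDistributor, o.TrustFile)
	for {
		select {
		// … unchanged: ctx.Done() case stopping both tickers and returning …
		case <-identityTicker.C:
			updateIdentityDistributor(provider.identityDistributor, o.CertFile, o.KeyFile)
		case <-rootTicker.C:
			updateRootDistributor(provider.rootDistributor, o.TrustFile)
		}
	}
}()
```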