Automatically restart API server upon certificate changes
jessesuen committed Jun 15, 2018
1 parent 8ff98cc commit 234fa6e
Showing 4 changed files with 24 additions and 5 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
0.5.2
0.5.3
13 changes: 13 additions & 0 deletions server/server.go
Expand Up @@ -48,6 +48,7 @@ import (
"github.com/argoproj/argo-cd/util/rbac"
util_session "github.com/argoproj/argo-cd/util/session"
settings_util "github.com/argoproj/argo-cd/util/settings"
tlsutil "github.com/argoproj/argo-cd/util/tls"
"github.com/argoproj/argo-cd/util/webhook"
)

Expand Down Expand Up @@ -228,6 +229,10 @@ func (a *ArgoCDServer) watchSettings(ctx context.Context) {
prevGitHubSecret := a.settings.WebhookGitHubSecret
prevGitLabSecret := a.settings.WebhookGitLabSecret
prevBitBucketUUID := a.settings.WebhookBitbucketUUID
var prevCert, prevCertKey string
if a.settings.Certificate != nil {
prevCert, prevCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
}

for {
<-updateCh
Expand All @@ -249,6 +254,14 @@ func (a *ArgoCDServer) watchSettings(ctx context.Context) {
log.Infof("bitbucket uuid modified. restarting")
break
}
var newCert, newCertKey string
if a.settings.Certificate != nil {
newCert, newCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
}
if newCert != prevCert || newCertKey != prevCertKey {
log.Infof("tls certificate modified. restarting")
break
}
}
log.Info("shutting down settings watch")
a.Shutdown()
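Review bot: The new comparison at the end of the watch loop keeps the PEM-encoded private key in `prevCertKey` and `newCertKey` as Go strings, which cannot be zeroed, for the whole life of the watch just to test equality; keeping only a digest of the encoded pair, e.g. `prevSum := sha256.Sum256(append([]byte(cert), key...))` computed from the `[]byte` form and compared per update, would detect the same change without a second long-lived string copy of the key. Note also that `tlsutil.EncodeX509KeyPairString` reaches `cert.Certificate[0]` (visible in the util/tls/tls.go hunk), so a non-nil `Certificate` with an empty chain would panic inside the watcher rather than being handled as "no certificate"; a `len(a.settings.Certificate.Certificate) > 0` guard before encoding would keep the watch alive. The same applies to the `prevCert` block in the earlier hunk of this file. watchSettings begins before and ends after the hunk shown here.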
6 changes: 3 additions & 3 deletions util/settings/settings.go
Expand Up @@ -200,9 +200,9 @@ func (mgr *SettingsManager) SaveSettings(settings *ArgoCDSettings) error {
argoCDSecret.StringData[settingsWebhookBitbucketUUIDKey] = settings.WebhookBitbucketUUID
}
if settings.Certificate != nil {
certBytes, keyBytes := tlsutil.EncodeX509KeyPair(*settings.Certificate)
argoCDSecret.StringData[settingServerCertificate] = string(certBytes)
argoCDSecret.StringData[settingServerPrivateKey] = string(keyBytes)
cert, key := tlsutil.EncodeX509KeyPairString(*settings.Certificate)
argoCDSecret.StringData[settingServerCertificate] = cert
argoCDSecret.StringData[settingServerPrivateKey] = key
} else {
delete(argoCDSecret.Data, settingServerCertificate)
delete(argoCDSecret.Data, settingServerPrivateKey)
8 changes: 7 additions & 1 deletion util/tls/tls.go
Expand Up @@ -172,9 +172,15 @@ func GenerateX509KeyPair(opts CertOptions) (*tls.Certificate, error) {
return &cert, nil
}

// EncodeX509KeyPair encodes a TLS Certificate into its pem encoded for storage
// EncodeX509KeyPair encodes a TLS Certificate into its pem encoded format for storage
func EncodeX509KeyPair(cert tls.Certificate) ([]byte, []byte) {
certpem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]})
keypem := pem.EncodeToMemory(pemBlockForKey(cert.PrivateKey))
return certpem, keypem
}

// EncodeX509KeyPairString encodes a TLS Certificate into its pem encoded string format
func EncodeX509KeyPairString(cert tls.Certificate) (string, string) {
certpem, keypem := EncodeX509KeyPair(cert)
return string(certpem), string(keypem)
}
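Review bot: `EncodeX509KeyPairString` returns the PEM private key as an immutable string, so callers that store or compare it cannot wipe the material afterwards; the doc comment should state this and point byte-oriented callers at `EncodeX509KeyPair`, for example `// EncodeX509KeyPairString encodes a TLS Certificate into its pem encoded string format. The second value is the private key; callers that can zero the buffer should prefer EncodeX509KeyPair.`. The wrapper also inherits the `cert.Certificate[0]` access in the wrapped function, which panics for a `tls.Certificate` with an empty chain and encodes only the leaf, dropping any intermediates; neither behaviour is documented, and a sentence on each (`// Only cert.Certificate[0] is encoded; cert.Certificate must be non-empty.`) would make the contract explicit to the new caller in server/server.go. `pemBlockForKey` is defined outside the hunk, so I cannot tell from here whether it handles every key type `tls.Certificate` may carry.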
