From 234fa6e5fe908146e2dabe9f5312292295633e86 Mon Sep 17 00:00:00 2001
From: Jesse Suen
Date: Thu, 14 Jun 2018 17:42:18 -0700
Subject: [PATCH] Automatically restart API server upon certificate changes

---
 VERSION | 2 +-
 server/server.go | 13 +++++++++++++
 util/settings/settings.go | 6 +++---
 util/tls/tls.go | 8 +++++++-
 4 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/VERSION b/VERSION
index cb0c939a936f1..be14282b7fffb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.2
+0.5.3
diff --git a/server/server.go b/server/server.go
index 448b3b757b2c8..7f36b70b77277 100644
--- a/server/server.go
+++ b/server/server.go
@@ -48,6 +48,7 @@ import (
 	"github.com/argoproj/argo-cd/util/rbac"
 	util_session "github.com/argoproj/argo-cd/util/session"
 	settings_util "github.com/argoproj/argo-cd/util/settings"
+	tlsutil "github.com/argoproj/argo-cd/util/tls"
 	"github.com/argoproj/argo-cd/util/webhook"
 )
 
@@ -228,6 +229,10 @@ func (a *ArgoCDServer) watchSettings(ctx context.Context) {
 	prevGitHubSecret := a.settings.WebhookGitHubSecret
 	prevGitLabSecret := a.settings.WebhookGitLabSecret
 	prevBitBucketUUID := a.settings.WebhookBitbucketUUID
+	var prevCert, prevCertKey string
+	if a.settings.Certificate != nil {
+		prevCert, prevCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
+	}
 
 	for {
 		<-updateCh
@@ -249,6 +254,14 @@ func (a *ArgoCDServer) watchSettings(ctx context.Context) {
 			log.Infof("bitbucket uuid modified. restarting")
 			break
 		}
+		var newCert, newCertKey string
+		if a.settings.Certificate != nil {
+			newCert, newCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
+		}
+		if newCert != prevCert || newCertKey != prevCertKey {
+			log.Infof("tls certificate modified. restarting")
+			break
+		}
 	}
 	log.Info("shutting down settings watch")
 	a.Shutdown()
diff --git a/util/settings/settings.go b/util/settings/settings.go
index 87299f47f5c42..eccc5a0457515 100644
--- a/util/settings/settings.go
+++ b/util/settings/settings.go
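Review bot: The new change detection in watchSettings (the hunk at @@ -228 and the loop-body hunk at @@ -249) materializes the PEM of the server's private key as a plain Go string and keeps it in `prevCertKey` for the lifetime of the watch goroutine, only to compare it on each update; Go strings cannot be zeroed, so the private key now lives on the heap in a second long-lived place beside `a.settings.Certificate`. Comparing the leaf certificate alone is enough to detect a rotation, because a new key without a new certificate is not a usable pair, e.g. `prevCert := string(a.settings.Certificate.Certificate[0])` under the same nil check, with the matching one-line change in the loop. Separately, EncodeX509KeyPair indexes `cert.Certificate[0]` with no length check (visible in the util/tls/tls.go hunk), so a settings update carrying a Certificate with an empty chain would panic the watch goroutine instead of triggering a restart; extending the guard to `if c := a.settings.Certificate; c != nil && len(c.Certificate) > 0 {` in both places covers that. watchSettings starts before the first of these hunks and its body continues between them.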
@@ -200,9 +200,9 @@ func (mgr *SettingsManager) SaveSettings(settings *ArgoCDSettings) error {
 		argoCDSecret.StringData[settingsWebhookBitbucketUUIDKey] = settings.WebhookBitbucketUUID
 	}
 	if settings.Certificate != nil {
-		certBytes, keyBytes := tlsutil.EncodeX509KeyPair(*settings.Certificate)
-		argoCDSecret.StringData[settingServerCertificate] = string(certBytes)
-		argoCDSecret.StringData[settingServerPrivateKey] = string(keyBytes)
+		cert, key := tlsutil.EncodeX509KeyPairString(*settings.Certificate)
+		argoCDSecret.StringData[settingServerCertificate] = cert
+		argoCDSecret.StringData[settingServerPrivateKey] = key
 	} else {
 		delete(argoCDSecret.Data, settingServerCertificate)
 		delete(argoCDSecret.Data, settingServerPrivateKey)
diff --git a/util/tls/tls.go b/util/tls/tls.go
index 15a06d4e2ae9a..639ca2a3c05d4 100644
--- a/util/tls/tls.go
+++ b/util/tls/tls.go
@@ -172,9 +172,15 @@ func GenerateX509KeyPair(opts CertOptions) (*tls.Certificate, error) {
 	return &cert, nil
 }
 
-// EncodeX509KeyPair encodes a TLS Certificate into its pem encoded for storage
+// EncodeX509KeyPair encodes a TLS Certificate into its pem encoded format for storage
 func EncodeX509KeyPair(cert tls.Certificate) ([]byte, []byte) {
 	certpem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]})
 	keypem := pem.EncodeToMemory(pemBlockForKey(cert.PrivateKey))
 	return certpem, keypem
 }
+
+// EncodeX509KeyPairString encodes a TLS Certificate into its pem encoded string format
+func EncodeX509KeyPairString(cert tls.Certificate) (string, string) {
+	certpem, keypem := EncodeX509KeyPair(cert)
+	return string(certpem), string(keypem)
+}
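Review bot: EncodeX509KeyPairString inherits the unchecked `cert.Certificate[0]` index from EncodeX509KeyPair, so a tls.Certificate with an empty chain panics rather than returning an error, and neither doc comment says so; the new helper's callers in server.go and settings.go only test `Certificate != nil`, so the precondition belongs in the comment: `// EncodeX509KeyPairString encodes a TLS Certificate into its pem encoded string format. It panics if cert.Certificate is empty; the returned key string is the PEM of cert.PrivateKey and must be handled as a secret.` Also worth documenting is that EncodeX509KeyPair only emits the leaf (`Certificate[0]`), so any intermediates in the chain are dropped on the way to storage. A `len(cert.Certificate) == 0` check that returns an error would be the safer shape, but it changes the signature that SaveSettings now relies on, so the doc comment is the minimal fix for this commit.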