Support on-demand certificate reload on SIGHUP #88
Draft
AntiD2ta wants to merge 9 commits into certificate-san-support from
Added new certmanager service
Co-authored-by: Jacob Shufro <jacob@shuf.ro>

Updates:
- Add test to assert new certificates renewal feature
- Update test suite to use certManager to handle certificates
Co-authored-by: Jacob Shufro <jacob@shuf.ro>

- Bump ReleaseVersion to 1.2.1-rc.2
- Modify CA certificate handling to log a warning when no CA certificate is specified, allowing the use of standard CA certificates.
- Fix conditional check in parameter parsing to ensure correct application of parameters.
This PR provides an alternative implementation of #83 to support on-demand certificate reload on a SIGHUP signal.
The PR's branch is based on #87, therefore it is suggested to merge that PR first and then update this PR's reference to point to master.
The GetCertificate function is designed to be a callback used by the Go standard library's tls.Config. This means it only runs when a client connects to the server and initiates a TLS handshake. Currently, a certificate reload is automatically attempted when GetCertificate is called if the current certificate is expired. We can keep this behavior or only allow a certificate reload after a SIGHUP.

Current tests are asserting the reloading behavior, but not Dirk's process reaction on a SIGHUP.
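
An added example, not code from this PR or from Dirk: a sketch of the SIGHUP-only option described above, where GetCertificate only returns the current certificate and a signal handler swaps it. The Reloader type, its load field and WatchSIGHUP are hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"log"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
)

// Reloader hands the most recently loaded certificate to TLS handshakes.
// Hypothetical type for this example; it is not the PR's certmanager.
type Reloader struct {
	load func() (*tls.Certificate, error) // assumed loader, e.g. wrapping tls.LoadX509KeyPair
	cur  atomic.Pointer[tls.Certificate]
}

// Reload swaps in a freshly loaded certificate; on failure the old one stays active.
func (r *Reloader) Reload() error {
	c, err := r.load()
	if err != nil {
		return err
	}
	r.cur.Store(c)
	return nil
}

// GetCertificate runs once per handshake; set it as tls.Config.GetCertificate.
func (r *Reloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c := r.cur.Load(); c != nil {
		return c, nil
	}
	return nil, errors.New("no certificate loaded")
}

// WatchSIGHUP registers the handler before returning, then reloads on each SIGHUP.
func (r *Reloader) WatchSIGHUP() {
	ch := make(chan os.Signal, 1)
	signal.Notify(ch, syscall.SIGHUP)
	go func() {
		for range ch {
			if err := r.Reload(); err != nil {
				log.Printf("reload failed, keeping current certificate: %v", err)
			}
		}
	}()
}
```

Because the handshake path only reads an atomic pointer, a key pair that is unreadable or half-written at SIGHUP time is logged and the previous certificate keeps being served.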