Add watcher to TLS certificates

Signed-off-by: Ruben Vargas <[email protected]>

Author: rubenvp8510

api/traces/v1/api.go

@@ -2,7 +2,6 @@ package v1
 
 import (
 	"context"
-	stdtls "crypto/tls"
 	"time"
 
 	"github.com/go-kit/log"
@@ -18,9 +17,8 @@ import (
 const TraceRoute = "/opentelemetry.proto.collector.trace.v1.TraceService/Export"
 
 type connOptions struct {
-	logger             log.Logger
-	tracesUpstreamCert *stdtls.Certificate
-	tracesUpstreamCA   []byte
+	logger  log.Logger
+	watcher *tls.CertWatcher
 }
 
 // ClientOption modifies the connection's configuration.
@@ -33,15 +31,14 @@ func WithLogger(logger log.Logger) ClientOption {
 	}
 }
 
-func WithUpstreamTLS(tracesUpstreamCA []byte, tracesUpstreamCert *stdtls.Certificate) ClientOption {
+func WithUpstreamTLSWatcher(watcher *tls.CertWatcher) ClientOption {
 	return func(h *connOptions) {
-		h.tracesUpstreamCA = tracesUpstreamCA
-		h.tracesUpstreamCert = tracesUpstreamCert
+		h.watcher = watcher
 	}
 }
 
-func newCredentials(upstreamCA []byte, upstreamCert *stdtls.Certificate) credentials.TransportCredentials {
-	tlsConfig := tls.NewClientConfig(upstreamCA, upstreamCert)
+func newCredentials(watcher *tls.CertWatcher) credentials.TransportCredentials {
+	tlsConfig := tls.NewClientConfigFromWatcher(watcher)
 	if tlsConfig == nil {
 		return insecure.NewCredentials()
 	}
@@ -70,5 +67,5 @@ func NewOTelConnection(write string, opts ...ClientOption) (*grpc.ClientConn, er
 		// because the codec we need to register is also deprecated.  A better fix, is the newer
 		// version of mwitkow/grpc-proxy, but that version doesn't (currently) work with OTel protocol.
 		grpc.WithCodec(grpcproxy.Codec()), // nolint: staticcheck
-		grpc.WithTransportCredentials(newCredentials(c.tracesUpstreamCA, c.tracesUpstreamCert)))
+		grpc.WithTransportCredentials(newCredentials(c.watcher)))
 }

api/traces/v1/http.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"compress/flate"
 	"compress/gzip"
-	stdtls "crypto/tls"
 	"fmt"
 	"io"
 	"net"
@@ -109,7 +108,7 @@ func (n nopInstrumentHandler) NewHandler(labels prometheus.Labels, handler http.
 // The web UI handler is able to rewrite
 // HTML to change the <base> attribute so that it works with the Observatorium-style
 // "/api/v1/traces/{tenant}/" URLs.
-func NewV2Handler(read *url.URL, readTemplate string, tempo *url.URL, writeOTLPHttp *url.URL, upstreamCA []byte, upstreamCert *stdtls.Certificate, opts ...HandlerOption) http.Handler {
+func NewV2Handler(read *url.URL, readTemplate string, tempo *url.URL, writeOTLPHttp *url.URL, upstreamTLSWatcher *tls.CertWatcher, opts ...HandlerOption) http.Handler {
 
 	if read == nil && readTemplate == "" && tempo == nil {
 		panic("missing Jaeger read url")
@@ -152,7 +151,7 @@ func NewV2Handler(read *url.URL, readTemplate string, tempo *url.URL, writeOTLPH
 				DialContext: (&net.Dialer{
 					Timeout: dialTimeout,
 				}).DialContext,
-				TLSClientConfig: tls.NewClientConfig(upstreamCA, upstreamCert),
+				TLSClientConfig: tls.NewClientConfigFromWatcher(upstreamTLSWatcher),
 			}
 
 			proxyRead = &httputil.ReverseProxy{
@@ -203,7 +202,7 @@ func NewV2Handler(read *url.URL, readTemplate string, tempo *url.URL, writeOTLPH
 			DialContext: (&net.Dialer{
 				Timeout: dialTimeout,
 			}).DialContext,
-			TLSClientConfig: tls.NewClientConfig(upstreamCA, upstreamCert),
+			TLSClientConfig: tls.NewClientConfigFromWatcher(upstreamTLSWatcher),
 		}
 
 		proxyOTLP := &httputil.ReverseProxy{
@@ -229,7 +228,7 @@ func NewV2Handler(read *url.URL, readTemplate string, tempo *url.URL, writeOTLPH
 			DialContext: (&net.Dialer{
 				Timeout: dialTimeout,
 			}).DialContext,
-			TLSClientConfig: tls.NewClientConfig(upstreamCA, upstreamCert),
+			TLSClientConfig: tls.NewClientConfigFromWatcher(upstreamTLSWatcher),
 		}
 
 		middlewares := proxy.Middlewares(

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/deepmap/oapi-codegen v1.16.2
 	github.com/efficientgo/core v1.0.0-rc.2
 	github.com/efficientgo/e2e v0.14.1-0.20230413162904-ebc233c5a32f
+	github.com/fsnotify/fsnotify v1.7.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-chi/chi/v5 v5.0.12
@@ -84,7 +85,6 @@ require (
 	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/flosch/pongo2/v4 v4.0.2 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/gin-gonic/gin v1.9.1 // indirect

main.go

@@ -505,8 +505,6 @@ func main() {
 			metricsUpstreamClientCert *stdtls.Certificate
 			logsUpstreamCACert        []byte
 			logsUpstreamClientCert    *stdtls.Certificate
-			tracesUpstreamCACert      []byte
-			tracesUpstreamClientCert  *stdtls.Certificate
 		)
 
 		if cfg.metrics.upstreamCAFile != "" {
@@ -540,20 +538,14 @@ func main() {
 			logsUpstreamClientCert = &clientCert
 		}
 
-		if cfg.traces.upstreamCAFile != "" {
-			tracesUpstreamCACert, err = os.ReadFile(cfg.traces.upstreamCAFile)
-			if err != nil {
-				stdlog.Fatalf("failed to read upstream traces TLS CA: %v", err)
-			}
-
-		}
+		tracesUpstreamTLSWatcher, err := tls.NewCertWatcher(tls.CertPaths{
+			CAPath:   cfg.traces.upstreamCAFile,
+			CertPath: cfg.traces.upstreamCertFile,
+			KeyPath:  cfg.traces.upstreamKeyFile,
+		}, logger)
 
-		if cfg.traces.upstreamCertFile != "" && cfg.traces.upstreamKeyFile != "" {
-			clientCert, err := stdtls.LoadX509KeyPair(cfg.traces.upstreamCertFile, cfg.traces.upstreamKeyFile)
-			if err != nil {
-				stdlog.Fatalf("failed to read upstream traces client TLS cert/key pair: %v", err)
-			}
-			tracesUpstreamClientCert = &clientCert
+		if err != nil {
+			stdlog.Fatalf("failed to read upstream traces TLS watcher: %v", err)
 		}
 
 		r := chi.NewRouter()
@@ -804,8 +796,7 @@ func main() {
 								cfg.traces.readTemplateEndpoint,
 								cfg.traces.tempoEndpoint,
 								cfg.traces.writeOTLPHTTPEndpoint,
-								tracesUpstreamCACert,
-								tracesUpstreamClientCert,
+								tracesUpstreamTLSWatcher,
 								tracesv1.Logger(logger),
 								tracesv1.WithRegistry(reg),
 								tracesv1.WithHandlerInstrumenter(instrumenter),
@@ -895,8 +886,7 @@ func main() {
 				pm.GRPCMiddlewares,
 				authorizers,
 				logger,
-				tracesUpstreamCACert,
-				tracesUpstreamClientCert,
+				tracesUpstreamTLSWatcher,
 			)
 			if err != nil {
 				stdlog.Fatalf("failed to initialize gRPC server: %v", err)
@@ -1458,12 +1448,12 @@ var gRPCRBAC = authorization.GRPCRBac{
 }
 
 func newGRPCServer(cfg *config, tenantHeader string, tenantIDs map[string]string, pmis authentication.GRPCMiddlewareFunc,
-	authorizers map[string]rbac.Authorizer, logger log.Logger, tracesUpstreamCA []byte, tracesUpstreamCert *stdtls.Certificate,
+	authorizers map[string]rbac.Authorizer, logger log.Logger, watcher *tls.CertWatcher,
 ) (*grpc.Server, error) {
 	connOtel, err := tracesv1.NewOTelConnection(
 		cfg.traces.writeOTLPGRPCEndpoint,
 		tracesv1.WithLogger(logger),
-		tracesv1.WithUpstreamTLS(tracesUpstreamCA, tracesUpstreamCert),
+		tracesv1.WithUpstreamTLSWatcher(watcher),
 	)
 	if err != nil {
 		return nil, err

tls/cert_watcher.go

@@ -0,0 +1,131 @@
+package tls
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"path/filepath"
+	"sync"
+
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
+)
+
+type CertWatcher struct {
+	mu       sync.RWMutex
+	watchers []*fsWatcher
+	cert     *tls.Certificate
+	paths    CertPaths
+	certPool *x509.CertPool
+	logger   log.Logger
+}
+
+type CertPaths struct {
+	CertPath string
+	KeyPath  string
+	CAPath   string
+}
+
+func NewCertWatcher(paths CertPaths, logger log.Logger) (*CertWatcher, error) {
+	var cert *tls.Certificate
+	if paths.CertPath != "" && paths.KeyPath != "" {
+		// load certs at startup to catch missing certs error early
+		c, err := tls.LoadX509KeyPair(filepath.Clean(paths.CertPath), filepath.Clean(paths.KeyPath))
+		if err != nil {
+			return nil, fmt.Errorf("failed to load server TLS cert and key: %w", err)
+		}
+		cert = &c
+	}
+
+	// TLS disabled, no key and no CA specified
+	if cert == nil && paths.CAPath == "" {
+		return nil, nil
+	}
+
+	w := &CertWatcher{
+		paths:  paths,
+		cert:   cert,
+		logger: logger,
+	}
+
+	if cert != nil {
+		if err := w.watchCertPair(); err != nil {
+			return nil, err
+		}
+	}
+
+	if paths.CAPath != "" {
+		if err := w.watchCert(w.paths.CAPath); err != nil {
+			return nil, err
+		}
+	}
+
+	return w, nil
+}
+
+func (w *CertWatcher) Close() error {
+	var errs []error
+	for _, w := range w.watchers {
+		errs = append(errs, w.Close())
+	}
+	return errors.Join(errs...)
+}
+
+func (w *CertWatcher) certificate() *tls.Certificate {
+	w.mu.RLock()
+	defer w.mu.RUnlock()
+	return w.cert
+}
+
+func (w *CertWatcher) watchCertPair() error {
+	watcher, err := newWatcher(
+		[]string{w.paths.CertPath, w.paths.KeyPath},
+		w.onCertPairChange, w.logger,
+	)
+	if err == nil {
+		w.watchers = append(w.watchers, watcher)
+		return nil
+	}
+	w.Close()
+	return fmt.Errorf("failed to watch key pair %s and %s: %w", w.paths.KeyPath, w.paths.CertPath, err)
+}
+
+func (w *CertWatcher) watchCert(certPath string) error {
+	onCertChange := func() { w.onCertChange(certPath) }
+
+	watcher, err := newWatcher([]string{certPath}, onCertChange, w.logger)
+	if err == nil {
+		w.watchers = append(w.watchers, watcher)
+		return nil
+	}
+	w.Close()
+	return fmt.Errorf("failed to watch cert %s: %w", certPath, err)
+}
+
+func (w *CertWatcher) onCertPairChange() {
+	cert, err := tls.LoadX509KeyPair(filepath.Clean(w.paths.CertPath), filepath.Clean(w.paths.KeyPath))
+	if err == nil {
+		w.mu.Lock()
+		w.cert = &cert
+		w.mu.Unlock()
+		level.Info(w.logger).Log("msg", "cert/key pair reloaded", "cert", w.paths.CertPath, "key", w.paths.KeyPath)
+	} else {
+		level.Error(w.logger).Log("msg", "error reloading cert/key pair",
+			"cert", w.paths.CertPath, "key", w.paths.KeyPath, "error", err.Error())
+	}
+}
+
+func (w *CertWatcher) Pool() *x509.CertPool {
+	return w.certPool
+}
+
+func (w *CertWatcher) onCertChange(certPath string) {
+	w.mu.Lock() // prevent concurrent updates to the same certPool
+	if err := addCertToPool(certPath, w.certPool); err == nil {
+		level.Info(w.logger).Log("msg", "certificate reloaded", certPath)
+	} else {
+		level.Error(w.logger).Log("msg", "error reloading certificate", "cert", certPath, "error", err.Error())
+	}
+	w.mu.Unlock()
+}

tls/config.go

@@ -27,21 +27,31 @@ func NewClientConfig(upstreamCA []byte, upstreamCert *tls.Certificate) *tls.Conf
 	return cfg
 }
 
+func NewClientConfigFromWatcher(watcher *CertWatcher) *tls.Config {
+	if watcher == nil {
+		return nil
+	}
+
+	cfg := &tls.Config{
+		RootCAs: watcher.Pool(),
+	}
+
+	cfg.GetClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+		return watcher.certificate(), nil
+	}
+
+	return cfg
+}
+
 // NewServerConfig provides new server TLS configuration.
 func NewServerConfig(logger log.Logger, certFile, keyFile, minVersion, maxVersion, clientAuthType string, cipherSuites []string) (*tls.Config, error) {
 	if certFile == "" && keyFile == "" {
 		level.Info(logger).Log("msg", "TLS disabled; key and cert must be set to enable")
-
 		return nil, nil
 	}
 
 	level.Info(logger).Log("msg", "enabling server side TLS")
 
-	tlsCert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, fmt.Errorf("server credentials: %w", err)
-	}
-
 	tlsMinVersion, err := parseTLSVersion(minVersion)
 	if err != nil {
 		return nil, fmt.Errorf("cannot parse TLS Version: %w", err)
@@ -66,15 +76,25 @@ func NewServerConfig(logger log.Logger, certFile, keyFile, minVersion, maxVersio
 		return nil, fmt.Errorf("can not parse TLS Client authentication policy: %w", err)
 	}
 
+	watcher, err := NewCertWatcher(CertPaths{
+		CertPath: certFile,
+		KeyPath:  keyFile,
+	}, logger)
+	if err != nil {
+		return nil, fmt.Errorf("error starting certificate watcher: %w", err)
+	}
+
 	tlsCfg := &tls.Config{
-		Certificates: []tls.Certificate{tlsCert},
 		// A list of supported cipher suites for TLS versions up to TLS 1.2.
 		// If CipherSuites is nil, a default list of secure cipher suites is used.
 		// Note that TLS 1.3 ciphersuites are not configurable.
 		CipherSuites: cipherSuiteIDs,
 		ClientAuth:   tlsClientAuthType,
 		MinVersion:   tlsMinVersion,
 		MaxVersion:   tlsMaxVersion,
+		GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return watcher.certificate(), nil
+		},
 	}
 
 	return tlsCfg, nil