fxcert_reloader

package

v0.0.0-...-edc4474 Latest Latest Go to latest Published: May 5, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/exoscale/stelling

Links

Open Source Insights

README ¶

CertReloader Module

This module provides facilities for automatically reloading TLS certificates.

It will generally not be used directly, but through other stelling modules such as the grpc server and clients.

Components

Due to the simple nature of this package, there is no module constructor. There is a ProvideCertReloader function which will provision a CertReloader and register lifecycle hooks.

Configuration

The module provides the following configuration options:

CertFile: Path to the pem encoded server TLS certificate
KeyFile: Path to the pem encoded private key of the server TLS certificate
ReloadInterval: The minimum time between 2 certificate reloads

Documentation ¶

Overview ¶

Package fxcert-reloader provides a way to automatically reload certificates

Index ¶

func MakeServerTLS(r *CertReloader, clientCAFile string) (*tls.Config, error)
type CertReloader
- func NewCertReloader(conf *CertReloaderConfig, logger *zap.Logger) (*CertReloader, error)
- func ProvideCertReloader(lc fx.Lifecycle, conf *CertReloaderConfig, logger *zap.Logger) (*CertReloader, error)
type CertReloaderConfig
- func (c *CertReloaderConfig) MarshalLogObject(enc zapcore.ObjectEncoder) error

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func MakeServerTLS ¶

func MakeServerTLS(r *CertReloader, clientCAFile string) (*tls.Config, error)

MakeServerTLS produces a *tls.Config using a cert reloader and additional config TODO: expose more TLS options?

Types ¶

type CertReloader ¶

type CertReloader struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

CertReloader periodically reloads a TLS keypair on disk. The reloader must be explicitly started and stopped The GetCertificate() method can be used in a tls.Config

func NewCertReloader ¶

func NewCertReloader(conf *CertReloaderConfig, logger *zap.Logger) (*CertReloader, error)

NewCertReloader returns a CertReloader for a KeyPair This function will try to eagerly load the KeyPair and will error out if that fails

func ProvideCertReloader ¶

func ProvideCertReloader(lc fx.Lifecycle, conf *CertReloaderConfig, logger *zap.Logger) (*CertReloader, error)

func (*CertReloader) GetCertificate ¶

func (c *CertReloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns the currently loaded keypair It is meant to be passed into a tls.Config If reloading fails, this method will return the last valid keypair

Example ¶

conf := &CertReloaderConfig{
	CertFile:       "/path/to/cert.pem",
	KeyFile:        "/path/to/key.pem",
	ReloadInterval: 1 * time.Hour,
}
reloader, err := NewCertReloader(conf, zap.NewNop())
if err != nil {
	log.Fatal(err)
}

if err := reloader.Start(context.Background()); err != nil {
	log.Fatal(err)
}
defer reloader.Stop(context.Background()) //nolint:errcheck

cfg := &tls.Config{GetCertificate: reloader.GetCertificate}

listener, err := tls.Listen("tcp", ":2000", cfg)
if err != nil {
	log.Fatal(err)
}
_ = listener

func (*CertReloader) GetClientCertificate ¶

func (c *CertReloader) GetClientCertificate(_ *tls.CertificateRequestInfo) (*tls.Certificate, error)

Example ¶

conf := &CertReloaderConfig{
	CertFile:       "/path/to/cert.pem",
	KeyFile:        "/path/to/key.pem",
	ReloadInterval: 1 * time.Hour,
}
reloader, err := NewCertReloader(conf, zap.NewNop())
if err != nil {
	log.Fatal(err)
}

if err := reloader.Start(context.Background()); err != nil {
	log.Fatal(err)
}
defer reloader.Stop(context.Background()) //nolint:errcheck

httpclient := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			GetClientCertificate: reloader.GetClientCertificate,
		},
	},
}

_ = httpclient
// httpclient..Get("https://example.com")

func (*CertReloader) Start ¶

func (c *CertReloader) Start(ctx context.Context) error

Start spawns a go routine that periodically reloads a KeyPair

func (*CertReloader) Stop ¶

func (c *CertReloader) Stop(ctx context.Context) error

Stop stops the reloader and cleans up any resources

type CertReloaderConfig ¶

type CertReloaderConfig struct {
	// CertFile is the path to a pem encoded certificate
	CertFile string
	// KeyFile is the path to a pem encoded private key
	KeyFile string
	// The time minimum time between 2 reloads
	ReloadInterval time.Duration `default:"1h"`
}

func (*CertReloaderConfig) MarshalLogObject ¶

func (c *CertReloaderConfig) MarshalLogObject(enc zapcore.ObjectEncoder) error

Source Files ¶

View all Source files

cert-reloader.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL