From f055f6b01b05d14786e4307aad156faa31e3f884 Mon Sep 17 00:00:00 2001
From: Julien Pivotto
Date: Sat, 16 Jun 2018 09:56:09 +0200
Subject: [PATCH] Reload TLS certificates when needed

Fixes https://github.com/prometheus/prometheus/issues/4155

Signed-off-by: Julien Pivotto
---
 config/http_config.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/config/http_config.go b/config/http_config.go
index da5d59014..8970acffb 100644
--- a/config/http_config.go
+++ b/config/http_config.go
@@ -20,6 +20,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/url"
+	"reflect"
 	"strings"
 	"time"
 
@@ -146,6 +147,8 @@ func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string) (http.RoundTri
 		),
 	}
 
+	rt = NewTLSConfigRoundTripper(cfg, tlsConfig, name, rt)
+
 	// If a bearer token is provided, create a round tripper that will set the
 	// Authorization header correctly on each request.
 	if len(cfg.BearerToken) > 0 {
@@ -162,6 +165,33 @@ func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string) (http.RoundTri
 	return rt, nil
 }
 
+type tlsConfigRoundTripper struct {
+	cfg       HTTPClientConfig
+	tlsConfig *tls.Config
+	name      string
+	rt        http.RoundTripper
+}
+
+// NewTLSConfigRoundTripper reads the tls configuration upton each request
+// and updates the TLS configuration as needed
+func NewTLSConfigRoundTripper(cfg HTTPClientConfig, tlsConfig *tls.Config, name string, rt http.RoundTripper) http.RoundTripper {
+	return &tlsConfigRoundTripper{cfg, tlsConfig, name, rt}
+}
+
+func (rt *tlsConfigRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	tlsConfig, err := NewTLSConfig(&rt.cfg.TLSConfig)
+	if err != nil {
+		return nil, err
+	}
+	if !reflect.DeepEqual(tlsConfig, rt.tlsConfig) {
+		rt.rt, err = NewRoundTripperFromConfig(rt.cfg, rt.name)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return rt.rt.RoundTrip(req)
+}
+
 type bearerAuthRoundTripper struct {
 	bearerToken Secret
 	rt          http.RoundTripper
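Review bot: The new `rt = NewTLSConfigRoundTripper(cfg, tlsConfig, name, rt)` line wraps every client unconditionally, so clients whose TLS settings reference no files on disk still re-read and deep-compare a `tls.Config` on each request. Consider installing the wrapper only when `cfg.TLSConfig` names certificate or CA files, since that is the only case in which the on-disk material can change under a running process. Because the wrapper is added inside `NewRoundTripperFromConfig` and the wrapper's own reload path calls that same function, each reload produces a chain that contains a second `tlsConfigRoundTripper` plus the auth wrappers that the outer chain already applies. `NewRoundTripperFromConfig` starts and ends outside this hunk, and `tlsConfig` is declared above it.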
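Review bot: `RoundTrip` assigns `rt.rt` with no synchronization, but net/http requires a `RoundTripper` to be safe for concurrent use, so concurrent requests through one client race on that field; it also never updates `rt.tlsConfig`, so once the certificates change the `reflect.DeepEqual` check fails on every later request and a whole new `NewRoundTripperFromConfig` chain (new transport, nested wrapper) is built per request, leaking the previous transport's pooled connections. Guard the fields with a mutex, store the config the chain was rebuilt for, and release the old transport's idle connections (which still hold the stale certificates) when it exposes `CloseIdleConnections`; this needs `"sync"` added to the import block. Re-reading the files on every request is costly even when nothing changed, though it does fail closed on a malformed certificate, which is the right behaviour; a modification-time check would cut the cost. The doc comment typo `upton` should read `upon`.
```go
type tlsConfigRoundTripper struct {
	cfg  HTTPClientConfig
	name string

	mtx       sync.Mutex // RoundTrip must be safe for concurrent use; guards tlsConfig and rt.
	tlsConfig *tls.Config
	rt        http.RoundTripper
}

// … unchanged: NewTLSConfigRoundTripper …

func (rt *tlsConfigRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	tlsConfig, err := NewTLSConfig(&rt.cfg.TLSConfig)
	if err != nil {
		return nil, err
	}

	rt.mtx.Lock()
	if !reflect.DeepEqual(tlsConfig, rt.tlsConfig) {
		newRT, err := NewRoundTripperFromConfig(rt.cfg, rt.name)
		if err != nil {
			rt.mtx.Unlock()
			return nil, err
		}
		// The old transport's pooled connections were negotiated with the stale certificates.
		if c, ok := rt.rt.(interface{ CloseIdleConnections() }); ok {
			c.CloseIdleConnections()
		}
		// Remember the config we rebuilt for; otherwise every later request rebuilds again.
		rt.rt, rt.tlsConfig = newRT, tlsConfig
	}
	inner := rt.rt
	rt.mtx.Unlock()

	return inner.RoundTrip(req)
}
```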