Load certificates for each TLS Hello

2026-01-15 00:03:51 +01:00 · 2021-04-02 21:47:00 +02:00
parent d770d27a67
commit 44e4d33fba
1 changed files with 7 additions and 13 deletions
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -58,22 +58,16 @@ func main() {

 	glog.Infof("Running with config: %+v", parameters)

-	//sidecarConfig, err := loadConfig(parameters.sidecarCfgFile)
-	//if err != nil {
-	//	glog.Errorf("Failed to load configuration: %v", err)
-	//}
-
-	pair, err := tls.LoadX509KeyPair(parameters.certFile, parameters.keyFile)
-	if err != nil {
-		glog.Errorf("Failed to load key pair: %v", err)
-	}
-
 	whsvr := &WebhookServer{
 		config: &parameters,
 		server: &http.Server{
-			Addr:      fmt.Sprintf(":%v", parameters.port),
-			// TODO: rewrite using GetCertificate
-			TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}},
+			Addr: fmt.Sprintf(":%v", parameters.port),
+			// This is quite inefficient as it loads file contents on every TLS ClientHello, but ¯\_(ツ)_/¯
+			TLSConfig: &tls.Config{GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				glog.Infof("Loading certificates")
+				cert, err := tls.LoadX509KeyPair(parameters.certFile, parameters.keyFile)
+				return &cert, err
+			}},
 		},
 	}