avoid serializing decryptKey() every 15mins (#16135)

If the certs are the same in an environment where the
cert files are symlinks (e.g. Kubernetes), we would otherwise
reload certs every 15 mins - we can avoid reloading
the kes client instance. Ensure that the price to pay
for contending with the lock is only paid when necessary.
This commit is contained in:
Harshavardhana 2022-11-28 01:14:33 -08:00 committed by GitHub
parent 53cbc020b9
commit 09d4f8cd0f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -18,6 +18,7 @@
package kms
import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
@ -95,19 +96,35 @@ func NewWithConfig(config Config) (KMS, error) {
}
go func() {
for {
var prevCertificate tls.Certificate
select {
case certificate := <-config.ReloadCertEvents:
client := kes.NewClientWithConfig("", &tls.Config{
MinVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{certificate},
RootCAs: config.RootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
})
client.Endpoints = endpoints
case certificate, ok := <-config.ReloadCertEvents:
if !ok {
return
}
sameCert := true
for i, b := range certificate.Certificate {
if !bytes.Equal(b, prevCertificate.Certificate[i]) {
sameCert = false
break
}
}
// Do not reload if its the same cert as before.
if !sameCert {
client := kes.NewClientWithConfig("", &tls.Config{
MinVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{certificate},
RootCAs: config.RootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
})
client.Endpoints = endpoints
c.lock.Lock()
c.client = client
c.lock.Unlock()
c.lock.Lock()
c.client = client
c.lock.Unlock()
prevCertificate = certificate
}
}
}
}()
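Review bot: `var prevCertificate tls.Certificate` is declared inside `for {`, so it is re-zeroed on every iteration: the comparison never sees the previously loaded certificate, and on the very first reload event `prevCertificate.Certificate[i]` indexes a nil slice, which panics with index out of range inside the goroutine and takes the whole process down (no caller can recover it). The comparison also assumes both chains have the same length, which the loop over `certificate.Certificate` does not check. Declare `prevCertificate` once before the loop (inside the goroutine is enough, it is only touched there) and compare lengths before indexing, as below; the rest of the branch, including the rebuild under `c.lock`, stays as in the hunk. NewWithConfig begins before this hunk, and the rendering appears to have dropped the hunk's blank lines, so the exact tail of the function is not visible here.

```go
	go func() {
		// Holds the last certificate we built a client from; zero value until the first reload.
		var prevCertificate tls.Certificate
		for {
			select {
			case certificate, ok := <-config.ReloadCertEvents:
				if !ok {
					return
				}
				// Compare chain lengths first so indexing prevCertificate.Certificate
				// below cannot go out of range when the chains differ in length.
				sameCert := len(certificate.Certificate) == len(prevCertificate.Certificate)
				for i := 0; sameCert && i < len(certificate.Certificate); i++ {
					if !bytes.Equal(certificate.Certificate[i], prevCertificate.Certificate[i]) {
						sameCert = false
					}
				}
				// … unchanged: client rebuild under c.lock and prevCertificate update when !sameCert …
```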