Implement auto cert reloading (#5963)

2025-11-12 23:01:39 -05:00 · 2018-05-31 12:30:15 -07:00
parent 487ecedc51
commit 74328c3061
56 changed files with 5204 additions and 56 deletions
--- a/cmd/gateway-main.go
+++ b/cmd/gateway-main.go
@@ -31,6 +31,7 @@ import (
 	"github.com/minio/cli"
 	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
+	"github.com/minio/minio/pkg/certs"
 )

 func init() {
@@ -164,7 +165,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {

 	// Check and load SSL certificates.
 	var err error
-	globalPublicCerts, globalRootCAs, globalTLSCertificate, globalIsSSL, err = getSSLConfig()
+	globalPublicCerts, globalRootCAs, globalTLSCerts, globalIsSSL, err = getSSLConfig()
 	logger.FatalIf(err, "Invalid SSL certificate file")

 	// Set system resources to maximum.
@@ -179,9 +180,6 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 	// Create new policy system.
 	globalPolicySys = NewPolicySys()

-	newObject, err := gw.NewGatewayLayer(globalServerConfig.GetCredential())
-	logger.FatalIf(err, "Unable to initialize gateway layer")
-
 	router := mux.NewRouter().SkipClean(true)

 	// Add healthcheck router
@@ -198,17 +196,31 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 	// Add API router.
 	registerAPIRouter(router)

-	globalHTTPServer = xhttp.NewServer([]string{gatewayAddr}, registerHandlers(router, globalHandlers...), globalTLSCertificate)
+	var getCert certs.GetCertificateFunc
+	if globalTLSCerts != nil {
+		getCert = globalTLSCerts.GetCertificate
+	}
+
+	globalHTTPServer = xhttp.NewServer([]string{gatewayAddr}, registerHandlers(router, globalHandlers...), getCert)
+	globalHTTPServer.ReadTimeout = globalConnReadTimeout
+	globalHTTPServer.WriteTimeout = globalConnWriteTimeout
 	globalHTTPServer.UpdateBytesReadFunc = globalConnStats.incInputBytes
 	globalHTTPServer.UpdateBytesWrittenFunc = globalConnStats.incOutputBytes
-
-	// Start server, automatically configures TLS if certs are available.
 	go func() {
 		globalHTTPServerErrorCh <- globalHTTPServer.Start()
 	}()

 	signal.Notify(globalOSSignalCh, os.Interrupt, syscall.SIGTERM)

+	newObject, err := gw.NewGatewayLayer(globalServerConfig.GetCredential())
+	if err != nil {
+		// Stop watching for any certificate changes.
+		globalTLSCerts.Stop()
+
+		globalHTTPServer.Shutdown()
+		logger.FatalIf(err, "Unable to initialize gateway backend")
+	}
+
 	// Once endpoints are finalized, initialize the new object api.
 	globalObjLayerMutex.Lock()
 	globalObjectAPI = newObject