fix: ensure certificate gets updated on reload (argoproj#12076)

* fix: ensure certificate gets updated on reload Fixes argoproj#10707. `GetCertificate` ensures that the most current version of `a.settings.Certificate` is used. It's still a bit of a mystery to me as to why the reloading of the server does not work for this, since it should fulfill the same function. Signed-off-by: Blake Pettersson <[email protected]> * fix: remove break from cert changes With 3553ef8, there's no longer any need to break out of the loop. The webhook reloading logic needs another look (since it likely no longer works), but can be handled in another PR. Signed-off-by: Blake Pettersson <[email protected]> --------- Signed-off-by: Blake Pettersson <[email protected]>
tkasuz · Mar 2, 2023 · 710a0d8 · 710a0d8
1 parent f3a3a57
commit 710a0d8
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/server/server.go b/server/server.go
@@ -468,8 +468,9 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 
 		// If not matched, we assume that its TLS.
 		tlsl := tcpm.Match(cmux.Any())
-		tlsConfig := tls.Config{
-			Certificates: []tls.Certificate{*a.settings.Certificate},
+		tlsConfig := tls.Config{}
+		tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return a.settings.Certificate, nil
 		}
 		if a.TLSConfigCustomizer != nil {
 			a.TLSConfigCustomizer(&tlsConfig)
@@ -612,8 +613,8 @@ func (a *ArgoCDServer) watchSettings() {
 				newCert, newCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
 			}
 			if newCert != prevCert || newCertKey != prevCertKey {
-				log.Infof("tls certificate modified. restarting")
-				break
+				log.Infof("tls certificate modified. reloading certificate")
+				// No need to break out of this loop since TlsConfig.GetCertificate will automagically reload the cert.
 			}
 		}
 	}