From fbd2208044b9faa3125198b45fd8b62d1e7ddf0b Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 1 Feb 2021 17:14:44 -0800
Subject: [PATCH] Close key manager for safe reloads when a cgo module is used.
---
 authority/authority.go | 7 +++++++
 authority/authority_test.go | 14 ++++++++++++++
 ca/ca.go | 4 +++-
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/authority/authority.go b/authority/authority.go
index 4518abdf..72fa081f 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -382,3 +382,10 @@ func (a *Authority) Shutdown() error {
 }
 return a.db.Shutdown()
 }
+
+// CloseForReload closes internal services, to allow a safe reload.
+func (a *Authority) CloseForReload() {
+ if err := a.keyManager.Close(); err != nil {
+ log.Printf("error closing the key manager: %v", err)
+ }
+}
diff --git a/authority/authority_test.go b/authority/authority_test.go
index 8b003572..e6625d6a 100644
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -306,3 +306,17 @@ func TestNewEmbedded_GetTLSCertificate(t *testing.T) {
 assert.True(t, cert.Leaf.IPAddresses[0].Equal(net.ParseIP("127.0.0.1")))
 assert.True(t, cert.Leaf.IPAddresses[1].Equal(net.ParseIP("::1")))
 }
+
+func TestAuthority_CloseForReload(t *testing.T) {
+ tests := []struct {
+ name string
+ auth *Authority
+ }{
+ {"ok", testAuthority(t)},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ tt.auth.CloseForReload()
+ })
+ }
+}
diff --git a/ca/ca.go b/ca/ca.go
index 3c57b759..c43692f2 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -227,9 +227,11 @@ func (ca *CA) Reload() error {
 }
 // 1. Stop previous renewer
- // 2. Replace ca properties
+ // 2. Close key manager
+ // 3. Replace ca properties
 // Do not replace ca.srv
 ca.renewer.Stop()
+ ca.auth.CloseForReload()
 ca.auth = newCA.auth
 ca.config = newCA.config
 ca.opts = newCA.opts
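Review bot: CloseForReload closes a.keyManager but leaves the closed manager attached to the Authority, and the only caller this patch adds (Reload in the ca/ca.go hunk, which runs past the end of this view) invokes it before `ca.auth = newCA.auth`, so requests still being served by the old Authority in that window would hit a closed key manager; swapping first and closing the previous instance afterwards (`old := ca.auth; ca.auth = newCA.auth; old.CloseForReload()`) narrows that window, though in-flight calls on the old instance remain a race unless the caller drains them. Logging and discarding the Close error also means Reload cannot tell whether the cgo-backed module was actually released; returning it (`func (a *Authority) CloseForReload() error`) would let the caller decide, at the cost of changing the signature the test hunk uses. Whether a.keyManager can be nil at this point is not visible in the hunk; if it can, guard it before the call. Shutdown, whose body starts outside the hunk, ends with `return a.db.Shutdown()` and does not close the key manager, so a comment on CloseForReload such as `// CloseForReload releases the key manager only; Shutdown does not, so the two are called from different paths.` would make the split intentional.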
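Review bot: TestAuthority_CloseForReload only proves that the call returns without panicking; nothing after `tt.auth.CloseForReload()` checks that the key manager was actually closed or that a second call is harmless. A table with a single "ok" case also adds structure without adding coverage. Consider asserting an observable effect, for example calling `tt.auth.CloseForReload()` twice in the subtest to pin double-close behaviour, or checking that an operation through the closed manager now fails, whichever matches what the key manager behind testAuthority guarantees (its implementation is not visible here).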