| author | Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.com> | 2023-06-05 02:27:56 +0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-06-04 14:27:56 -0700 |
| commit | a0931be0c0d0cbb7ea5fe778ff6279fd603c06b8 (patch) | |
| tree | 2b5598e18ddeab339345de73bbec9f70e305ab1d /weed/command/s3.go | |
| parent | 5aec6da8a3e0f815eff853784d5200c781722a57 (diff) | |
S3 TLS credentials Refreshing (#4506)
* S3 TLS credentials Refreshing
* fix: logging
---------
Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
Diffstat (limited to 'weed/command/s3.go')
| -rw-r--r-- | weed/command/s3.go | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/weed/command/s3.go b/weed/command/s3.go
index 8f82ac946..7a599cc86 100644
--- a/weed/command/s3.go
+++ b/weed/command/s3.go
@@ -2,8 +2,11 @@ package command
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
+	"google.golang.org/grpc/credentials/tls/certprovider"
+	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
 	"google.golang.org/grpc/reflection"
 	"net/http"
 	"time"
@@ -40,6 +43,7 @@ type S3Options struct {
 	auditLogConfig *string
 	localFilerSocket *string
 	dataCenter *string
+	certProvider certprovider.Provider
 }
 
 func init() {
@@ -150,6 +154,12 @@ func runS3(cmd *Command, args []string) bool {
 }
 
+// GetCertificateWithUpdate Auto refreshing TSL certificate
+func (S3opt *S3Options) GetCertificateWithUpdate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+	certs, err := S3opt.certProvider.KeyMaterial(context.Background())
+	return &certs.Certs[0], err
+}
+
 func (s3opt *S3Options) startS3Server() bool {
 	filerAddress := pb.ServerAddress(*s3opt.filer)
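Review bot: `GetCertificateWithUpdate` dereferences `certs` before looking at `err`, so a failed `KeyMaterial` call (nil key material) or an empty `Certs` slice panics inside the TLS handshake instead of failing that handshake with an error. The lookup also passes `context.Background()`; the grpc distributor behind `KeyMaterial` blocks until material is available, so if the PEM files never load every handshake goroutine would hang — a bounded context derived from the `ClientHelloInfo` (Go 1.17+) avoids that. Minor style: the receiver is spelled `S3opt` while every other method on the type uses `s3opt`, and the doc comment should start with the name and read `// GetCertificateWithUpdate returns the current server certificate, re-read by the pemfile provider when the files rotate.` ("TSL" is a typo). A rewrite covering all three points:
```go
// GetCertificateWithUpdate returns the current server certificate from the
// pemfile provider, so a rotated certificate/key pair is served without a restart.
func (s3opt *S3Options) GetCertificateWithUpdate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	// KeyMaterial blocks until material is available; bound the wait so a
	// missing or unreadable PEM file cannot hang the handshake indefinitely.
	ctx, cancel := context.WithTimeout(hello.Context(), 10*time.Second)
	defer cancel()
	km, err := s3opt.certProvider.KeyMaterial(ctx)
	if err != nil {
		return nil, fmt.Errorf("refreshing TLS key material: %w", err)
	}
	if km == nil || len(km.Certs) == 0 {
		return nil, fmt.Errorf("TLS certificate provider returned no certificates")
	}
	return &km.Certs[0], nil
}
```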
@@ -245,15 +255,24 @@ func (s3opt *S3Options) startS3Server() bool {
 	go grpcS.Serve(grpcL)
 	if *s3opt.tlsPrivateKey != "" {
+		pemfileOptions := pemfile.Options{
+			CertFile: *s3opt.tlsCertificate,
+			KeyFile: *s3opt.tlsPrivateKey,
+			RefreshDuration: security.CredRefreshingInterval,
+		}
+		if s3opt.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil {
+			glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err)
+		}
+		httpS.TLSConfig = &tls.Config{GetCertificate: s3opt.GetCertificateWithUpdate}
 		glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port)
 		if s3ApiLocalListener != nil {
 			go func() {
-				if err = httpS.ServeTLS(s3ApiLocalListener, *s3opt.tlsCertificate, *s3opt.tlsPrivateKey); err != nil {
+				if err = httpS.ServeTLS(s3ApiLocalListener, "", ""); err != nil {
 					glog.Fatalf("S3 API Server Fail to serve: %v", err)
 				}
 			}()
 		}
-		if err = httpS.ServeTLS(s3ApiListener, *s3opt.tlsCertificate, *s3opt.tlsPrivateKey); err != nil {
+		if err = httpS.ServeTLS(s3ApiListener, "", ""); err != nil {
 			glog.Fatalf("S3 API Server Fail to serve: %v", err)
 		}
 	} else { |
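Review bot: The `tls.Config` assigned to `httpS.TLSConfig` sets only `GetCertificate`, so the listener keeps crypto/tls's default server minimum (TLS 1.0 on the Go releases current for this commit); add `MinVersion: tls.VersionTLS12`. Separately, the old `ServeTLS(cert, key)` call failed at startup when the files were unreadable, whereas `pemfile.NewProvider` only validates its options and, as far as I can tell from the provider, logs read failures and leaves `KeyMaterial` blocking — a bad path now yields a server that accepts connections but never completes a handshake. One `KeyMaterial` call with a short timeout right after `NewProvider` restores the fail-fast behaviour. The provider is never `Close()`d, which is acceptable for a process-lifetime server but deserves a comment saying so. The enclosing `startS3Server` begins and ends outside this hunk.
```go
		if s3opt.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil {
			glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err)
		}
		// Fail fast if the PEM files cannot be loaded, as ServeTLS(cert, key) did;
		// otherwise every handshake would sit waiting on KeyMaterial.
		// The provider lives for the whole process and is intentionally not closed.
		loadCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
		if _, err = s3opt.certProvider.KeyMaterial(loadCtx); err != nil {
			glog.Fatalf("loading TLS certificate %s / key %s: %v", *s3opt.tlsCertificate, *s3opt.tlsPrivateKey, err)
		}
		cancel()
		httpS.TLSConfig = &tls.Config{
			MinVersion:     tls.VersionTLS12,
			GetCertificate: s3opt.GetCertificateWithUpdate,
		}
		// … unchanged: startup log line and the two ServeTLS calls …
```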
