Documentation
Overview
Package certreloader provides automatic TLS certificate reloading from disk. It periodically checks and reloads cert/key pairs so that certificate rotation does not require a process restart.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CAReloader
type CAReloader struct {
// contains filtered or unexported fields
}
CAReloader manages a CA certificate pool with automatic periodic reloading from disk. It is safe for concurrent use.
On reload failure, the last successfully loaded pool is preserved and continues to be used for client certificate verification.
func NewCAReloader
func NewCAReloader(ctx context.Context, caFile string, clock Clock) *CAReloader
NewCAReloader creates a CAReloader that immediately loads the CA certificates from disk and starts a background goroutine to periodically reload them. The background goroutine exits when ctx is cancelled.
type CertReloader
type CertReloader struct {
// contains filtered or unexported fields
}
CertReloader manages a single certificate/key pair with automatic periodic reloading. It is safe for concurrent use.
On reload failure, the last successfully loaded certificate is preserved and continues to be served. This follows the same pattern used by gRPC-Go's advancedtls pemfile watcher, nginx, and Envoy: a transient disk error should not take down TLS serving when a valid certificate is already in memory.
func New
func New(ctx context.Context, certFile, keyFile string, clock Clock) *CertReloader
New creates a CertReloader that immediately loads the cert/key pair from disk and starts a background goroutine to periodically reload it. The background goroutine exits when ctx is cancelled.
func (*CertReloader) GetCertificate
func (r *CertReloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns the current certificate for use as a tls.Config.GetCertificate callback (server-side).
func (*CertReloader) GetClientCertificate
func (r *CertReloader) GetClientCertificate(_ *tls.CertificateRequestInfo) (*tls.Certificate, error)
GetClientCertificate returns the current certificate for use as a tls.Config.GetClientCertificate callback (client-side).
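The following is an added illustration of the reload semantics described above (last good certificate preserved on failure, served through a tls.Config.GetCertificate callback); it is not the certreloader package's own code. It assumes a hypothetical Reloader type with an injected load function in place of the package's file paths and Clock, and omits the background goroutine.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sync"
)

// Reloader keeps the last successfully loaded certificate behind a mutex. The
// load func is injected (a hypothetical seam, not the package's API) so the
// failure path is testable without disk; in production it would wrap
// tls.LoadX509KeyPair(certFile, keyFile).
type Reloader struct {
	mu   sync.RWMutex
	cert *tls.Certificate
	load func() (*tls.Certificate, error)
}

// NewReloader does the initial load; a failure here is an error, not a
// fallback, because there is no earlier good certificate to keep serving.
func NewReloader(load func() (*tls.Certificate, error)) (*Reloader, error) {
	c, err := load()
	if err != nil {
		return nil, fmt.Errorf("initial load: %w", err)
	}
	return &Reloader{cert: c, load: load}, nil
}

// Reload re-runs load; on error the previous certificate stays in place and
// the error is returned so the caller can log or count it.
func (r *Reloader) Reload() error {
	c, err := r.load()
	if err != nil {
		return err
	}
	r.mu.Lock()
	r.cert = c
	r.mu.Unlock()
	return nil
}

// GetCertificate has the tls.Config.GetCertificate signature, so a rotated
// certificate is served on the next handshake without a process restart.
func (r *Reloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}
```

Wire it in with `&tls.Config{GetCertificate: r.GetCertificate}`; the server then asks the reloader for the certificate on every handshake rather than caching one at startup.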