From 87e99625e649cdf994b19ef98e5aa6eafa552195 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 23 Dec 2021 00:38:49 +0100
Subject: [PATCH] internal: update tenant certificates on outpost refresh

Signed-off-by: Jens Langhammer
---
 cmd/server/main.go | 3 +++
 internal/outpost/ak/api.go | 12 +++++++++++-
 internal/web/tenant_tls/tenant_tls.go | 1 +
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 232fe6c04..090dfa8ee 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -116,6 +116,9 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 		tw := tenant_tls.NewWatcher(ac.Client)
 		go tw.Start()
 		ws.TenantTLS = tw
+		ac.AddRefreshHandler(func() {
+			tw.Check()
+		})
 
 		srv := proxyv2.NewProxyServer(ac, 0)
 		ws.ProxyServer = srv
diff --git a/internal/outpost/ak/api.go b/internal/outpost/ak/api.go
index 76faf434f..c6812a536 100644
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@@ -41,6 +41,7 @@ type APIController struct {
 	lastWsReconnect time.Time
 	wsIsReconnecting bool
 	wsBackoffMultiplier int
+	refreshHandlers []func()
 
 	instanceUUID uuid.UUID
 }
@@ -95,6 +96,7 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 		instanceUUID: uuid.New(),
 		Outpost: outpost,
 		wsBackoffMultiplier: 1,
+		refreshHandlers: make([]func(), 0),
 	}
 	ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
 	err = ac.initWS(akURL, outpost.Pk)
@@ -139,6 +141,10 @@ func (a *APIController) configureRefreshSignal() {
 	a.logger.Debug("Enabled USR1 hook to reload")
 }
 
+func (a *APIController) AddRefreshHandler(handler func()) {
+	a.refreshHandlers = append(a.refreshHandlers, handler)
+}
+
 func (a *APIController) OnRefresh() error {
 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
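Review bot: The closure wrapping `tw.Check()` in the new `ac.AddRefreshHandler(...)` call is redundant, since the bound method `tw.Check` already has type `func()` and can be registered directly as `ac.AddRefreshHandler(tw.Check)`. Worth keeping in mind that the handler runs synchronously inside the controller's refresh path, so the tenant lookup it performs (an API call, per tenant_tls.go) now adds its latency to every outpost refresh; if that is acceptable a one-line comment such as `// re-fetch tenant certificates whenever the outpost config is reloaded` would make the intent clear. The body of attemptProxyStart continues outside this hunk.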
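Review bot: The new `refreshHandlers` field is undocumented, and nothing in the struct indicates how it relates to the other fields or who may mutate it. A short field comment such as `// refreshHandlers run, in registration order, after every OnRefresh; append only before background tasks start` would record the contract the callers have to honour. The rest of the struct definition lies outside this hunk.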
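Review bot: The explicit `refreshHandlers: make([]func(), 0)` initialiser is unnecessary: `append` and `range` both work on a nil slice, and Go convention prefers the nil zero value unless the slice is serialised or compared against nil somewhere, which nothing in this patch does. Dropping the added line leaves behaviour unchanged and one fewer thing to keep in sync with the struct. NewAPIController's body starts and ends outside this hunk.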
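Review bot: The new exported method `AddRefreshHandler` has no doc comment, and the slice it appends to is not guarded by any lock, so a registration that overlaps with an `OnRefresh` iterating the same slice would be a data race (the surrounding context shows `OnRefresh` is reachable from the USR1 hook, and presumably from the websocket as well). The only caller in this patch registers during startup, which is fine, but the constraint should be stated: `// AddRefreshHandler registers fn to run after every OnRefresh.` / `// It is not safe to call concurrently with OnRefresh; register handlers before starting background tasks.` Alternatively guard `refreshHandlers` with a `sync.Mutex` and copy the slice in `OnRefresh` before iterating.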
@@ -152,7 +158,11 @@ func (a *APIController) OnRefresh() error {
 	a.logger.WithField("name", a.Outpost.Name).Debug("Fetched outpost configuration")
 	doGlobalSetup(a.Outpost, a.GlobalConfig)
 
-	return a.Server.Refresh()
+	err = a.Server.Refresh()
+	for _, handler := range a.refreshHandlers {
+		handler()
+	}
+	return err
 }
 
 func (a *APIController) StartBackgorundTasks() error {
diff --git a/internal/web/tenant_tls/tenant_tls.go b/internal/web/tenant_tls/tenant_tls.go
index f8048b2b8..f06121e91 100644
--- a/internal/web/tenant_tls/tenant_tls.go
+++ b/internal/web/tenant_tls/tenant_tls.go
@@ -44,6 +44,7 @@ func (w *Watcher) Start() {
 }
 
 func (w *Watcher) Check() {
+	w.log.Info("updating tenant certificates")
 	tenants, _, err := w.client.CoreApi.CoreTenantsListExecute(api.ApiCoreTenantsListRequest{})
 	if err != nil {
 		w.log.WithError(err).Warning("failed to get tenants")
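Review bot: The handler loop runs even when `a.Server.Refresh()` returned an error, and that error is only surfaced after the handlers complete; nothing says whether running the handlers after a failed server refresh is intentional. If it is deliberate (so tenant certificates are still re-fetched when the proxy refresh fails), record it: `// Run registered handlers even if the server refresh failed, so that independent` / `// consumers such as tenant TLS still pick up the new configuration.` Note also that a handler has no way to report failure and a panic in one will unwind out of `OnRefresh`, so handlers must be best-effort by contract. `err` is declared earlier in `OnRefresh`, which starts outside this hunk.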