nfd-worker: support certificate rotation

Watch for changes in TLS files and re-connect to nfd-master in the event of changes.
2025-03-28 02:37:11 +00:00 · 2021-02-18 14:18:30 +02:00 · 2021-02-18 14:18:30 +02:00 · 2d20a2ff7c
commit 2d20a2ff7c
parent e771a35a21
1 changed files with 17 additions and 0 deletions
--- a/pkg/nfd-worker/nfd-worker.go
+++ b/pkg/nfd-worker/nfd-worker.go
@ -108,6 +108,7 @@ type NfdWorker interface {

 type nfdWorker struct {
 	args           Args
+	certWatch      *utils.FsWatcher
 	clientConn     *grpc.ClientConn
 	client         pb.LabelerClient
 	configFilePath string
@ -194,6 +195,12 @@ func (w *nfdWorker) Run() error {
 		return err
 	}

+	// Create watcher for TLS certificates
+	w.certWatch, err = utils.CreateFsWatcher(time.Second, w.args.CaFile, w.args.CertFile, w.args.KeyFile)
+	if err != nil {
+		return err
+	}
+
 	// Connect to NFD master
 	err = w.connect()
 	if err != nil {
@ -241,9 +248,17 @@ func (w *nfdWorker) Run() error {
 			// comes into effect even if the sleep interval is long (or infinite)
 			labelTrigger = time.After(0)

+		case <-w.certWatch.Events:
+			klog.Infof("TLS certificate update, renewing connection to nfd-master")
+			w.disconnect()
+			if err := w.connect(); err != nil {
+				return err
+			}
+
 		case <-w.stop:
 			klog.Infof("shutting down nfd-worker")
 			configWatch.Close()
+			w.certWatch.Close()
 			return nil
 		}
 	}
@ -298,6 +313,7 @@ func (w *nfdWorker) connect() error {
 	} else {
 		dialOpts = append(dialOpts, grpc.WithInsecure())
 	}
+	klog.Infof("connecting to nfd-master at %s ...", w.args.Server)
 	conn, err := grpc.DialContext(dialCtx, w.args.Server, dialOpts...)
 	if err != nil {
 		return err
@ -311,6 +327,7 @@ func (w *nfdWorker) connect() error {
 // disconnect closes the connection to NFD master
 func (w *nfdWorker) disconnect() {
 	if w.clientConn != nil {
+		klog.Infof("closing connection to nfd-master ...")
 		w.clientConn.Close()
 	}
 	w.clientConn = nil