Support connection reset when changes detected in TLS cert files (#1004)

sean-breen · web-flow · commit 2726ad62eba2 · 2025-03-06T16:54:14.000Z
* add command.tls paths to credential watcher if present

* Add unit tests for tls cert paths

* update tests
diff --git a/internal/watcher/credentials/credential_watcher_service.go b/internal/watcher/credentials/credential_watcher_service.go
@@ -107,11 +107,6 @@ func (cws *CredentialWatcherService) addWatcher(ctx context.Context, filePath st
 
 	if err := cws.watcher.Add(filePath); err != nil {
 		slog.ErrorContext(ctx, "Failed to add credential watcher", "path", filePath, "error", err)
-		removeError := cws.watcher.Remove(filePath)
-		if removeError != nil {
-			slog.ErrorContext(
-				ctx, "Failed to remove credential watcher", "path", filePath, "error", removeError)
-		}
 
 		return
 	}
@@ -183,6 +178,19 @@ func credentialPaths(agentConfig *config.Config) []string {
 		}
 	}
 
+	// agent's tls certs
+	if agentConfig.Command.TLS != nil {
+		if agentConfig.Command.TLS.Ca != "" {
+			paths = append(paths, agentConfig.Command.TLS.Ca)
+		}
+		if agentConfig.Command.TLS.Cert != "" {
+			paths = append(paths, agentConfig.Command.TLS.Cert)
+		}
+		if agentConfig.Command.TLS.Key != "" {
+			paths = append(paths, agentConfig.Command.TLS.Key)
+		}
+	}
+
 	return paths
 }
 
diff --git a/internal/watcher/credentials/credential_watcher_service_test.go b/internal/watcher/credentials/credential_watcher_service_test.go
@@ -211,6 +211,9 @@ func Test_credentialPaths(t *testing.T) {
 			agentConfig: types.AgentConfig(),
 			want: []string{
 				"/tmp/token",
+				"ca.pem",
+				"cert.pem",
+				"key.pem",
 			},
 		},
 		{
@@ -224,6 +227,27 @@ func Test_credentialPaths(t *testing.T) {
 			},
 			want: nil,
 		},
+		{
+			name: "Test 3: Add TLS paths if Command TLS is set",
+			agentConfig: &config.Config{
+				Command: &config.Command{
+					Server: nil,
+					Auth:   nil,
+					TLS: &config.TLSConfig{
+						Cert:       "/tmp-ca",
+						Key:        "/tmp-token",
+						Ca:         "/tmp-key",
+						ServerName: "my-server",
+						SkipVerify: false,
+					},
+				},
+			},
+			want: []string{
+				"/tmp-key",
+				"/tmp-ca",
+				"/tmp-token",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
