feat: add support for reloading certs when renewed

Author: afrancis101

cmd/root.go

@@ -23,6 +23,7 @@ package cmd
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"os"
@@ -151,7 +152,10 @@ A mutating webhook for Kubernetes, pointing the images to a new location.`,
 			log.Info().Msgf("Listening on %v", cfg.ListenAddress)
 			//err = http.ListenAndServeTLS(":8080", cfg.certFile, cfg.keyFile, whHandler)
 			if cfg.TLSCertFile != "" && cfg.TLSKeyFile != "" {
-				if err := srv.ListenAndServeTLS(cfg.TLSCertFile, cfg.TLSKeyFile); err != nil {
+				srv.TLSConfig = &tls.Config{
+					GetCertificate: getCertificate,
+				}
+				if err := srv.ListenAndServeTLS("", ""); err != nil {
 					log.Err(err).Msg("error serving webhook")
 					os.Exit(1)
 				}
@@ -278,6 +282,15 @@ func initLogger() {
 	}
 }
 
+func getCertificate(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	caFiles, err := tls.LoadX509KeyPair(cfg.TLSCertFile, cfg.TLSKeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return &caFiles, nil
+}
+
 // setupImagePullSecretsProvider configures the provider handling secrets
 func setupImagePullSecretsProvider() secrets.ImagePullSecretsProvider {
 	config, err := rest.InClusterConfig()