Add hot reload capability for locally-managed tunnels. When a config file
is specified (without --token), cloudflared now watches for changes and
automatically reloads the configuration.

Features:
- File watching via fsnotify with 500ms debounce
- Fallback polling every 30s for symlink rotation (Kubernetes ConfigMaps)
- Manual reload via SIGHUP signal
- Graceful handling of invalid configs (keeps current config)
- Thread-safe with TryLock to skip concurrent reloads

New files:
- orchestration/local_config.go: Config file reading and validation
- orchestration/local_watcher.go: File watcher with reload logic

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
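
The reload behaviour listed in the commit message above (skip concurrent reloads with TryLock, keep the current config when the new one is invalid), as an added example that is not code from the commit or from cloudflared. `Config`, `Reloader` and `ErrBusy` are hypothetical names, and JSON stands in for the real YAML config so the sketch needs only the standard library; the fsnotify, polling and SIGHUP triggers would all call `Reload`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sync"
	"sync/atomic"
)

// Config is a hypothetical, simplified tunnel config (JSON here, not cloudflared's YAML).
type Config struct {
	Tunnel  string   `json:"tunnel"`
	Ingress []string `json:"ingress"`
}

// Reloader holds the active config; readers only ever see a fully validated one.
type Reloader struct {
	path    string
	mu      sync.Mutex             // serializes reloads, taken with TryLock
	current atomic.Pointer[Config] // last config that passed validation
}

var ErrBusy = fmt.Errorf("reload already in progress, skipped")

// Reload parses and validates the file; on any error the current config is kept.
func (r *Reloader) Reload() error {
	if !r.mu.TryLock() { // a watcher event, a poll tick and SIGHUP may race
		return ErrBusy
	}
	defer r.mu.Unlock()
	raw, err := os.ReadFile(r.path)
	if err != nil {
		return fmt.Errorf("read: %w", err)
	}
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil || c.Tunnel == "" || len(c.Ingress) == 0 {
		return fmt.Errorf("invalid config, current one kept (parse error: %v)", err)
	}
	r.current.Store(&c) // swap only after parsing and validation succeeded
	return nil
}

func main() {
	r := &Reloader{path: os.TempDir() + "/reload-demo.json"} // constructed sample file
	os.WriteFile(r.path, []byte(`{"tunnel":"demo","ingress":["http://localhost:8080"]}`), 0o600)
	fmt.Println(r.Reload(), r.current.Load())
	os.WriteFile(r.path, []byte(`{"tunnel":`), 0o600) // truncated write, as seen mid-edit
	fmt.Println(r.Reload(), r.current.Load())
}
```
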
This is a cherry-pick of 157f5d1412
followed by build/CI changes so that amd64/linux FIPS compliance is
provided by new/separate binaries/artifacts/packages.
The reasoning is that FIPS compliance places excessive requirements
on the encryption algorithms used for regular users who do not care
about that. This can cause cloudflared to reject HTTPS origins that
would otherwise be accepted without FIPS checks.
This way, by having separate binaries, existing ones remain as they
were, and only FIPS-needy users will opt-in to the new FIPS binaries.