use dynamic serving cert controller

DavidHurta · DavidHurta · commit cb7083d67139 · 2025-12-11T18:38:50.000+01:00
diff --git a/pkg/cvo/metrics.go b/pkg/cvo/metrics.go
@@ -3,7 +3,6 @@ package cvo
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"errors"
 	"fmt"
 	"net"
@@ -211,13 +210,13 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, lis
 	}
 
 	// Create a dynamic serving cert/key controller to watch for serving certificate changes from files.
-	servingCertController, err := dynamiccertificates.NewDynamicServingContentFromFiles("metrics-serving-cert", certFile, keyFile)
+	servingContentController, err := dynamiccertificates.NewDynamicServingContentFromFiles("metrics-serving-cert", certFile, keyFile)
 	if err != nil {
 		return fmt.Errorf("failed to create serving certificate controller: %w", err)
 	}
 
 	// Start the serving cert controller to begin watching the cert and key files
-	go servingCertController.Run(runContext, 1)
+	go servingContentController.Run(runContext, 1)
 
 	// Create a dynamic CA controller to watch for client CA changes from a ConfigMap.
 	kubeClient, err := kubernetes.NewForConfig(restConfig)
@@ -238,19 +237,30 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, lis
 	// Start the client CA controller to begin watching the ConfigMap
 	go clientCAController.Run(runContext, 1)
 
-	// Create TLS config using the controllers. The config uses callbacks to dynamically
-	// fetch the latest certificates and CA bundles on each connection, so no server
-	// restart is needed when certificates change.
-	tlsConfig, err := makeTLSConfig(servingCertController, clientCAController)
-	if err != nil {
-		return fmt.Errorf("failed to create TLS config: %w", err)
+	servingCertController := dynamiccertificates.NewDynamicServingCertificateController(
+		crypto.SecureTLSConfig(&tls.Config{
+			ClientAuth: tls.RequireAndVerifyClientCert,
+		}),
+		clientCAController,
+		servingContentController,
+		nil,
+		nil,
+	)
+	if err := servingCertController.RunOnce(); err != nil {
+		return fmt.Errorf("failed to initialize serving certificate controller: %w", err)
 	}
 
+	clientCAController.AddListener(servingCertController)
+	servingContentController.AddListener(servingCertController)
+
+	go servingCertController.Run(1, runContext.Done())
+
 	server := createHttpServer(disableMetricsAuth)
 
 	resultChannel := make(chan asyncResult, 1)
 	resultChannelCount := 1
 
+	tlsConfig := &tls.Config{GetConfigForClient: servingCertController.GetConfigForClient}
 	go startListening(server, tlsConfig, listenAddress, resultChannel)
 
 	// Wait for server to exit or shutdown signal
@@ -608,65 +618,3 @@ func mostRecentTimestamp(cv *configv1.ClusterVersion) int64 {
 	}
 	return latest.Unix()
 }
-
-func makeTLSConfig(servingCertController dynamiccertificates.CertKeyContentProvider, clientCAController dynamiccertificates.CAContentProvider) (*tls.Config, error) {
-	// Get the current certificate and key content from the controller for validation.
-	_, err := tls.X509KeyPair(servingCertController.CurrentCertKeyContent())
-	if err != nil {
-		return nil, fmt.Errorf("failed to create X509 key pair: %w", err)
-	}
-
-	tlsConfig := crypto.SecureTLSConfig(&tls.Config{
-		GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			// Always get the latest certificate from the controller on each TLS handshake.
-			// This ensures that certificate rotations are picked up immediately without server restart.
-			cert, err := tls.X509KeyPair(servingCertController.CurrentCertKeyContent())
-			if err != nil {
-				// SECURITY: Never return a stale/cached certificate on error.
-				// Fail the connection rather than risk using an expired or invalid certificate.
-				klog.Errorf("Failed to load current serving certificate, rejecting connection: %v", err)
-				return nil, fmt.Errorf("invalid serving certificate: %w", err)
-			}
-			return &cert, nil
-		},
-		GetConfigForClient: func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
-			// Create a fresh config with the latest CA bundle for each client connection.
-			// This ensures CA bundle updates are picked up immediately without server restart.
-			caBundle := clientCAController.CurrentCABundleContent()
-			if len(caBundle) == 0 {
-				// SECURITY: If CA bundle is not available, reject connections.
-				// This enforces mTLS and prevents the server from operating in an insecure mode.
-				klog.Errorf("No client CA bundle available, rejecting connection to enforce mTLS")
-				return nil, fmt.Errorf("client CA bundle not available")
-			}
-
-			certPool := x509.NewCertPool()
-			if !certPool.AppendCertsFromPEM(caBundle) {
-				// SECURITY: If CA bundle is present but invalid, reject the connection.
-				// This prevents a downgrade attack where corrupted CA data disables mTLS.
-				klog.Errorf("Failed to parse client CA bundle, rejecting connection to enforce mTLS")
-				return nil, fmt.Errorf("invalid client CA bundle")
-			}
-
-			return &tls.Config{
-				ClientCAs:  certPool,
-				ClientAuth: tls.RequireAndVerifyClientCert,
-			}, nil
-		},
-	})
-
-	// Log the initial mTLS state
-	caBundle := clientCAController.CurrentCABundleContent()
-	if len(caBundle) > 0 {
-		certPool := x509.NewCertPool()
-		if certPool.AppendCertsFromPEM(caBundle) {
-			klog.Infof("Configured mTLS with dynamic client CA verification")
-		} else {
-			klog.Warningf("Client CA bundle present but invalid, mTLS will reject all connections until fixed")
-		}
-	} else {
-		klog.Warningf("No client CA bundle available yet, mTLS will reject all connections until ConfigMap is created")
-	}
-
-	return tlsConfig, nil
-}
