@@ -17,58 +17,55 @@ limitations under the License.
1717package certwatcher
1818
1919import (
20+ "bytes"
2021 "context"
2122 "crypto/tls"
22- "fmt "
23+ "os "
2324 "sync"
2425 "time"
2526
26- "github.com/fsnotify/fsnotify"
27- kerrors "k8s.io/apimachinery/pkg/util/errors"
28- "k8s.io/apimachinery/pkg/util/sets"
29- "k8s.io/apimachinery/pkg/util/wait"
3027 "sigs.k8s.io/controller-runtime/pkg/certwatcher/metrics"
3128 logf "sigs.k8s.io/controller-runtime/pkg/internal/log"
3229)
3330
3431var log = logf .RuntimeLog .WithName ("certwatcher" )
3532
36- // CertWatcher watches certificate and key files for changes. When either file
37- // changes, it reads and parses both and calls an optional callback with the new
38- // certificate.
33+ const defaultWatchInterval = 10 * time .Second
34+
35+ // CertWatcher watches certificate and key files for changes.
36+ // It always returns the cached version,
37+ // but periodically reads and parses certificate and key for changes
38+ // and calls an optional callback with the new certificate.
3939type CertWatcher struct {
4040 sync.RWMutex
4141
4242 currentCert * tls.Certificate
43- watcher * fsnotify. Watcher
43+ interval time. Duration
4444
4545 certPath string
4646 keyPath string
4747
48+ cachedKeyPEMBlock []byte
49+
4850 // callback is a function to be invoked when the certificate changes.
4951 callback func (tls.Certificate )
5052}
5153
5254// New returns a new CertWatcher watching the given certificate and key.
5355func New (certPath , keyPath string ) (* CertWatcher , error ) {
54- var err error
55-
5656 cw := & CertWatcher {
5757 certPath : certPath ,
5858 keyPath : keyPath ,
59+ interval : defaultWatchInterval ,
5960 }
6061
61- // Initial read of certificate and key.
62- if err := cw .ReadCertificate (); err != nil {
63- return nil , err
64- }
65-
66- cw .watcher , err = fsnotify .NewWatcher ()
67- if err != nil {
68- return nil , err
69- }
62+ return cw , cw .ReadCertificate ()
63+ }
7064
71- return cw , nil
65+ // WithWatchInterval sets the watch interval and returns the CertWatcher pointer
66+ func (cw * CertWatcher ) WithWatchInterval (interval time.Duration ) * CertWatcher {
67+ cw .interval = interval
68+ return cw
7269}
7370
7471// RegisterCallback registers a callback to be invoked when the certificate changes.
@@ -91,72 +88,71 @@ func (cw *CertWatcher) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate,
9188
9289// Start starts the watch on the certificate and key files.
9390func (cw * CertWatcher ) Start (ctx context.Context ) error {
94- files := sets .New (cw .certPath , cw .keyPath )
95-
96- {
97- var watchErr error
98- if err := wait .PollUntilContextTimeout (ctx , 1 * time .Second , 10 * time .Second , true , func (ctx context.Context ) (done bool , err error ) {
99- for _ , f := range files .UnsortedList () {
100- if err := cw .watcher .Add (f ); err != nil {
101- watchErr = err
102- return false , nil //nolint:nilerr // We want to keep trying.
103- }
104- // We've added the watch, remove it from the set.
105- files .Delete (f )
106- }
107- return true , nil
108- }); err != nil {
109- return fmt .Errorf ("failed to add watches: %w" , kerrors .NewAggregate ([]error {err , watchErr }))
110- }
111- }
112-
113- go cw .Watch ()
91+ ticker := time .NewTicker (cw .interval )
92+ defer ticker .Stop ()
11493
11594 log .Info ("Starting certificate watcher" )
116-
117- // Block until the context is done.
118- <- ctx .Done ()
119-
120- return cw .watcher .Close ()
121- }
122-
123- // Watch reads events from the watcher's channel and reacts to changes.
124- func (cw * CertWatcher ) Watch () {
12595 for {
12696 select {
127- case event , ok := <- cw .watcher .Events :
128- // Channel is closed.
129- if ! ok {
130- return
97+ case <- ctx .Done ():
98+ return nil
99+ case <- ticker .C :
100+ if err := cw .ReadCertificate (); err != nil {
101+ log .Error (err , "failed read certificate" )
131102 }
103+ }
104+ }
105+ }
132106
133- cw .handleEvent (event )
107+ // Watch used to read events from the watcher's channel and reacts to changes,
108+ // it has currently no function and it's left here for backward compatibility until a future release.
109+ //
110+ // Deprecated: fsnotify has been removed and Start() is now polling instead.
111+ func (cw * CertWatcher ) Watch () {
112+ }
134113
135- case err , ok := <- cw . watcher . Errors :
136- // Channel is closed.
137- if ! ok {
138- return
139- }
114+ // updateCachedCertificate checks if the new certificate differs from the cache,
115+ // updates it and returns the result if it was updated or not
116+ func ( cw * CertWatcher ) updateCachedCertificate ( cert * tls. Certificate , keyPEMBlock [] byte ) bool {
117+ cw . Lock ()
118+ defer cw . Unlock ()
140119
141- log .Error (err , "certificate watch error" )
142- }
120+ if cw .currentCert != nil &&
121+ bytes .Equal (cw .currentCert .Certificate [0 ], cert .Certificate [0 ]) &&
122+ bytes .Equal (cw .cachedKeyPEMBlock , keyPEMBlock ) {
123+ log .V (7 ).Info ("certificate already cached" )
124+ return false
143125 }
126+ cw .currentCert = cert
127+ cw .cachedKeyPEMBlock = keyPEMBlock
128+ return true
144129}
145130
146131// ReadCertificate reads the certificate and key files from disk, parses them,
147- // and updates the current certificate on the watcher. If a callback is set, it
132+ // and updates the current certificate on the watcher if updated. If a callback is set, it
148133// is invoked with the new certificate.
149134func (cw * CertWatcher ) ReadCertificate () error {
150135 metrics .ReadCertificateTotal .Inc ()
151- cert , err := tls .LoadX509KeyPair (cw .certPath , cw .keyPath )
136+ certPEMBlock , err := os .ReadFile (cw .certPath )
137+ if err != nil {
138+ metrics .ReadCertificateErrors .Inc ()
139+ return err
140+ }
141+ keyPEMBlock , err := os .ReadFile (cw .keyPath )
152142 if err != nil {
153143 metrics .ReadCertificateErrors .Inc ()
154144 return err
155145 }
156146
157- cw .Lock ()
158- cw .currentCert = & cert
159- cw .Unlock ()
147+ cert , err := tls .X509KeyPair (certPEMBlock , keyPEMBlock )
148+ if err != nil {
149+ metrics .ReadCertificateErrors .Inc ()
150+ return err
151+ }
152+
153+ if ! cw .updateCachedCertificate (& cert , keyPEMBlock ) {
154+ return nil
155+ }
160156
161157 log .Info ("Updated current TLS certificate" )
162158
@@ -170,39 +166,3 @@ func (cw *CertWatcher) ReadCertificate() error {
170166 }
171167 return nil
172168}
173-
174- func (cw * CertWatcher ) handleEvent (event fsnotify.Event ) {
175- // Only care about events which may modify the contents of the file.
176- if ! (isWrite (event ) || isRemove (event ) || isCreate (event ) || isChmod (event )) {
177- return
178- }
179-
180- log .V (1 ).Info ("certificate event" , "event" , event )
181-
182- // If the file was removed or renamed, re-add the watch to the previous name
183- if isRemove (event ) || isChmod (event ) {
184- if err := cw .watcher .Add (event .Name ); err != nil {
185- log .Error (err , "error re-watching file" )
186- }
187- }
188-
189- if err := cw .ReadCertificate (); err != nil {
190- log .Error (err , "error re-reading certificate" )
191- }
192- }
193-
194- func isWrite (event fsnotify.Event ) bool {
195- return event .Op .Has (fsnotify .Write )
196- }
197-
198- func isCreate (event fsnotify.Event ) bool {
199- return event .Op .Has (fsnotify .Create )
200- }
201-
202- func isRemove (event fsnotify.Event ) bool {
203- return event .Op .Has (fsnotify .Remove )
204- }
205-
206- func isChmod (event fsnotify.Event ) bool {
207- return event .Op .Has (fsnotify .Chmod )
208- }
0 commit comments