From 4c1ac9bd4b02b16fe565bfe8e14bcef892dcc515 Mon Sep 17 00:00:00 2001
From: Kevin Joiner <kevinjoiner@users.noreply.github.com>
Date: Thu, 28 Jul 2022 12:40:33 -0400
Subject: [PATCH] Removes wait loop for listener certs.

---
 listener.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/listener.go b/listener.go
index 14f074e..3804e2f 100644
--- a/listener.go
+++ b/listener.go
@@ -58,6 +58,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 			ExpirationDaysCheck: config.ExpirationDaysCheck,
 		},
 		Listener:  l,
+		certReady: make(chan struct{}),
 		storage:   &nonNil{storage: storage},
 		sans:      config.SANs,
 		maxSANs:   config.MaxSANs,
@@ -154,6 +155,7 @@ type listener struct {
 	version   string
 	tlsConfig *tls.Config
 	cert      *tls.Certificate
+	certReady chan struct{}
 	sans      []string
 	maxSANs   int
 	init      sync.Once
@@ -162,9 +164,12 @@ type listener struct {
 func (l *listener) WrapExpiration(days int) net.Listener {
 	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
-		// loop on short sleeps until certificate preload completes
-		for l.cert == nil {
-			time.Sleep(time.Millisecond)
+
+		// wait for cert to be set, this will unblock when the channel is closed
+		select {
+		case <-ctx.Done():
+			return
+		case <-l.certReady:
 		}
 
 		for {
@@ -448,7 +453,12 @@ func (l *listener) loadCert(currentConn net.Conn) (*tls.Certificate, error) {
 		l.connLock.Unlock()
 	}
 
+	// we can only close the ready channel once when the cert is first assigned
+	canClose := l.cert == nil
 	l.cert = &cert
+	if canClose {
+		close(l.certReady)
+	}
 	l.version = secret.ResourceVersion
 	return l.cert, nil
 }