Update GitHub Actions

Update module github.com/stretchr/testify to v1.10.0 (#152 )
Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>
2025-09-02 13:44:26 +00:00 · 2025-08-12 04:40:01 +00:00 · 2025-02-19 19:36:50 -08:00 · 2025-02-19 12:01:02 -08:00 · 2025-02-19 12:00:50 -08:00 · 2025-02-19 12:00:16 -08:00
24 changed files with 1761 additions and 304 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,15 @@
+---
+
+kind: pipeline
+name: fossa
+
+steps:
+- name: fossa
+  image: rancher/drone-fossa:latest
+  settings:
+    api_key:
+      from_secret: FOSSA_API_KEY
+  when:
+    instance:
+      - drone-publish.rancher.io
+
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -0,0 +1,9 @@
+{
+  "extends": [
+    "github>rancher/renovate-config#release"
+  ],
+  "baseBranches": [
+    "master"
+  ],
+  "prHourlyLimit": 2
+}
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,20 @@
+name: CI
+on:
+  pull_request:
+  push:
+    branches:
+    - 'master'
+    - 'release/*'
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      # https://github.com/actions/checkout/releases/tag/v4.1.1
+      uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+    - name: Install Go
+      # https://github.com/actions/setup-go/releases/tag/v5.0.0
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version-file: 'go.mod'
+    - run: go test -race -cover ./...
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,25 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name : Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+
+      - name: Create release on Github
+        run: |
+          if [[ "${{ github.ref_name }}" == *-rc* ]]; then
+            gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --verify-tag --generate-notes --prerelease
+          else
+            gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --verify-tag --generate-notes
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,25 @@
+name: Renovate
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Override default log level"
+        required: false
+        default: "info"
+        type: string
+      overrideSchedule:
+        description: "Override all schedules"
+        required: false
+        default: "false"
+        type: string
+  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
+  schedule:
+    - cron: '30 4,6 * * *'
+
+jobs:
+  call-workflow:
+    uses: rancher/renovate-config/.github/workflows/renovate.yml@release
+    with:
+      logLevel: ${{ inputs.logLevel || 'info' }}
+      overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
+    secrets: inherit
--- a/README.md
+++ b/README.md
@@ -0,0 +1,10 @@
+# [dynamiclistener](https://github.com/rancher/dynamiclistener)
+
+This `README` is a work in progress; aimed towards providing information for navigating the contents of this repository.
+
+## Changing the Expiration Days for Newly Signed Certificates
+
+By default, a newly signed certificate is set to expire 365 days (1 year) after its creation time and date.
+You can use the `CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS` environment variable to change this value.
+
+**Please note:** the value for the aforementioned variable must be a string representing an unsigned integer corresponding to the number of days until expiration (i.e. X509 "NotAfter" value).
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -33,7 +33,9 @@ import (
 	"math"
 	"math/big"
 	"net"
-	"path"
+	"os"
+	"path/filepath"
+	"strconv"
 	"strings"
 	"time"

@@ -45,12 +47,15 @@ const (
 	duration365d = time.Hour * 24 * 365
 )

-// Config contains the basic fields required for creating a certificate
+var ErrStaticCert = errors.New("cannot renew static certificate")
+
+// Config contains the basic fields required for creating a certificate.
 type Config struct {
 	CommonName   string
 	Organization []string
 	AltNames     AltNames
 	Usages       []x509.ExtKeyUsage
+	ExpiresAt    time.Duration
 }

 // AltNames contains the domain names and IP addresses that will be added
@@ -86,10 +91,15 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 	if err != nil {
 		return nil, err
 	}
+
+	logrus.Infof("generated self-signed CA certificate %s: notBefore=%s notAfter=%s",
+		tmpl.Subject, tmpl.NotBefore, tmpl.NotAfter)
+
 	return x509.ParseCertificate(certDERBytes)
 }

-// NewSignedCert creates a signed certificate using the given CA certificate and key
+// NewSignedCert creates a signed certificate using the given CA certificate and key based
+// on the given configuration.
 func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
 	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
 	if err != nil {
@@ -101,6 +111,19 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 	if len(cfg.Usages) == 0 {
 		return nil, errors.New("must specify at least one ExtKeyUsage")
 	}
+	expiresAt := duration365d
+	if cfg.ExpiresAt > 0 {
+		expiresAt = time.Duration(cfg.ExpiresAt)
+	} else {
+		envExpirationDays := os.Getenv("CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS")
+		if envExpirationDays != "" {
+			if envExpirationDaysInt, err := strconv.Atoi(envExpirationDays); err != nil {
+				logrus.Infof("[NewSignedCert] expiration days from ENV (%s) could not be converted to int (falling back to default value: %d)", envExpirationDays, expiresAt)
+			} else {
+				expiresAt = time.Hour * 24 * time.Duration(envExpirationDaysInt)
+			}
+		}
+	}

 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
@@ -111,7 +134,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 		IPAddresses:  cfg.AltNames.IPs,
 		SerialNumber: serial,
 		NotBefore:    caCert.NotBefore,
-		NotAfter:     time.Now().Add(duration365d).UTC(),
+		NotAfter:     time.Now().Add(expiresAt).UTC(),
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:  cfg.Usages,
 	}
@@ -119,7 +142,13 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 	if err != nil {
 		return nil, err
 	}
-	return x509.ParseCertificate(certDERBytes)
+
+	parsedCert, err := x509.ParseCertificate(certDERBytes)
+	if err == nil {
+		logrus.Infof("certificate %s signed by %s: notBefore=%s notAfter=%s",
+			parsedCert.Subject, caCert.Subject, parsedCert.NotBefore, parsedCert.NotAfter)
+	}
+	return parsedCert, err
 }

 // MakeEllipticPrivateKeyPEM creates an ECDSA private key
@@ -161,8 +190,8 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 	maxAge := time.Hour * 24 * 365          // one year self-signed certs

 	baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
-	certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
-	keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
+	certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")
+	keyFixturePath := filepath.Join(fixtureDirectory, baseName+".key")
 	if len(fixtureDirectory) > 0 {
 		cert, err := ioutil.ReadFile(certFixturePath)
 		if err == nil {
@@ -271,11 +300,11 @@ func ipsToStrings(ips []net.IP) []string {
 }

 // IsCertExpired checks if the certificate about to expire
-func IsCertExpired(cert *x509.Certificate) bool {
+func IsCertExpired(cert *x509.Certificate, days int) bool {
 	expirationDate := cert.NotAfter
-	diffDays := expirationDate.Sub(time.Now()).Hours() / 24.0
-	if diffDays <= 90 {
-		logrus.Infof("certificate will expire in %f days", diffDays)
+	diffDays := time.Until(expirationDate).Hours() / 24.0
+	if diffDays <= float64(days) {
+		logrus.Infof("certificate %s will expire in %f days at %s", cert.Subject, diffDays, cert.NotAfter)
 		return true
 	}
 	return false
--- a/cert/io.go
+++ b/cert/io.go
@@ -34,15 +34,15 @@ func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
 	certReadable := canReadFile(certPath)
 	keyReadable := canReadFile(keyPath)

-	if certReadable == false && keyReadable == false {
+	if !certReadable && !keyReadable {
 		return false, nil
 	}

-	if certReadable == false {
+	if !certReadable {
 		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
 	}

-	if keyReadable == false {
+	if !keyReadable {
 		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
 	}

--- a/cert/secret.go
+++ b/cert/secret.go
@@ -0,0 +1,16 @@
+package cert
+
+import v1 "k8s.io/api/core/v1"
+
+func IsValidTLSSecret(secret *v1.Secret) bool {
+	if secret == nil {
+		return false
+	}
+	if _, ok := secret.Data[v1.TLSCertKey]; !ok {
+		return false
+	}
+	if _, ok := secret.Data[v1.TLSPrivateKeyKey]; !ok {
+		return false
+	}
+	return true
+}
--- a/factory/ca.go
+++ b/factory/ca.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"time"

 	"github.com/rancher/dynamiclistener/cert"
 )
@@ -16,7 +17,7 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
 		return nil, nil, err
 	}

-	caCert, err := NewSelfSignedCACert(caKey, "dynamiclistener-ca", "dynamiclistener-org")
+	caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")
 	if err != nil {
 		return nil, nil, err
 	}
@@ -24,18 +25,28 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
 	return caCert, caKey, nil
 }

+// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
 func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
-	cert, key, err := loadCA()
-	if err == nil {
-		return cert, key, nil
-	}
-
-	cert, key, err = GenCA()
+	chain, signer, err := LoadOrGenCAChain()
 	if err != nil {
 		return nil, nil, err
 	}
+	return chain[0], signer, err
+}

-	certBytes, keyBytes, err := Marshal(cert, key)
+func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {
+	certs, key, err := loadCA()
+	if err == nil {
+		return certs, key, nil
+	}
+
+	cert, key, err := GenCA()
+	if err != nil {
+		return nil, nil, err
+	}
+	certs = []*x509.Certificate{cert}
+
+	certBytes, keyBytes, err := MarshalChain(key, certs...)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -52,23 +63,22 @@ func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
 		return nil, nil, err
 	}

-	return cert, key, nil
+	return certs, key, nil
 }

-func loadCA() (*x509.Certificate, crypto.Signer, error) {
-	return LoadCerts("./certs/ca.pem", "./certs/ca.key")
+func loadCA() ([]*x509.Certificate, crypto.Signer, error) {
+	return LoadCertsChain("./certs/ca.pem", "./certs/ca.key")
 }

-func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
-	caPem, err := ioutil.ReadFile(certFile)
-	if err != nil {
-		return nil, nil, err
-	}
-	caKey, err := ioutil.ReadFile(keyFile)
+func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadCAChain(caPem, caKey)
 	if err != nil {
 		return nil, nil, err
 	}
+	return chain[0], signer, nil
+}

+func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {
 	key, err := cert.ParsePrivateKeyPEM(caKey)
 	if err != nil {
 		return nil, nil, err
@@ -78,10 +88,32 @@ func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, erro
 		return nil, nil, fmt.Errorf("key is not a crypto.Signer")
 	}

-	cert, err := ParseCertPEM(caPem)
+	certs, err := cert.ParseCertsPEM(caPem)
 	if err != nil {
 		return nil, nil, err
 	}

-	return cert, signer, nil
+	return certs, signer, nil
+}
+
+// Deprecated: Use LoadCertsChain instead as it supports intermediate CAs
+func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadCertsChain(certFile, keyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signer, error) {
+	caPem, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return nil, nil, err
+	}
+	caKey, err := ioutil.ReadFile(keyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return LoadCAChain(caPem, caKey)
 }
--- a/factory/cert_utils.go
+++ b/factory/cert_utils.go
@@ -10,11 +10,17 @@ import (
 	"math"
 	"math/big"
 	"net"
+	"os"
+	"strconv"
+	"strings"
 	"time"
+
+	"github.com/sirupsen/logrus"
 )

 const (
-	CertificateBlockType = "CERTIFICATE"
+	CertificateBlockType               = "CERTIFICATE"
+	defaultNewSignedCertExpirationDays = 365
 )

 func NewSelfSignedCACert(key crypto.Signer, cn string, org ...string) (*x509.Certificate, error) {
@@ -37,9 +43,43 @@ func NewSelfSignedCACert(key crypto.Signer, cn string, org ...string) (*x509.Cer
 		return nil, err
 	}

+	logrus.Infof("generated self-signed CA certificate %s: notBefore=%s notAfter=%s",
+		tmpl.Subject, tmpl.NotBefore, tmpl.NotAfter)
+
 	return x509.ParseCertificate(certDERBytes)
 }

+func NewSignedClientCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, cn string) (*x509.Certificate, error) {
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+
+	parent := x509.Certificate{
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		NotAfter:     time.Now().Add(time.Hour * 24 * 365).UTC(),
+		NotBefore:    caCert.NotBefore,
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: cn,
+		},
+	}
+
+	parts := strings.Split(cn, ",o=")
+	if len(parts) > 1 {
+		parent.Subject.CommonName = parts[0]
+		parent.Subject.Organization = parts[1:]
+	}
+
+	cert, err := x509.CreateCertificate(rand.Reader, &parent, caCert, signer.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return x509.ParseCertificate(cert)
+}
+
 func NewSignedCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, cn string, orgs []string,
 	domains []string, ips []net.IP) (*x509.Certificate, error) {

@@ -48,12 +88,22 @@ func NewSignedCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.
 		return nil, err
 	}

+	expirationDays := defaultNewSignedCertExpirationDays
+	envExpirationDays := os.Getenv("CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS")
+	if envExpirationDays != "" {
+		if envExpirationDaysInt, err := strconv.Atoi(envExpirationDays); err != nil {
+			logrus.Infof("[NewSignedCert] expiration days from ENV (%s) could not be converted to int (falling back to default value: %d)", envExpirationDays, defaultNewSignedCertExpirationDays)
+		} else {
+			expirationDays = envExpirationDaysInt
+		}
+	}
+
 	parent := x509.Certificate{
 		DNSNames:     domains,
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		IPAddresses:  ips,
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		NotAfter:     time.Now().Add(time.Hour * 24 * 365).UTC(),
+		NotAfter:     time.Now().Add(time.Hour * 24 * time.Duration(expirationDays)).UTC(),
 		NotBefore:    caCert.NotBefore,
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
@@ -67,7 +117,12 @@ func NewSignedCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.
 		return nil, err
 	}

-	return x509.ParseCertificate(cert)
+	parsedCert, err := x509.ParseCertificate(cert)
+	if err == nil {
+		logrus.Infof("certificate %s signed by %s: notBefore=%s notAfter=%s",
+			parsedCert.Subject, caCert.Subject, parsedCert.NotBefore, parsedCert.NotAfter)
+	}
+	return parsedCert, err
 }

 func ParseCertPEM(pemCerts []byte) (*x509.Certificate, error) {
--- a/factory/gen.go
+++ b/factory/gen.go
@@ -5,32 +5,46 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/pem"
+	"fmt"
 	"net"
+	"regexp"
 	"sort"
 	"strings"
+	"time"

 	"github.com/rancher/dynamiclistener/cert"
+	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 )

 const (
-	cnPrefix = "listener.cattle.io/cn-"
-	static   = "listener.cattle.io/static"
-	hashKey  = "listener.cattle.io/hash"
+	cnPrefix    = "listener.cattle.io/cn-"
+	Static      = "listener.cattle.io/static"
+	fingerprint = "listener.cattle.io/fingerprint"
+)
+
+var (
+	cnRegexp = regexp.MustCompile("^([A-Za-z0-9:][-A-Za-z0-9_.:]*)?[A-Za-z0-9:]$")
 )

 type TLS struct {
-	CACert       *x509.Certificate
-	CAKey        crypto.Signer
-	CN           string
-	Organization []string
+	CACert              []*x509.Certificate
+	CAKey               crypto.Signer
+	CN                  string
+	Organization        []string
+	FilterCN            func(...string) []string
+	ExpirationDaysCheck int
 }

 func cns(secret *v1.Secret) (cns []string) {
+	if secret == nil {
+		return nil
+	}
 	for k, v := range secret.Annotations {
 		if strings.HasPrefix(k, cnPrefix) {
 			cns = append(cns, v)
@@ -39,16 +53,14 @@ func cns(secret *v1.Secret) (cns []string) {
 	return
 }

-func collectCNs(secret *v1.Secret) (domains []string, ips []net.IP, hash string, err error) {
+func collectCNs(secret *v1.Secret) (domains []string, ips []net.IP, err error) {
 	var (
-		cns    = cns(secret)
-		digest = sha256.New()
+		cns = cns(secret)
 	)

 	sort.Strings(cns)

 	for _, v := range cns {
-		digest.Write([]byte(v))
 		ip := net.ParseIP(v)
 		if ip == nil {
 			domains = append(domains, v)
@@ -57,22 +69,97 @@ func collectCNs(secret *v1.Secret) (domains []string, ips []net.IP, hash string,
 		}
 	}

-	hash = hex.EncodeToString(digest.Sum(nil))
 	return
 }

-func (t *TLS) Merge(secret, other *v1.Secret) (*v1.Secret, bool, error) {
-	return t.AddCN(secret, cns(other)...)
+// Merge combines the SAN lists from the target and additional Secrets, and
+// returns a potentially modified Secret, along with a bool indicating if the
+// returned Secret is not the same as the target Secret. Secrets with expired
+// certificates will never be returned.
+//
+// If the merge would not add any CNs to the additional Secret, the additional
+// Secret is returned, to allow for certificate rotation/regeneration.
+//
+// If the merge would not add any CNs to the target Secret, the target Secret is
+// returned; no merging is necessary.
+//
+// If neither certificate is acceptable as-is, a new certificate containing
+// the union of the two lists is generated, using the private key from the
+// first Secret. The returned Secret will contain the updated cert.
+func (t *TLS) Merge(target, additional *v1.Secret) (*v1.Secret, bool, error) {
+	// static secrets can't be altered, don't bother trying
+	if IsStatic(target) {
+		return target, false, nil
+	}
+
+	mergedCNs := append(cns(target), cns(additional)...)
+
+	// if the additional secret already has all the CNs, use it in preference to the
+	// current one. This behavior is required to allow for renewal or regeneration.
+	if !NeedsUpdate(0, additional, mergedCNs...) && !t.IsExpired(additional) {
+		return additional, true, nil
+	}
+
+	// if the target secret already has all the CNs, continue using it. The additional
+	// cert had only a subset of the current CNs, so nothing needs to be added.
+	if !NeedsUpdate(0, target, mergedCNs...) && !t.IsExpired(target) {
+		return target, false, nil
+	}
+
+	// neither cert currently has all the necessary CNs or is unexpired; generate a new one.
+	return t.generateCert(target, mergedCNs...)
 }

-func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
-	var (
-		err error
-	)
+// Renew returns a copy of the given certificate that has been re-signed
+// to extend the NotAfter date. It is an error to attempt to renew
+// a static (user-provided) certificate.
+func (t *TLS) Renew(secret *v1.Secret) (*v1.Secret, error) {
+	if IsStatic(secret) {
+		return secret, cert.ErrStaticCert
+	}
+	cns := cns(secret)
+	secret = secret.DeepCopy()
+	secret.Annotations = map[string]string{}
+	secret, _, err := t.generateCert(secret, cns...)
+	return secret, err
+}

-	if !NeedsUpdate(secret, cn...) {
+// Filter ensures that the CNs are all valid accorting to both internal logic, and any filter callbacks.
+// The returned list will contain only approved CN entries.
+func (t *TLS) Filter(cn ...string) []string {
+	if len(cn) == 0 || t.FilterCN == nil {
+		return cn
+	}
+	return t.FilterCN(cn...)
+}
+
+// AddCN attempts to add a list of CN strings to a given Secret, returning the potentially-modified
+// Secret along with a bool indicating whether or not it has been updated. The Secret will not be changed
+// if it has an attribute indicating that it is static (aka user-provided), or if no new CNs were added.
+func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
+	cn = t.Filter(cn...)
+
+	if IsStatic(secret) || !NeedsUpdate(0, secret, cn...) {
 		return secret, false, nil
 	}
+	return t.generateCert(secret, cn...)
+}
+
+func (t *TLS) Regenerate(secret *v1.Secret) (*v1.Secret, error) {
+	cns := cns(secret)
+	secret, _, err := t.generateCert(nil, cns...)
+	return secret, err
+}
+
+func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
+	secret = secret.DeepCopy()
+	if secret == nil {
+		secret = &v1.Secret{}
+	}
+
+	if err := t.Verify(secret); err != nil {
+		logrus.Warnf("unable to verify existing certificate: %v - signing operation may change certificate issuer", err)
+	}

 	secret = populateCN(secret, cn...)

@@ -81,7 +168,7 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
 		return nil, false, err
 	}

-	domains, ips, hash, err := collectCNs(secret)
+	domains, ips, err := collectCNs(secret)
 	if err != nil {
 		return nil, false, err
 	}
@@ -91,7 +178,7 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
 		return nil, false, err
 	}

-	certBytes, keyBytes, err := Marshal(newCert, privateKey)
+	keyBytes, certBytes, err := MarshalChain(privateKey, append([]*x509.Certificate{newCert}, t.CACert...)...)
 	if err != nil {
 		return nil, false, err
 	}
@@ -99,15 +186,56 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
 	if secret.Data == nil {
 		secret.Data = map[string][]byte{}
 	}
+	secret.Type = v1.SecretTypeTLS
 	secret.Data[v1.TLSCertKey] = certBytes
 	secret.Data[v1.TLSPrivateKeyKey] = keyBytes
-	secret.Annotations[hashKey] = hash
+	secret.Annotations[fingerprint] = fmt.Sprintf("SHA1=%X", sha1.Sum(newCert.Raw))

 	return secret, true, nil
 }

+func (t *TLS) IsExpired(secret *v1.Secret) bool {
+	certsPem := secret.Data[v1.TLSCertKey]
+	if len(certsPem) == 0 {
+		return false
+	}
+
+	certificates, err := cert.ParseCertsPEM(certsPem)
+	if err != nil || len(certificates) == 0 {
+		return false
+	}
+
+	expirationDays := time.Duration(t.ExpirationDaysCheck) * time.Hour * 24
+	return time.Now().Add(expirationDays).After(certificates[0].NotAfter)
+}
+
+func (t *TLS) Verify(secret *v1.Secret) error {
+	certsPem := secret.Data[v1.TLSCertKey]
+	if len(certsPem) == 0 {
+		return nil
+	}
+
+	certificates, err := cert.ParseCertsPEM(certsPem)
+	if err != nil || len(certificates) == 0 {
+		return err
+	}
+
+	verifyOpts := x509.VerifyOptions{
+		Roots: x509.NewCertPool(),
+		KeyUsages: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageAny,
+		},
+	}
+	for _, c := range t.CACert {
+		verifyOpts.Roots.AddCert(c)
+	}
+
+	_, err = certificates[0].Verify(verifyOpts)
+	return err
+}
+
 func (t *TLS) newCert(domains []string, ips []net.IP, privateKey crypto.Signer) (*x509.Certificate, error) {
-	return NewSignedCert(privateKey, t.CACert, t.CAKey, t.CN, t.Organization, domains, ips)
+	return NewSignedCert(privateKey, t.CACert[0], t.CAKey, t.CN, t.Organization, domains, ips)
 }

 func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
@@ -116,18 +244,38 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
 		secret.Annotations = map[string]string{}
 	}
 	for _, cn := range cn {
-		secret.Annotations[cnPrefix+cn] = cn
+		if cnRegexp.MatchString(cn) {
+			secret.Annotations[getAnnotationKey(cn)] = cn
+		} else {
+			logrus.Errorf("dropping invalid CN: %s", cn)
+		}
 	}
 	return secret
 }

-func NeedsUpdate(secret *v1.Secret, cn ...string) bool {
-	if secret.Annotations[static] == "true" {
-		return false
+// IsStatic returns true if the Secret has an attribute indicating that it contains
+// a static (aka user-provided) certificate, which should not be modified.
+func IsStatic(secret *v1.Secret) bool {
+	if secret != nil && secret.Annotations != nil {
+		return secret.Annotations[Static] == "true"
+	}
+	return false
+}
+
+// NeedsUpdate returns true if any of the CNs are not currently present on the
+// secret's Certificate, as recorded in the cnPrefix annotations. It will return
+// false if all requested CNs are already present, or if maxSANs is non-zero and has
+// been exceeded.
+func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool {
+	if secret == nil {
+		return true
 	}

 	for _, cn := range cn {
-		if secret.Annotations[cnPrefix+cn] == "" {
+		if secret.Annotations[getAnnotationKey(cn)] == "" {
+			if maxSANs > 0 && len(cns(secret)) >= maxSANs {
+				return false
+			}
 			return true
 		}
 	}
@@ -149,13 +297,33 @@ func getPrivateKey(secret *v1.Secret) (crypto.Signer, error) {
 	return NewPrivateKey()
 }

-func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) ([]byte, []byte, error) {
+// MarshalChain returns given key and certificates as byte slices.
+func MarshalChain(privateKey crypto.Signer, certs ...*x509.Certificate) (keyBytes, certChainBytes []byte, err error) {
+	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for _, cert := range certs {
+		if cert != nil {
+			certBlock := pem.Block{
+				Type:  CertificateBlockType,
+				Bytes: cert.Raw,
+			}
+			certChainBytes = append(certChainBytes, pem.EncodeToMemory(&certBlock)...)
+		}
+	}
+	return keyBytes, certChainBytes, nil
+}
+
+// Marshal returns the given cert and key as byte slices.
+func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) (certBytes, keyBytes []byte, err error) {
 	certBlock := pem.Block{
 		Type:  CertificateBlockType,
 		Bytes: x509Cert.Raw,
 	}

-	keyBytes, err := cert.MarshalPrivateKeyToPEM(privateKey)
+	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -163,6 +331,26 @@ func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) ([]byte, []by
 	return pem.EncodeToMemory(&certBlock), keyBytes, nil
 }

+// NewPrivateKey returnes a new ECDSA key
 func NewPrivateKey() (crypto.Signer, error) {
 	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 }
+
+// getAnnotationKey return the key to use for a given CN. IPv4 addresses and short hostnames
+// are safe to store as-is, but longer hostnames and IPv6 address must be truncated and/or undergo
+// character replacement in order to be used as an annotation key. If the CN requires modification,
+// a portion of the SHA256 sum of the original value is used as the suffix, to reduce the likelihood
+// of collisions in modified values.
+func getAnnotationKey(cn string) string {
+	cn = cnPrefix + cn
+	cnLen := len(cn)
+	if cnLen < 64 && !strings.ContainsRune(cn, ':') {
+		return cn
+	}
+	digest := sha256.Sum256([]byte(cn))
+	cn = strings.ReplaceAll(cn, ":", "_")
+	if cnLen > 56 {
+		cnLen = 56
+	}
+	return cn[0:cnLen] + "-" + hex.EncodeToString(digest[0:])[0:6]
+}
--- a/filter.go
+++ b/filter.go
@@ -0,0 +1,12 @@
+package dynamiclistener
+
+func OnlyAllow(str string) func(...string) []string {
+	return func(s2 ...string) []string {
+		for _, s := range s2 {
+			if s == str {
+				return []string{s}
+			}
+		}
+		return nil
+	}
+}
--- a/go.mod
+++ b/go.mod
@@ -1,11 +1,63 @@
 module github.com/rancher/dynamiclistener

-go 1.12
+go 1.22

 require (
-	github.com/rancher/wrangler v0.1.4
-	github.com/rancher/wrangler-api v0.2.0
-	github.com/sirupsen/logrus v1.4.1
-	k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b
-	k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d
+	github.com/rancher/wrangler/v2 v2.2.0-rc6
+	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/crypto v0.33.0
+	k8s.io/api v0.29.3
+	k8s.io/apimachinery v0.29.3
+	k8s.io/client-go v0.29.3
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/rancher/lasso v0.0.0-20240424194130-d87ec407d941 // indirect
+	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/oauth2 v0.16.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,132 +1,184 @@
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
-github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef h1:veQD95Isof8w9/WXiA+pa3tz3fJXkt5B7QaRBrM62gk=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-containerregistry v0.0.0-20190617215043-876b8855d23c/go.mod h1:yZAFP63pRshzrEYLXLGPmUt0Ay+2zdjmMN1loCnRLUk=
-github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
-github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/googleapis/gnostic v0.0.0-20170426233943-68f4ded48ba9/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/googleapis/gnostic v0.2.0 h1:l6N3VoaVzTncYYW+9yOz2LJJammFZGBO13sqgEhpy9g=
-github.com/googleapis/gnostic v0.2.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/jetstack/cert-manager v0.7.2/go.mod h1:nbddmhjWxYGt04bxvwVGUSeLhZ2PCyNvd7MpXdq+yWY=
-github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
-github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/knative/build v0.6.0/go.mod h1:/sU74ZQkwlYA5FwYDJhYTy61i/Kn+5eWfln2jDbw3Qo=
-github.com/knative/pkg v0.0.0-20190514205332-5e4512dcb2ca/go.mod h1:7Ijfhw7rfB+H9VtosIsDYvZQ+qYTz7auK3fHW/5z4ww=
-github.com/knative/serving v0.6.1/go.mod h1:ljvMfwQy2qanaM/8xnBSK4Mz3Vv2NawC2fo5kFRJS1A=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ=
-github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a/go.mod h1:M1qoD/MqPgTZIk0EWKB38wE28ACRfVcn+cU08jyArI0=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
+github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
+github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rancher/wrangler v0.1.4 h1:bdzBw4H9JKQhXPBPNp4eHbmrkA24+VII865VLiVWcw8=
-github.com/rancher/wrangler v0.1.4/go.mod h1:EYP7cqpg42YqElaCm+U9ieSrGQKAXxUH5xsr+XGpWyE=
-github.com/rancher/wrangler-api v0.2.0 h1:VR7hLNnDrKykKLqthtwZ58pDDtUa9ijSNToPaJLEkWc=
-github.com/rancher/wrangler-api v0.2.0/go.mod h1:zTPdNLZO07KvRaVOx6XQbKBSV55Fnn4s7nqmrMPJqd8=
-github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff h1:VARhShG49tiji6mdRNp7JTNDtJ0FhuprF93GBQ37xGU=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
+github.com/rancher/lasso v0.0.0-20240424194130-d87ec407d941 h1:1SvuoeyfANRvKVJUSzHWa1P781iuH8ktUjW9cPOxAAk=
+github.com/rancher/lasso v0.0.0-20240424194130-d87ec407d941/go.mod h1:pYKOe2r/5O0w3ypoc7xHQF8LvWCp5PsNRea1Jpq3vBU=
+github.com/rancher/wrangler/v2 v2.2.0-rc6 h1:jMsuOVl7nBuQ5QJqdNkR2yHEf1+rYiyd1gN+mQzIcag=
+github.com/rancher/wrangler/v2 v2.2.0-rc6/go.mod h1:rFxhBR+PpC1MuJli+JeMpxoGxfV7XdFWtpdLC8s+oWQ=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/tektoncd/pipeline v0.4.0/go.mod h1:IZzJdiX9EqEMuUcgdnElozdYYRh0/ZRC+NKMLj1K3Yw=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
-golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
+golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b h1:aBGgKJUM9Hk/3AE8WaZIApnTxG35kbuQba2w+SXqezo=
-k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
-k8s.io/apiextensions-apiserver v0.0.0-20190409022649-727a075fdec8/go.mod h1:IxkesAMoaCRoLrPJdZNZUQp9NfZnzqaVzLhb2VEQzXE=
-k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d h1:Jmdtdt1ZnoGfWWIIik61Z7nKYgO3J+swQJtPYsP9wHA=
-k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
-k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible h1:U5Bt+dab9K8qaUmXINrkXO135kA11/i5Kg1RUydgaMQ=
-k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
-k8s.io/code-generator v0.0.0-20190311093542-50b561225d70/go.mod h1:MYiN+ZJZ9HkETbgVZdWw2AsuAi9PZ4V80cwfuf2axe8=
-k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/gengo v0.0.0-20190327210449-e17681d19d3a/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.3.0 h1:0VPpR+sizsiivjIfIAQH/rl8tan6jvWkS7lU+0di3lE=
-k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/kube-openapi v0.0.0-20190502190224-411b2483e503/go.mod h1:iU+ZGYsNlvU9XKUSso6SQfKTCCw7lFduMZy26Mgr2Fw=
-k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5 h1:VBM/0P5TWxwk+Nw6Z+lAw3DKgO76g90ETOiA6rfLV1Y=
-k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-sigs.k8s.io/structured-merge-diff v0.0.0-20190426204423-ea680f03cc65/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
-sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
+k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
+k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU=
+k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU=
+k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg=
+k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
+k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
+k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
+k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
--- a/listener.go
+++ b/listener.go
@@ -1,6 +1,7 @@
 package dynamiclistener

 import (
+	"context"
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
@@ -8,7 +9,9 @@ import (
 	"net/http"
 	"strings"
 	"sync"
+	"time"

+	"github.com/rancher/dynamiclistener/cert"
 	"github.com/rancher/dynamiclistener/factory"
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
@@ -19,63 +22,268 @@ type TLSStorage interface {
 	Update(secret *v1.Secret) error
 }

+type TLSFactory interface {
+	Renew(secret *v1.Secret) (*v1.Secret, error)
+	AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error)
+	Merge(target *v1.Secret, additional *v1.Secret) (*v1.Secret, bool, error)
+	Filter(cn ...string) []string
+	Regenerate(secret *v1.Secret) (*v1.Secret, error)
+}
+
 type SetFactory interface {
-	SetFactory(tls *factory.TLS)
-}
-
-type Config struct {
-	CN           string
-	Organization []string
-	TLSConfig    tls.Config
-	SANs         []string
+	SetFactory(tls TLSFactory)
 }

+// Deprecated: Use NewListenerWithChain instead as it supports intermediate CAs
 func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
+	return NewListenerWithChain(l, storage, []*x509.Certificate{caCert}, caKey, config)
+}
+
+func NewListenerWithChain(l net.Listener, storage TLSStorage, caCert []*x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
 	if config.CN == "" {
 		config.CN = "dynamic"
 	}
 	if len(config.Organization) == 0 {
 		config.Organization = []string{"dynamic"}
 	}
+	if config.TLSConfig == nil {
+		config.TLSConfig = &tls.Config{}
+	}
+	if config.ExpirationDaysCheck == 0 {
+		config.ExpirationDaysCheck = 90
+	}

 	dynamicListener := &listener{
 		factory: &factory.TLS{
-			CACert:       caCert,
-			CAKey:        caKey,
-			CN:           config.CN,
-			Organization: config.Organization,
+			CACert:              caCert,
+			CAKey:               caKey,
+			CN:                  config.CN,
+			Organization:        config.Organization,
+			FilterCN:            allowDefaultSANs(config.SANs, config.FilterCN),
+			ExpirationDaysCheck: config.ExpirationDaysCheck,
 		},
 		Listener:  l,
+		certReady: make(chan struct{}),
 		storage:   &nonNil{storage: storage},
 		sans:      config.SANs,
+		maxSANs:   config.MaxSANs,
 		tlsConfig: config.TLSConfig,
 	}
+	if dynamicListener.tlsConfig == nil {
+		dynamicListener.tlsConfig = &tls.Config{}
+	}
 	dynamicListener.tlsConfig.GetCertificate = dynamicListener.getCertificate

+	if config.CloseConnOnCertChange {
+		if len(dynamicListener.tlsConfig.Certificates) == 0 {
+			dynamicListener.tlsConfig.NextProtos = []string{"http/1.1"}
+		}
+		dynamicListener.conns = map[int]*closeWrapper{}
+	}
+
 	if setter, ok := storage.(SetFactory); ok {
 		setter.SetFactory(dynamicListener.factory)
 	}

-	return tls.NewListener(dynamicListener, &dynamicListener.tlsConfig), dynamicListener.cacheHandler(), nil
+	if config.RegenerateCerts != nil && config.RegenerateCerts() {
+		if err := dynamicListener.regenerateCerts(); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	tlsListener := tls.NewListener(dynamicListener.WrapExpiration(config.ExpirationDaysCheck), dynamicListener.tlsConfig)
+
+	return tlsListener, dynamicListener.cacheHandler(), nil
+}
+
+func allowDefaultSANs(sans []string, next func(...string) []string) func(...string) []string {
+	if next == nil {
+		return nil
+	} else if len(sans) == 0 {
+		return next
+	}
+
+	sanMap := map[string]bool{}
+	for _, san := range sans {
+		sanMap[san] = true
+	}
+
+	return func(s ...string) []string {
+		var (
+			good    []string
+			unknown []string
+		)
+		for _, s := range s {
+			if sanMap[s] {
+				good = append(good, s)
+			} else {
+				unknown = append(unknown, s)
+			}
+		}
+
+		return append(good, next(unknown...)...)
+	}
+}
+
+type cancelClose struct {
+	cancel func()
+	net.Listener
+}
+
+func (c *cancelClose) Close() error {
+	c.cancel()
+	return c.Listener.Close()
+}
+
+type Config struct {
+	CN                    string
+	Organization          []string
+	TLSConfig             *tls.Config
+	SANs                  []string
+	MaxSANs               int
+	ExpirationDaysCheck   int
+	CloseConnOnCertChange bool
+	RegenerateCerts       func() bool
+	FilterCN              func(...string) []string
 }

 type listener struct {
 	sync.RWMutex
 	net.Listener

-	factory   *factory.TLS
+	conns    map[int]*closeWrapper
+	connID   int
+	connLock sync.Mutex
+
+	factory   TLSFactory
 	storage   TLSStorage
 	version   string
-	tlsConfig tls.Config
+	tlsConfig *tls.Config
 	cert      *tls.Certificate
+	certReady chan struct{}
 	sans      []string
+	maxSANs   int
 	init      sync.Once
 }

+func (l *listener) WrapExpiration(days int) net.Listener {
+	ctx, cancel := context.WithCancel(context.Background())
+	go func() {
+
+		// wait for cert to be set, this will unblock when the channel is closed
+		select {
+		case <-ctx.Done():
+			return
+		case <-l.certReady:
+		}
+
+		for {
+			wait := 6 * time.Hour
+			if err := l.checkExpiration(days); err != nil {
+				logrus.Errorf("dynamiclistener %s: failed to check and renew dynamic cert: %v", l.Addr(), err)
+				// Don't go into short retry loop if we're using a static (user-provided) cert.
+				// We will still check and print an error every six hours until the user updates the secret with
+				// a cert that is not about to expire. Hopefully this will prompt them to take action.
+				if err != cert.ErrStaticCert {
+					wait = 5 * time.Minute
+				}
+			}
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(wait):
+			}
+		}
+	}()
+
+	return &cancelClose{
+		cancel:   cancel,
+		Listener: l,
+	}
+}
+
+// regenerateCerts regenerates the used certificates and
+// updates the secret.
+func (l *listener) regenerateCerts() error {
+	l.Lock()
+	defer l.Unlock()
+
+	secret, err := l.storage.Get()
+	if err != nil {
+		return err
+	}
+
+	newSecret, err := l.factory.Regenerate(secret)
+	if err != nil {
+		return err
+	}
+	if err := l.storage.Update(newSecret); err != nil {
+		return err
+	}
+	// clear version to force cert reload
+	l.version = ""
+
+	return nil
+}
+
+func (l *listener) checkExpiration(days int) error {
+	l.Lock()
+	defer l.Unlock()
+
+	if days == 0 {
+		return nil
+	}
+
+	if l.cert == nil {
+		return nil
+	}
+
+	secret, err := l.storage.Get()
+	if err != nil {
+		return err
+	}
+
+	keyPair, err := tls.X509KeyPair(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+	if err != nil {
+		return err
+	}
+
+	certParsed, err := x509.ParseCertificate(keyPair.Certificate[0])
+	if err != nil {
+		return err
+	}
+
+	if cert.IsCertExpired(certParsed, days) {
+		secret, err := l.factory.Renew(secret)
+		if err != nil {
+			return err
+		}
+		if err := l.storage.Update(secret); err != nil {
+			return err
+		}
+		// clear version to force cert reload
+		l.version = ""
+	}
+
+	return nil
+}
+
 func (l *listener) Accept() (net.Conn, error) {
 	l.init.Do(func() {
 		if len(l.sans) > 0 {
-			l.updateCert(l.sans...)
+			if err := l.updateCert(l.sans...); err != nil {
+				logrus.Errorf("dynamiclistener %s: failed to update cert with configured SANs: %v", l.Addr(), err)
+				return
+			}
+		}
+		if cert, err := l.loadCert(nil); err != nil {
+			logrus.Errorf("dynamiclistener %s: failed to preload certificate: %v", l.Addr(), err)
+		} else if cert == nil {
+			// This should only occur on the first startup when no SANs are configured in the listener config, in which
+			// case no certificate can be created, as dynamiclistener will not create certificates until at least one IP
+			// or DNS SAN is set. It will also occur when using the Kubernetes storage without a local File cache.
+			// For reliable serving of requests, callers should configure a local cache and/or a default set of SANs.
+			logrus.Warnf("dynamiclistener %s: no cached certificate available for preload - deferring certificate load until storage initialization or first client request", l.Addr())
 		}
 	})

@@ -91,30 +299,84 @@ func (l *listener) Accept() (net.Conn, error) {

 	host, _, err := net.SplitHostPort(addr.String())
 	if err != nil {
-		logrus.Errorf("failed to parse network %s: %v", addr.Network(), err)
+		logrus.Errorf("dynamiclistener %s: failed to parse connection local address %s: %v", l.Addr(), addr, err)
 		return conn, nil
 	}

-	if !strings.Contains(host, ":") {
-		if err := l.updateCert(host); err != nil {
-			logrus.Infof("failed to create TLS cert for: %s", host)
-		}
+	if err := l.updateCert(host); err != nil {
+		logrus.Errorf("dynamiclistener %s: failed to update cert with connection local address: %v", l.Addr(), err)
+	}
+
+	if l.conns != nil {
+		conn = l.wrap(conn)
 	}

 	return conn, nil
 }

+func (l *listener) wrap(conn net.Conn) net.Conn {
+	l.connLock.Lock()
+	defer l.connLock.Unlock()
+	l.connID++
+
+	wrapper := &closeWrapper{
+		Conn: conn,
+		id:   l.connID,
+		l:    l,
+	}
+	l.conns[l.connID] = wrapper
+
+	return wrapper
+}
+
+type closeWrapper struct {
+	net.Conn
+	id    int
+	l     *listener
+	ready bool
+}
+
+func (c *closeWrapper) close() error {
+	delete(c.l.conns, c.id)
+	return c.Conn.Close()
+}
+
+func (c *closeWrapper) Close() error {
+	c.l.connLock.Lock()
+	defer c.l.connLock.Unlock()
+	return c.close()
+}
+
 func (l *listener) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	newConn := hello.Conn
 	if hello.ServerName != "" {
 		if err := l.updateCert(hello.ServerName); err != nil {
+			logrus.Errorf("dynamiclistener %s: failed to update cert with TLS ServerName: %v", l.Addr(), err)
 			return nil, err
 		}
 	}
-
-	return l.loadCert()
+	connCert, err := l.loadCert(newConn)
+	if connCert != nil && err == nil && newConn != nil && l.conns != nil {
+		// if we were successfully able to load a cert and are closing connections on cert changes, mark newConn ready
+		// this will allow us to close the connection if a future connection forces the cert to re-load
+		wrapper, ok := newConn.(*closeWrapper)
+		if !ok {
+			logrus.Debugf("will not mark non-close wrapper connection from %s to %s as ready", newConn.RemoteAddr(), newConn.LocalAddr())
+			return connCert, err
+		}
+		l.connLock.Lock()
+		l.conns[wrapper.id].ready = true
+		l.connLock.Unlock()
+	}
+	return connCert, err
 }

 func (l *listener) updateCert(cn ...string) error {
+	cn = l.factory.Filter(cn...)
+	if len(cn) == 0 {
+		return nil
+	}
+
 	l.RLock()
 	defer l.RUnlock()

@@ -123,7 +385,7 @@ func (l *listener) updateCert(cn ...string) error {
 		return err
 	}

-	if !factory.NeedsUpdate(secret, cn...) {
+	if factory.IsStatic(secret) || !factory.NeedsUpdate(l.maxSANs, secret, cn...) {
 		return nil
 	}

@@ -141,14 +403,16 @@ func (l *listener) updateCert(cn ...string) error {
 		if err := l.storage.Update(secret); err != nil {
 			return err
 		}
-		// clear version to force cert reload
+		// Clear version to force cert reload next time loadCert is called by TLSConfig's
+		// GetCertificate hook to provide a certificate for a new connection. Note that this
+		// means the old certificate stays in l.cert until a new connection is made.
 		l.version = ""
 	}

 	return nil
 }

-func (l *listener) loadCert() (*tls.Certificate, error) {
+func (l *listener) loadCert(currentConn net.Conn) (*tls.Certificate, error) {
 	l.RLock()
 	defer l.RUnlock()

@@ -156,7 +420,7 @@ func (l *listener) loadCert() (*tls.Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-	if l.cert != nil && l.version == secret.ResourceVersion {
+	if l.cert != nil && l.version == secret.ResourceVersion && secret.ResourceVersion != "" {
 		return l.cert, nil
 	}

@@ -169,7 +433,10 @@ func (l *listener) loadCert() (*tls.Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-	if l.cert != nil && l.version == secret.ResourceVersion {
+	if !cert.IsValidTLSSecret(secret) {
+		return l.cert, nil
+	}
+	if l.cert != nil && l.version == secret.ResourceVersion && secret.ResourceVersion != "" {
 		return l.cert, nil
 	}

@@ -178,7 +445,26 @@ func (l *listener) loadCert() (*tls.Certificate, error) {
 		return nil, err
 	}

+	// cert has changed, close closeWrapper wrapped connections if this isn't the first load
+	if currentConn != nil && l.conns != nil && l.cert != nil {
+		l.connLock.Lock()
+		for _, conn := range l.conns {
+			// Don't close a connection that's in the middle of completing a TLS handshake
+			if !conn.ready {
+				continue
+			}
+			_ = conn.close()
+		}
+		l.connLock.Unlock()
+	}
+
+	// we can only close the ready channel once when the cert is first assigned
+	canClose := l.cert == nil
 	l.cert = &cert
+	if canClose {
+		close(l.certReady)
+	}
+	l.version = secret.ResourceVersion
 	return l.cert, nil
 }

@@ -191,7 +477,15 @@ func (l *listener) cacheHandler() http.Handler {

 		ip := net.ParseIP(h)
 		if len(ip) > 0 {
-			l.updateCert(h)
+			for _, v := range req.Header["User-Agent"] {
+				if strings.Contains(strings.ToLower(v), "mozilla") {
+					return
+				}
+			}
+
+			if err := l.updateCert(h); err != nil {
+				logrus.Errorf("dynamiclistener %s: failed to update cert with HTTP request Host header: %v", l.Addr(), err)
+			}
 		}
 	})
 }
--- a/listener_test.go
+++ b/listener_test.go
@@ -0,0 +1,225 @@
+package dynamiclistener
+
+import (
+	"crypto/tls"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/rancher/dynamiclistener/factory"
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	apiError "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func Test_getCertificate(t *testing.T) {
+	beforeKey, beforeCert, err := newCertificate()
+	assert.NoError(t, err, "Error when setting up test - unable to construct before key for test")
+	beforeTLSCert, err := tls.X509KeyPair(beforeCert, beforeKey)
+	assert.NoError(t, err, "Error when setting up test - unable to convert before to tls.Certificate")
+	afterKey, afterCert, err := newCertificate()
+	assert.NoError(t, err, "Error when setting up test - unable to construct after key for test")
+	afterTLSCert, err := tls.X509KeyPair(afterCert, afterKey)
+	assert.NoError(t, err, "Error when setting up test - unable to convert after to tls.Certificate")
+	tests := []struct {
+		// input test vars
+		name          string
+		secret        *v1.Secret
+		secretErr     error
+		cachedCert    *tls.Certificate
+		cachedVersion string
+		currentConn   *closeWrapper
+		otherConns    map[int]*closeWrapper
+
+		// output/result test vars
+		closedConns  []int
+		expectedCert *tls.Certificate
+		wantError    bool
+	}{
+		{
+			name:   "no secret found",
+			secret: nil,
+			secretErr: apiError.NewNotFound(schema.GroupResource{
+				Group:    "",
+				Resource: "Secret",
+			}, "testSecret"),
+			currentConn: &closeWrapper{id: 0},
+			otherConns:  map[int]*closeWrapper{},
+
+			expectedCert: nil,
+			wantError:    true,
+		},
+		{
+			name: "secret found, and is up to date",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "1",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSCertKey:       beforeCert,
+					v1.TLSPrivateKeyKey: beforeKey,
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns:    map[int]*closeWrapper{},
+
+			expectedCert: &beforeTLSCert,
+			wantError:    false,
+		},
+		{
+			name: "secret found, is not up to date, but k8s secret is not valid",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "2",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSPrivateKeyKey: []byte("strawberry"),
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns:    map[int]*closeWrapper{},
+
+			expectedCert: &beforeTLSCert,
+			wantError:    false,
+		},
+		{
+			name: "secret found, but is not up to date",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "2",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSCertKey:       afterCert,
+					v1.TLSPrivateKeyKey: afterKey,
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns:    map[int]*closeWrapper{},
+
+			expectedCert: &afterTLSCert,
+			wantError:    false,
+		},
+		{
+			name: "secret found, is not up to date, and we have conns using current cert",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "2",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSCertKey:       afterCert,
+					v1.TLSPrivateKeyKey: afterKey,
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns: map[int]*closeWrapper{
+				1: {
+					id:    1,
+					ready: false,
+					Conn:  &fakeConn{},
+				},
+				2: {
+					id:    2,
+					ready: true,
+					Conn:  &fakeConn{},
+				},
+			},
+
+			closedConns:  []int{2},
+			expectedCert: &afterTLSCert,
+			wantError:    false,
+		},
+	}
+	for i := range tests {
+		test := tests[i]
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			testConns := test.otherConns
+			if testConns != nil {
+				testConns[test.currentConn.id] = test.currentConn
+				// make sure our conn is listed as one of the current connections
+			}
+			l := listener{
+				cert:    test.cachedCert,
+				version: test.cachedVersion,
+				storage: &MockTLSStorage{
+					Secret:    test.secret,
+					SecretErr: test.secretErr,
+				},
+				conns: testConns,
+			}
+			for _, conn := range testConns {
+				conn.l = &l
+			}
+			newCert, err := l.getCertificate(&tls.ClientHelloInfo{Conn: test.currentConn})
+			if test.wantError {
+				assert.Errorf(t, err, "expected an error but none was provdied")
+			} else {
+				assert.NoError(t, err, "did not expect an error but got one")
+			}
+			assert.Equal(t, test.expectedCert, newCert, "expected cert did not match actual cert")
+			if test.expectedCert != nil && test.wantError == false && test.currentConn != nil && test.otherConns != nil {
+				assert.True(t, test.currentConn.ready, "expected connection to be ready but it was not")
+			} else {
+				if test.currentConn != nil {
+					assert.False(t, test.currentConn.ready, "did not expect connection to be ready")
+				}
+			}
+			for _, closedConn := range test.closedConns {
+				_, ok := l.conns[closedConn]
+				assert.False(t, ok, "closed conns should not be found")
+			}
+		})
+	}
+}
+
+func newCertificate() ([]byte, []byte, error) {
+	cert, key, err := factory.GenCA()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return factory.MarshalChain(key, cert)
+}
+
+type MockTLSStorage struct {
+	Secret    *v1.Secret
+	SecretErr error
+}
+
+func (m *MockTLSStorage) Get() (*v1.Secret, error) {
+	return m.Secret, m.SecretErr
+}
+
+func (m *MockTLSStorage) Update(secret *v1.Secret) error {
+	panic("Not implemented")
+}
+
+// adapted from k8s.io/apimachinery@v0.18.8/pkg/util.proxy/ugradeaware_test.go
+type fakeConn struct{}
+
+func (f *fakeConn) Read([]byte) (int, error)        { return 0, nil }
+func (f *fakeConn) Write([]byte) (int, error)       { return 0, nil }
+func (f *fakeConn) Close() error                    { return nil }
+func (fakeConn) LocalAddr() net.Addr                { return nil }
+func (fakeConn) RemoteAddr() net.Addr               { return nil }
+func (fakeConn) SetDeadline(t time.Time) error      { return nil }
+func (fakeConn) SetReadDeadline(t time.Time) error  { return nil }
+func (fakeConn) SetWriteDeadline(t time.Time) error { return nil }
--- a/redirect.go
+++ b/redirect.go
@@ -11,8 +11,10 @@ import (
 func HTTPRedirect(next http.Handler) http.Handler {
 	return http.HandlerFunc(
 		func(rw http.ResponseWriter, r *http.Request) {
-			if r.Header.Get("x-Forwarded-Proto") == "https" ||
+			if r.TLS != nil ||
+				r.Header.Get("x-Forwarded-Proto") == "https" ||
 				r.Header.Get("x-Forwarded-Proto") == "wss" ||
+				strings.HasPrefix(r.URL.Path, "/.well-known/") ||
 				strings.HasPrefix(r.URL.Path, "/ping") ||
 				strings.HasPrefix(r.URL.Path, "/health") {
 				next.ServeHTTP(rw, r)
--- a/server/server.go
+++ b/server/server.go
@@ -2,45 +2,80 @@ package server

 import (
 	"context"
+	"crypto"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"log"
+	"net"
 	"net/http"

 	"github.com/rancher/dynamiclistener"
 	"github.com/rancher/dynamiclistener/factory"
+	"github.com/rancher/dynamiclistener/storage/file"
+	"github.com/rancher/dynamiclistener/storage/kubernetes"
 	"github.com/rancher/dynamiclistener/storage/memory"
+	v1 "github.com/rancher/wrangler/v2/pkg/generated/controllers/core/v1"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/acme/autocert"
 )

-func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.Handler) error {
-	var (
-		// https listener will change this if http is enabled
-		targetHandler = handler
-	)
+type ListenOpts struct {
+	CAChain []*x509.Certificate
+	// Deprecated: Use CAChain instead
+	CA                *x509.Certificate
+	CAKey             crypto.Signer
+	Storage           dynamiclistener.TLSStorage
+	Secrets           v1.SecretController
+	CertNamespace     string
+	CertName          string
+	CANamespace       string
+	CAName            string
+	CertBackup        string
+	AcmeDomains       []string
+	BindHost          string
+	NoRedirect        bool
+	TLSListenerConfig dynamiclistener.Config
+}
+
+func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.Handler, opts *ListenOpts) error {
+	if opts == nil {
+		opts = &ListenOpts{}
+	}
+
+	if opts.TLSListenerConfig.TLSConfig == nil {
+		opts.TLSListenerConfig.TLSConfig = &tls.Config{}
+	}
+
+	logger := logrus.StandardLogger()
+	errorLog := log.New(logger.WriterLevel(logrus.DebugLevel), "", log.LstdFlags)
+
 	if httpsPort > 0 {
-		caCert, caKey, err := factory.LoadOrGenCA()
+		tlsTCPListener, err := dynamiclistener.NewTCPListener(opts.BindHost, httpsPort)
 		if err != nil {
 			return err
 		}

-		tlsTCPListener, err := dynamiclistener.NewTCPListener("0.0.0.0", httpsPort)
+		tlsTCPListener, handler, err = getTLSListener(ctx, tlsTCPListener, handler, *opts)
 		if err != nil {
 			return err
 		}

-		dynListener, dynHandler, err := dynamiclistener.NewListener(tlsTCPListener, memory.New(), caCert, caKey, dynamiclistener.Config{})
-		if err != nil {
-			return err
+		if !opts.NoRedirect {
+			handler = dynamiclistener.HTTPRedirect(handler)
 		}

-		targetHandler = wrapHandler(dynHandler, handler)
 		tlsServer := http.Server{
-			Handler: targetHandler,
+			Handler: handler,
+			BaseContext: func(listener net.Listener) context.Context {
+				return ctx
+			},
+			ErrorLog: errorLog,
 		}
-		targetHandler = dynamiclistener.HTTPRedirect(targetHandler)

 		go func() {
-			logrus.Infof("Listening on 0.0.0.0:%d", httpsPort)
-			err := tlsServer.Serve(dynListener)
+			logrus.Infof("Listening on %s:%d", opts.BindHost, httpsPort)
+			err := tlsServer.Serve(tlsTCPListener)
 			if err != http.ErrServerClosed && err != nil {
 				logrus.Fatalf("https server failed: %v", err)
 			}
@@ -53,11 +88,15 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H

 	if httpPort > 0 {
 		httpServer := http.Server{
-			Addr:    fmt.Sprintf("0.0.0.0:%d", httpPort),
-			Handler: targetHandler,
+			Addr:     fmt.Sprintf("%s:%d", opts.BindHost, httpPort),
+			Handler:  handler,
+			ErrorLog: errorLog,
+			BaseContext: func(listener net.Listener) context.Context {
+				return ctx
+			},
 		}
 		go func() {
-			logrus.Infof("Listening on 0.0.0.0:%d", httpPort)
+			logrus.Infof("Listening on %s:%d", opts.BindHost, httpPort)
 			err := httpServer.ListenAndServe()
 			if err != http.ErrServerClosed && err != nil {
 				logrus.Fatalf("http server failed: %v", err)
@@ -72,9 +111,122 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
 	return nil
 }

+func getTLSListener(ctx context.Context, tcp net.Listener, handler http.Handler, opts ListenOpts) (net.Listener, http.Handler, error) {
+	if len(opts.TLSListenerConfig.TLSConfig.NextProtos) == 0 {
+		opts.TLSListenerConfig.TLSConfig.NextProtos = []string{"h2", "http/1.1"}
+	}
+
+	if len(opts.TLSListenerConfig.TLSConfig.Certificates) > 0 {
+		return tls.NewListener(tcp, opts.TLSListenerConfig.TLSConfig), handler, nil
+	}
+
+	if len(opts.AcmeDomains) > 0 {
+		return acmeListener(tcp, handler, opts)
+	}
+
+	storage := opts.Storage
+	if storage == nil {
+		storage = newStorage(ctx, opts)
+	}
+
+	caCert, caKey, err := getCA(opts)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	listener, dynHandler, err := dynamiclistener.NewListenerWithChain(tcp, storage, caCert, caKey, opts.TLSListenerConfig)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return listener, wrapHandler(dynHandler, handler), nil
+}
+
+func getCA(opts ListenOpts) ([]*x509.Certificate, crypto.Signer, error) {
+	if opts.CAKey != nil {
+		if opts.CAChain != nil {
+			return opts.CAChain, opts.CAKey, nil
+		} else if opts.CA != nil {
+			return []*x509.Certificate{opts.CA}, opts.CAKey, nil
+		}
+	}
+
+	if opts.Secrets == nil {
+		return factory.LoadOrGenCAChain()
+	}
+
+	if opts.CAName == "" {
+		opts.CAName = "serving-ca"
+	}
+
+	if opts.CANamespace == "" {
+		opts.CANamespace = opts.CertNamespace
+	}
+
+	if opts.CANamespace == "" {
+		opts.CANamespace = "kube-system"
+	}
+
+	return kubernetes.LoadOrGenCAChain(opts.Secrets, opts.CANamespace, opts.CAName)
+}
+
+func newStorage(ctx context.Context, opts ListenOpts) dynamiclistener.TLSStorage {
+	var result dynamiclistener.TLSStorage
+	if opts.CertBackup == "" {
+		result = memory.New()
+	} else {
+		result = memory.NewBacked(file.New(opts.CertBackup))
+	}
+
+	if opts.Secrets == nil {
+		return result
+	}
+
+	if opts.CertName == "" {
+		opts.CertName = "serving-cert"
+	}
+
+	if opts.CertNamespace == "" {
+		opts.CertNamespace = "kube-system"
+	}
+
+	return kubernetes.Load(ctx, opts.Secrets, opts.CertNamespace, opts.CertName, result)
+}
+
 func wrapHandler(handler http.Handler, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		handler.ServeHTTP(rw, req)
 		next.ServeHTTP(rw, req)
 	})
 }
+
+func acmeListener(tcp net.Listener, handler http.Handler, opts ListenOpts) (net.Listener, http.Handler, error) {
+	hosts := map[string]bool{}
+	for _, domain := range opts.AcmeDomains {
+		hosts[domain] = true
+	}
+
+	manager := autocert.Manager{
+		Cache: autocert.DirCache("certs-cache"),
+		Prompt: func(tosURL string) bool {
+			return true
+		},
+		HostPolicy: func(ctx context.Context, host string) error {
+			if !hosts[host] {
+				return fmt.Errorf("host %s is not configured", host)
+			}
+			return nil
+		},
+	}
+
+	opts.TLSListenerConfig.TLSConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		if hello.ServerName == "localhost" || hello.ServerName == "" {
+			newHello := *hello
+			newHello.ServerName = opts.AcmeDomains[0]
+			return manager.GetCertificate(&newHello)
+		}
+		return manager.GetCertificate(hello)
+	}
+
+	return tls.NewListener(tcp, opts.TLSListenerConfig.TLSConfig), manager.HTTPHandler(handler), nil
+}
--- a/storage/file/file.go
+++ b/storage/file/file.go
@@ -2,9 +2,10 @@ package file

 import (
 	"encoding/json"
-	"github.com/rancher/dynamiclistener"
-	"k8s.io/api/core/v1"
 	"os"
+
+	"github.com/rancher/dynamiclistener"
+	v1 "k8s.io/api/core/v1"
 )

 func New(file string) dynamiclistener.TLSStorage {
@@ -39,4 +40,3 @@ func (s *storage) Update(secret *v1.Secret) error {

 	return json.NewEncoder(f).Encode(secret)
 }
-
--- a/storage/kubernetes/ca.go
+++ b/storage/kubernetes/ca.go
@@ -0,0 +1,112 @@
+package kubernetes
+
+import (
+	"crypto"
+	"crypto/x509"
+
+	"github.com/rancher/dynamiclistener/factory"
+	v1controller "github.com/rancher/wrangler/v2/pkg/generated/controllers/core/v1"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
+func LoadOrGenCA(secrets v1controller.SecretClient, namespace, name string) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadOrGenCAChain(secrets, namespace, name)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadOrGenCAChain(secrets v1controller.SecretClient, namespace, name string) ([]*x509.Certificate, crypto.Signer, error) {
+	secret, err := getSecret(secrets, namespace, name)
+	if err != nil {
+		return nil, nil, err
+	}
+	return factory.LoadCAChain(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+}
+
+func LoadOrGenClient(secrets v1controller.SecretClient, namespace, name, cn string, ca *x509.Certificate, key crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
+	secret, err := getClientSecret(secrets, namespace, name, cn, ca, key)
+	if err != nil {
+		return nil, nil, err
+	}
+	return factory.LoadCA(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+}
+
+func getClientSecret(secrets v1controller.SecretClient, namespace, name, cn string, caCert *x509.Certificate, caKey crypto.Signer) (*v1.Secret, error) {
+	s, err := secrets.Get(namespace, name, metav1.GetOptions{})
+	if !errors.IsNotFound(err) {
+		return s, err
+	}
+
+	return createAndStoreClientCert(secrets, namespace, name, cn, caCert, caKey)
+}
+
+func getSecret(secrets v1controller.SecretClient, namespace, name string) (*v1.Secret, error) {
+	s, err := secrets.Get(namespace, name, metav1.GetOptions{})
+	if !errors.IsNotFound(err) {
+		return s, err
+	}
+
+	return createAndStore(secrets, namespace, name)
+}
+
+func createAndStoreClientCert(secrets v1controller.SecretClient, namespace string, name, cn string, caCert *x509.Certificate, caKey crypto.Signer) (*v1.Secret, error) {
+	key, err := factory.NewPrivateKey()
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := factory.NewSignedClientCert(key, caCert, caKey, cn)
+	if err != nil {
+		return nil, err
+	}
+
+	keyPem, certPem, err := factory.MarshalChain(key, cert, caCert)
+	if err != nil {
+		return nil, err
+	}
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			v1.TLSCertKey:       certPem,
+			v1.TLSPrivateKeyKey: keyPem,
+		},
+		Type: v1.SecretTypeTLS,
+	}
+
+	return secrets.Create(secret)
+}
+
+func createAndStore(secrets v1controller.SecretClient, namespace string, name string) (*v1.Secret, error) {
+	ca, cert, err := factory.GenCA()
+	if err != nil {
+		return nil, err
+	}
+
+	certPem, keyPem, err := factory.Marshal(ca, cert)
+	if err != nil {
+		return nil, err
+	}
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			v1.TLSCertKey:       certPem,
+			v1.TLSPrivateKeyKey: keyPem,
+		},
+		Type: v1.SecretTypeTLS,
+	}
+
+	return secrets.Create(secret)
+}
--- a/storage/kubernetes/controller.go
+++ b/storage/kubernetes/controller.go
@@ -6,59 +6,70 @@ import (
 	"time"

 	"github.com/rancher/dynamiclistener"
-	"github.com/rancher/dynamiclistener/factory"
-	"github.com/rancher/wrangler-api/pkg/generated/controllers/core"
-	v1controller "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1"
-	"github.com/rancher/wrangler/pkg/start"
+	"github.com/rancher/dynamiclistener/cert"
+	"github.com/rancher/wrangler/v2/pkg/generated/controllers/core"
+	v1controller "github.com/rancher/wrangler/v2/pkg/generated/controllers/core/v1"
+	"github.com/rancher/wrangler/v2/pkg/start"
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/util/retry"
 )

 type CoreGetter func() *core.Factory

+func Load(ctx context.Context, secrets v1controller.SecretController, namespace, name string, backing dynamiclistener.TLSStorage) dynamiclistener.TLSStorage {
+	storage := &storage{
+		name:      name,
+		namespace: namespace,
+		storage:   backing,
+		ctx:       ctx,
+		initSync:  &sync.Once{},
+	}
+	storage.init(secrets)
+	return storage
+}
+
 func New(ctx context.Context, core CoreGetter, namespace, name string, backing dynamiclistener.TLSStorage) dynamiclistener.TLSStorage {
 	storage := &storage{
 		name:      name,
 		namespace: namespace,
 		storage:   backing,
 		ctx:       ctx,
+		initSync:  &sync.Once{},
 	}

 	// lazy init
 	go func() {
-		for {
-			core := core()
-			if core != nil {
-				storage.init(core.Core().V1().Secret())
-				start.All(ctx, 5, core)
-				return
+		wait.PollImmediateUntilWithContext(ctx, time.Second, func(cxt context.Context) (bool, error) {
+			if coreFactory := core(); coreFactory != nil {
+				storage.init(coreFactory.Core().V1().Secret())
+				return true, start.All(ctx, 5, coreFactory)
 			}
-
-			select {
-			case <-ctx.Done():
-				return
-			case <-time.After(time.Second):
-			}
-		}
+			return false, nil
+		})
 	}()

 	return storage
 }

 type storage struct {
-	sync.Mutex
+	sync.RWMutex

 	namespace, name string
 	storage         dynamiclistener.TLSStorage
-	secrets         v1controller.SecretClient
+	secrets         v1controller.SecretController
 	ctx             context.Context
-	tls             *factory.TLS
+	tls             dynamiclistener.TLSFactory
+	initialized     bool
+	initSync        *sync.Once
 }

-func (s *storage) SetFactory(tls *factory.TLS) {
+func (s *storage) SetFactory(tls dynamiclistener.TLSFactory) {
+	s.Lock()
+	defer s.Unlock()
 	s.tls = tls
 }

@@ -80,30 +91,64 @@ func (s *storage) init(secrets v1controller.SecretController) {
 	})
 	s.secrets = secrets

-	if secret, err := s.storage.Get(); err == nil && secret != nil && len(secret.Data) > 0 {
-		// just ensure there is a secret in k3s
-		if _, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{}); errors.IsNotFound(err) {
-			_, _ = s.secrets.Create(&v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:        s.name,
-					Namespace:   s.namespace,
-					Annotations: secret.Annotations,
-				},
-				Type: v1.SecretTypeTLS,
-				Data: secret.Data,
-			})
+	// Asynchronously sync the backing storage to the Kubernetes secret, as doing so inline may
+	// block the listener from accepting new connections if the apiserver becomes unavailable
+	// after the Secrets controller has been initialized. We're not passing around any contexts
+	// here, nor does the controller accept any, so there's no good way to soft-fail with a
+	// reasonable timeout.
+	go s.syncStorage()
+}
+
+func (s *storage) syncStorage() {
+	var updateStorage bool
+	secret, err := s.Get()
+	if err == nil && cert.IsValidTLSSecret(secret) {
+		// local storage had a cached secret, ensure that it exists in Kubernetes
+		_, err := s.secrets.Create(&v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        s.name,
+				Namespace:   s.namespace,
+				Annotations: secret.Annotations,
+			},
+			Type: v1.SecretTypeTLS,
+			Data: secret.Data,
+		})
+		if err != nil && !errors.IsAlreadyExists(err) {
+			logrus.Warnf("Failed to create Kubernetes secret: %v", err)
+		}
+	} else {
+		// local storage was empty, try to populate it
+		secret, err = s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
+		if err != nil {
+			if !errors.IsNotFound(err) {
+				logrus.Warnf("Failed to init Kubernetes secret: %v", err)
+			}
+		} else {
+			updateStorage = true
+		}
+	}
+
+	s.Lock()
+	defer s.Unlock()
+	s.initialized = true
+	if updateStorage {
+		if err := s.storage.Update(secret); err != nil {
+			logrus.Warnf("Failed to init backing storage secret: %v", err)
 		}
 	}
 }

 func (s *storage) Get() (*v1.Secret, error) {
-	s.Lock()
-	defer s.Unlock()
+	s.RLock()
+	defer s.RUnlock()

 	return s.storage.Get()
 }

 func (s *storage) targetSecret() (*v1.Secret, error) {
+	s.RLock()
+	defer s.RUnlock()
+
 	existingSecret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		return &v1.Secret{
@@ -111,30 +156,62 @@ func (s *storage) targetSecret() (*v1.Secret, error) {
 				Name:      s.name,
 				Namespace: s.namespace,
 			},
+			Type: v1.SecretTypeTLS,
 		}, nil
 	}
 	return existingSecret, err
 }

 func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
-	if s.secrets == nil {
+	if !s.initComplete() {
+		// Start a goroutine to attempt to save the secret later, once init is complete.
+		// If this was already handled by initComplete, it should be a no-op, or at worst get
+		// merged with the Kubernetes secret.
+		go s.initSync.Do(func() {
+			if err := wait.Poll(100*time.Millisecond, 15*time.Minute, func() (bool, error) {
+				if !s.initComplete() {
+					return false, nil
+				}
+				_, err := s.saveInK8s(secret)
+				return true, err
+			}); err != nil {
+				logrus.Errorf("Failed to save TLS secret after controller init: %v", err)
+			}
+		})
 		return secret, nil
 	}

-	if existing, err := s.storage.Get(); err == nil && s.tls != nil {
-		if newSecret, updated, err := s.tls.Merge(secret, existing); err == nil && updated {
-			secret = newSecret
-		}
-	}
-
 	targetSecret, err := s.targetSecret()
 	if err != nil {
 		return nil, err
 	}

-	if equality.Semantic.DeepEqual(targetSecret.Annotations, secret.Annotations) &&
-		equality.Semantic.DeepEqual(targetSecret.Data, secret.Data) {
-		return secret, nil
+	// if we don't have a TLS factory we can't create certs, so don't bother trying to merge anything,
+	// in favor of just blindly replacing the fields on the Kubernetes secret.
+	if s.tls != nil {
+		// merge new secret with secret from backing storage, if one exists
+		if existing, err := s.Get(); err == nil && cert.IsValidTLSSecret(existing) {
+			if newSecret, updated, err := s.tls.Merge(existing, secret); err == nil && updated {
+				secret = newSecret
+			}
+		}
+
+		// merge new secret with existing secret from Kubernetes, if one exists
+		if cert.IsValidTLSSecret(targetSecret) {
+			if newSecret, updated, err := s.tls.Merge(targetSecret, secret); err != nil {
+				return nil, err
+			} else if !updated {
+				return newSecret, nil
+			} else {
+				secret = newSecret
+			}
+		}
+	}
+
+	// ensure that the merged secret actually contains data before overwriting the existing fields
+	if !cert.IsValidTLSSecret(secret) {
+		logrus.Warnf("Skipping save of TLS secret for %s/%s due to missing certificate data", secret.Namespace, secret.Name)
+		return targetSecret, nil
 	}

 	targetSecret.Annotations = secret.Annotations
@@ -142,32 +219,49 @@ func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
 	targetSecret.Data = secret.Data

 	if targetSecret.UID == "" {
-		logrus.Infof("Creating new TLS secret for %v (count: %d): %v", targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
+		logrus.Infof("Creating new TLS secret for %s/%s (count: %d): %v", targetSecret.Namespace, targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
 		return s.secrets.Create(targetSecret)
-	} else {
-		logrus.Infof("Updating TLS secret for %v (count: %d): %v", targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
-		return s.secrets.Update(targetSecret)
 	}
+	logrus.Infof("Updating TLS secret for %s/%s (count: %d): %v", targetSecret.Namespace, targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
+	return s.secrets.Update(targetSecret)
 }

-func (s *storage) Update(secret *v1.Secret) (err error) {
-	s.Lock()
-	defer s.Unlock()
-
-	for i := 0; i < 3; i++ {
-		secret, err = s.saveInK8s(secret)
-		if errors.IsConflict(err) {
-			continue
-		} else if err != nil {
-			return err
+func (s *storage) Update(secret *v1.Secret) error {
+	// Asynchronously update the Kubernetes secret, as doing so inline may block the listener from
+	// accepting new connections if the apiserver becomes unavailable after the Secrets controller
+	// has been initialized. We're not passing around any contexts here, nor does the controller
+	// accept any, so there's no good way to soft-fail with a reasonable timeout.
+	go func() {
+		if err := s.update(secret); err != nil {
+			logrus.Errorf("Failed to save TLS secret for %s/%s: %v", secret.Namespace, secret.Name, err)
 		}
-		break
-	}
+	}()
+	return nil
+}
+
+func isConflictOrAlreadyExists(err error) bool {
+	return errors.IsConflict(err) || errors.IsAlreadyExists(err)
+}
+
+func (s *storage) update(secret *v1.Secret) (err error) {
+	var newSecret *v1.Secret
+	err = retry.OnError(retry.DefaultRetry, isConflictOrAlreadyExists, func() error {
+		newSecret, err = s.saveInK8s(secret)
+		return err
+	})

 	if err != nil {
 		return err
 	}

-	// update underlying storage
-	return s.storage.Update(secret)
+	// Only hold the lock while updating underlying storage
+	s.Lock()
+	defer s.Unlock()
+	return s.storage.Update(newSecret)
+}
+
+func (s *storage) initComplete() bool {
+	s.RLock()
+	defer s.RUnlock()
+	return s.initialized
 }
--- a/storage/memory/memory.go
+++ b/storage/memory/memory.go
@@ -32,13 +32,15 @@ func (m *memory) Get() (*v1.Secret, error) {
 }

 func (m *memory) Update(secret *v1.Secret) error {
-	if m.storage != nil {
-		if err := m.storage.Update(secret); err != nil {
-			return err
+	if m.secret == nil || m.secret.ResourceVersion == "" || m.secret.ResourceVersion != secret.ResourceVersion {
+		if m.storage != nil {
+			if err := m.storage.Update(secret); err != nil {
+				return err
+			}
 		}
-	}

-	logrus.Infof("Active TLS secret %s (ver=%s) (count %d): %v", secret.Name, secret.ResourceVersion, len(secret.Annotations)-1, secret.Annotations)
-	m.secret = secret
+		logrus.Infof("Active TLS secret %s/%s (ver=%s) (count %d): %v", secret.Namespace, secret.Name, secret.ResourceVersion, len(secret.Annotations)-1, secret.Annotations)
+		m.secret = secret
+	}
 	return nil
 }
--- a/storage/static/static.go
+++ b/storage/static/static.go
@@ -0,0 +1,36 @@
+package static
+
+import (
+	"github.com/rancher/dynamiclistener/factory"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Storage struct {
+	Secret *v1.Secret
+}
+
+func New(certPem, keyPem []byte) *Storage {
+	return &Storage{
+		Secret: &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					factory.Static: "true",
+				},
+			},
+			Data: map[string][]byte{
+				v1.TLSCertKey:       certPem,
+				v1.TLSPrivateKeyKey: keyPem,
+			},
+			Type: v1.SecretTypeTLS,
+		},
+	}
+}
+
+func (s *Storage) Get() (*v1.Secret, error) {
+	return s.Secret, nil
+}
+
+func (s *Storage) Update(_ *v1.Secret) error {
+	return nil
+}
Author	SHA1	Message	Date
renovate-rancher[bot]	a47262c730	Update GitHub Actions	2025-08-12 04:40:01 +00:00
renovate-rancher[bot]	e008d3c5e8	Update module github.com/stretchr/testify to v1.10.0 (#152 ) Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2025-02-19 19:36:50 -08:00
renovate-rancher[bot]	fd45ac1d6c	Update module golang.org/x/crypto to v0.33.0 (#149 ) Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2025-02-19 12:01:02 -08:00
renovate-rancher[bot]	df1da8dc03	Update actions/setup-go action to v5.3.0 (#148 ) Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2025-02-19 12:00:50 -08:00
renovate-rancher[bot]	91d39f3e2d	Update actions/checkout action to v4.2.2 (#147 ) Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2025-02-19 12:00:16 -08:00
Chad Roberts	cea9dc0596	Add GITHUB_TOKEN to env for release action (#155 )	2024-11-26 09:55:23 -05:00
Chad Roberts	60cbdf0bb4	Add release.yaml for 0.5 branch (#127 )	2024-11-15 12:20:49 -05:00
Krunal Hingu	b6f51e5c56	bump versions for k8s 1.29.3 (#107 )	2024-05-03 13:24:08 -04:00
Tom Lebreux	7a349f0e17	Add GHA to test the code (#98 )	2024-04-18 09:38:05 -04:00
Tom Lebreux	1eeb4b5b17	Downgrade github.com/prometheus/client_golang to v1.16.0 (#105 ) Fix incompatibility issue with k8s v1.28.6	2024-04-17 14:53:05 -04:00
Tom Lebreux	7d8524f076	Dependencies bumps (#103 ) * Update module golang.org/x/crypto to v0.22.0 * Update module github.com/rancher/wrangler/v2 to v2.2.0-rc3 --------- Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2024-04-10 15:30:59 -04:00
Michael Bolot	a1393faa8a	Merge pull request #97 from tomleb/wrangler-bumps-v2.2.0-rc1 Bump wrangler to v2.2.0-rc1	2024-03-26 13:47:35 -05:00
Tom Lebreux	7bb1110b59	Bump wrangler to v2.2.0-rc1	2024-03-26 14:45:06 -04:00
Michael Bolot	56e6e37ee5	Merge pull request #96 from tomleb/renovate-bumps-mar25 Renovate bumps	2024-03-25 16:03:28 -05:00
Tom Lebreux	bc5ed0e4ce	Bump Go to 1.22	2024-03-25 16:51:02 -04:00
Tom Lebreux	b3f1ab27eb	Update module golang.org/x/crypto to v0.21.0	2024-03-25 16:50:11 -04:00
renovate-rancher[bot]	6f261cdc0a	Update module github.com/stretchr/testify to v1.9.0	2024-03-25 16:47:18 -04:00
renovate-rancher[bot]	f0bbc6c283	Update module github.com/rancher/wrangler/v2 to v2.1.4	2024-03-25 16:46:06 -04:00
Kinara Shah	746c52d537	Merge pull request #87 from chiukapoor/rancher-v1.28 [v1.28] Bump dependencies to k8s 1.28.6 \| Update wrangler to v2.1.3	2024-02-06 10:08:33 -08:00
Chirayu Kapoor	69578d4219	Bump dependencies to support k8s 1.28 \| January Patch Signed-off-by: Chirayu Kapoor <chirayu.kapoor@suse.com>	2024-02-01 01:01:43 +05:30
Caleb Bron	d80ffb5c22	Merge pull request #88 from KevinJoiner/wrangler-v2 Bumps rancher/wrangler to it's tagged v2 version.	2024-01-24 08:13:33 -07:00
Kevin Joiner	e6451ba1e8	Bumps rancher/wrangler to it's tagged v2 version.	2024-01-11 16:22:55 -05:00
vardhaman22	0a2d8dff62	retry saving missed secret after intial sync	2023-09-28 09:53:35 -07:00
Kinara Shah	0132d96ec2	Merge pull request #80 from vardhaman22/k8s-1.27.4 updated deps for k8s 1.27	2023-08-30 22:23:50 -07:00
vardhaman22	06acb83e5d	fix listener call	2023-08-31 10:50:15 +05:30
vardhaman22	10456ff2e6	updated deps for k8s 1.27	2023-08-23 11:45:25 +05:30
Brad Davidson	1c60bf414f	Fix deadlock caused by apiserver outage during init We had similar code to prevent blocking when calling Update(), but not in the init function. Ref: https://github.com/rancher/rancher/issues/42278 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2023-08-15 12:44:26 -07:00
renovate-rancher[bot]	3e7612c2c9	Update module github.com/sirupsen/logrus to v1.9.3	2023-08-15 12:43:48 -07:00
Derek Nola	e6585da47a	Merge pull request #78 from knoppiks/multiple-ca-certs Allow multiple (intermediate) CA certs	2023-08-11 12:43:10 -07:00
Jonas Wagner	6cc9a670e1	Prevent Panic for empty Arrays on Error Co-authored-by: Brad Davidson <brad@oatmail.org> Signed-off-by: Jonas Wagner <jwagner@knoppiks.de>	2023-07-14 08:28:48 +02:00
Jonas Wagner	8f13b193a1	Use more Verbose name for Listener Co-authored-by: Brad Davidson <brad@oatmail.org> Signed-off-by: Jonas Wagner <jwagner@knoppiks.de	2023-07-14 08:28:47 +02:00
Jonas Wagner	02304047cf	Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de>	2023-07-10 09:42:17 +02:00
Kevin Joiner	4c1ac9bd4b	Removes wait loop for listener certs.	2023-07-06 11:20:27 -07:00
Ricardo Weir	2b62d5cc69	Merge pull request #71 from rancher/deploy-renovate-2023-04-18-11-27-11 Add initial Renovate configuration	2023-04-27 10:28:43 -07:00
renovate-rancher[bot]	2ac221e5d6	Add initial Renovate configuration	2023-04-18 11:27:12 +00:00
Ricardo Weir	b7a028fe3f	Merge pull request #69 from rmweir/update-wrangler Update wrangler to v1.1.0	2023-02-22 14:08:10 -07:00
Ricardo Weir	a150115362	Update wrangler to v1.1.0	2023-02-21 15:41:43 -07:00
Michael Bolot	7001abfa1f	Bump go version to 1.19	2022-10-19 12:32:07 -07:00
Michael Bolot	3adafb7edb	Tests for Marking additional connections as ready	2022-10-19 12:32:07 -07:00
Michael Bolot	e73d5f2fca	Marking additional connections as ready Most connections were not marked as ready despite having retrieved a valid cert. This change makes all connections which succesfully retrieved a cert get marked as ready	2022-10-19 12:32:07 -07:00
Caleb Bron	401fafb7e6	Merge pull request #64 from w13915984028/fix63 fix63 use sleep instead of force scheduling	2022-07-28 13:43:07 -07:00
Jian Wang	bad953b9f0	fix63 use sleep instead of force scheduling	2022-07-27 08:59:22 +02:00
Brad Davidson	8ebd77f8a4	Raise default ExpirationDaysCheck to 90 and extend into cert factory Most of our products actually renew at 90 days, so make that the default. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2022-07-21 14:08:16 -07:00
Brad Davidson	fdf983a935	Don't merge expired certs over the top of an unexpired cert Fixes an issue where an expired Kubernetes secret would replace the renewed locally-cached cert after cluster startup. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2022-07-21 14:08:16 -07:00
Flavio Grossi	7b5997cee9	always use CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS when generating a certificate	2022-07-20 12:07:31 -07:00
Lucas Ramage	42d72c2ef2	Merge pull request #56 from rancher/fossa Implement drone-plugin-fossa	2022-07-01 10:58:54 -04:00
Brad Davidson	d2b7e2aaa6	We support IPv6 now, don't skip adding IPv6 address SANs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2022-05-20 12:21:30 -07:00
Brad Davidson	a30741bb53	Send complete certificate chain, not just the leaf cert Also, print a warning when signing may change the issuer. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2022-05-20 12:21:30 -07:00
Brad Davidson	4df376813d	Improve log messages and warn if no cert is available Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2022-05-20 12:21:30 -07:00
Brad Davidson	9b92d13bcb	Fix initial secret not being written to Kubernetes Updates to the secret that occurred before the controller was done syncing were not being written to Kubernetes. Subsequent updates to the secret would eventually get it written, but Rancher requires that the cert be written immediately. This was probably an unnecessary optimization anyway, so back it out in favor of just checking to see if the secrets controller is available. Also fixed improper handling of multiple goroutines attempting to create the Kubernetes secret at the same time; this was also handled eventually but caused an unnecessary round of extra writes to the secret. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2022-05-20 12:21:30 -07:00
Brad Davidson	b1d65efb6f	Move Kubernetes Secrets storage update to goroutine Fixes issue where apiserver outages can block dynamiclistener from accepting new connections. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2022-05-02 18:48:48 -07:00
Lucas Ramage	5e81b14c1f	Implement drone-plugin-fossa	2022-03-31 16:28:22 -04:00
Brian Downs	148d38076d	update config to allow for specifying experiation in days (#53 )	2021-12-21 15:38:04 -07:00
Brad Davidson	43f9c3ae0a	Fix handling of IPv6 addresses and long hostnames Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2021-11-23 23:38:49 -08:00
Brad Davidson	284cc004e8	Fix listenAndServe certificate expiration by preloading certs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2021-11-23 23:38:49 -08:00
Kinara Shah	120a37b97a	Merge pull request #51 from nickgerace/quick-fix Add README	2021-11-19 14:29:09 -08:00
Nick Gerace	bbac29e0fa	Add README	2021-11-19 13:50:48 -05:00
Kinara Shah	962b635269	Merge pull request #50 from nickgerace/quick-fix Fix defaultNewSignedCertExpirationDays const	2021-11-19 10:28:49 -08:00
Nick Gerace	f147aa4166	Fix defaultNewSignedCertExpirationDays const This a quick fix for `2644a6ed16`	2021-11-19 12:31:47 -05:00
Kinara Shah	63157c59ce	Merge pull request #46 from nickgerace/days Allow for default expiration days to be loaded from env	2021-11-19 08:59:57 -08:00
Nick Gerace	2644a6ed16	Allow for default expiration days to be loaded from env	2021-11-18 12:38:35 -05:00
Brian Downs	27f4642299	Add ability to force cert regeneration (#43 ) * add ability to force cert regeneration	2021-11-15 13:50:26 -07:00
Caleb Bron	cd5d71f2fe	Merge pull request #44 from cmurphy/fix-type Fix net.Conn type assertion	2021-11-04 13:09:48 -07:00
Colleen Murphy	fb66484384	Fix net.Conn type assertion Don't assert that all connections are wrapped, as they won't be if the CloseConnOnCertChange setting is false. Only run the assertion within a conditional for wrapped connections, where it is safe. This prevents a panic from happening when CloseConnOnCertChange is not used.	2021-10-29 11:03:02 -07:00
Darren Shepherd	6b37dc1212	Merge pull request #42 from cmurphy/fix-close-conn Skip closing an initializing connection	2021-10-27 08:35:21 -07:00
Colleen Murphy	c7dd355394	Skip closing an initializing connection Without this change, if a cert is updated (e.g. to add CNs) while the listener is in the middle of Accept()ing a new connection, the connection gets dropped, we'll see a message like this in the server logs: http: TLS handshake error from 127.0.0.1:51232: write tcp 127.0.7.1:8443->127.0.0.1:51232: use of closed network connection and the client (like a browser) won't necessarily reconnect. This change modifies the GetCertificate routine in the listener's tls.Config to keep track of the state of the incoming connections and only close connections that have completed GetCertificate and therefore are finished with their TLS handshake, so that only old established connections are closed.	2021-10-25 13:17:24 -07:00
Darren Shepherd	94e22490cf	Merge pull request #41 from weihanglo/nil-defer-storage-tls Merge TLS only if TLS factory is set	2021-08-03 10:23:59 -07:00
Weihang Lo	b45d8a455e	Merge TLS only if TLS factory is set Since `storage.tls` is optional, we should check it existence before calling its methods.	2021-07-12 18:25:01 +08:00
Darren Shepherd	9865ae859c	Don't reset connections on the first load of the certs	2021-06-16 01:00:09 -07:00
Darren Shepherd	db883ae66a	Don't reset connections on the first load of the certs	2021-06-16 00:23:14 -07:00
Darren Shepherd	9dfd7df057	Pass context to http server as BaseContext	2021-06-15 22:42:42 -07:00
Darren Shepherd	ff22834bde	Avoid panic when secret is nil	2021-06-15 22:42:42 -07:00
Sjoerd Simons	dc7452dbb8	Accept IPv6 address as CN names Expand the cnRegexp to also accept ipv6 addresses such as: * ::1 * 2a00:1450:400e:80e:: * 2a00:1450:400e:80e::200e Fixes: #37 Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>	2021-06-14 11:07:13 -07:00
Dan Ramich	86af265dcd	Merge pull request #35 from dramich/panic Update IsStatic to check for nil annotations	2021-04-26 09:21:45 -06:00
Dan Ramich	f373fc1c7c	Update IsStatic to check for nil annotations	2021-04-23 14:56:14 -06:00
Darren Shepherd	e7b1adba70	Update to wrangler v0.8.0 and merge v0.2.x to master	2021-04-12 15:09:30 -07:00
Darren Shepherd	a60200ab9e	Merge tag 'v0.2.3'	2021-04-12 15:00:05 -07:00
Hussein Galal	fc8cf5f3ea	Merge pull request #33 from galal-hussein/fix_load_certs Fixing loading certs to work with etcd only nodes	2021-03-05 22:54:49 +02:00
galal-hussein	3878ff2a1f	Fixing loading certs	2021-03-05 22:39:13 +02:00
Hussein Galal	1b2460c151	Merge pull request #32 from galal-hussein/fix_resversion Add check to update dynamic listener cert in etcd only nodes	2021-03-01 21:58:18 +02:00
galal-hussein	e34610a1ae	Add check to update dynamic listener cert in etcd only nodes	2021-03-01 21:52:45 +02:00
Darren Shepherd	9b1b7d3132	Add filter helper method	2020-11-09 21:52:17 -07:00
Darren Shepherd	85f32491cb	Add dumb hook to set the organization in the client cert	2020-09-10 13:32:14 -07:00
Brad Davidson	7c224dcdfb	Merge pull request #29 from brandond/force_reissue_0.2 Allow forcing cert reissuance (v0.2 backport)	2020-08-11 12:58:42 -07:00
Brad Davidson	53f6b38760	Allow forcing cert reissuance (#28 ) Refreshing the cert should force renewal as opposed to returning early if the SANs aren't changing. This is currently breaking refresh of expired certs as per: https://github.com/rancher/k3s/issues/1621#issuecomment-669464318 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2020-08-10 17:12:39 -07:00
Darren Shepherd	479ab335d6	Add LoadOrGenClient to handle client cert generation	2020-08-10 17:12:39 -07:00
Darren Shepherd	2bfb7bd0cb	Fix error masking issue Also don't do an extra lookup of TLS secret after update.	2020-08-10 17:12:39 -07:00
Darren Shepherd	ebebb82b9b	Add LoadOrGenClient to handle client cert generation	2020-08-01 23:37:51 -07:00
Darren Shepherd	bafb051656	Merge pull request #27 from ibuildthecloud/master Fix error masking issue	2020-07-27 22:48:58 -07:00
Darren Shepherd	3b42c52bec	Fix error masking issue Also don't do an extra lookup of TLS secret after update.	2020-07-27 22:48:13 -07:00
Darren Shepherd	207e8a5c14	Merge pull request #23 from KnicKnic/fix_certpath_windows fix certpath generation for windows	2020-07-27 22:48:06 -07:00
Darren Shepherd	9c1939da3a	Merge pull request #25 from ibuildthecloud/master Stop using wrangler-api project	2020-07-14 13:10:33 -07:00
Darren Shepherd	5529139fbe	Update vendor	2020-07-14 13:09:07 -07:00
Darren Shepherd	bcbb612b24	Stop using wrangler-api project	2020-07-14 13:09:07 -07:00
Knic Knic	94e23c7edb	fix certpath generation for windows	2020-04-25 22:59:52 -07:00
Darren Shepherd	52ede5ec92	Merge pull request #22 from ibuildthecloud/master Always allow configured SANs regardless of the FilterCN	2020-04-17 19:33:42 -07:00
Darren Shepherd	5c222d5753	Don't parse x509 cert on each request	2020-04-17 19:31:42 -07:00
Darren Shepherd	74a61a850d	Always allow configured SANs regardless of the FilterCN	2020-04-17 19:31:31 -07:00
Darren Shepherd	4436fc6b48	Merge pull request #21 from ibuildthecloud/master Add ability to confirm adding new CNs	2020-04-02 22:10:05 -07:00
Darren Shepherd	4bac3f291f	Add ability to confirm adding new CNs	2020-04-02 22:08:36 -07:00
Darren Shepherd	c992ce309c	Reject bad CNs that will prevent the secret from being saved.	2020-04-02 22:07:45 -07:00
Darren Shepherd	763229ddcd	Merge pull request #20 from ibuildthecloud/master Add ability to limit the maximum number of SANs	2020-03-18 23:17:31 -07:00
Darren Shepherd	171fcf6b79	If connection closing is enabled then don't support HTTP/2	2020-03-18 23:16:38 -07:00
Darren Shepherd	05d7922a86	Add ability to limit the maximum number of SANs	2020-03-18 23:16:38 -07:00
Darren Shepherd	1e67d402dc	Merge pull request #19 from ibuildthecloud/master For web browser based requests do not consider IPs in host headers	2020-03-14 10:17:03 -07:00
Darren Shepherd	7e3fc0c594	For web browser based requests do not consider IPs in host headers	2020-03-14 10:16:11 -07:00
Darren Shepherd	111c5b43e9	Merge pull request #18 from ibuildthecloud/dropconn Wrong lock used to protect conn map	2020-02-13 09:53:08 -07:00
Darren Shepherd	bd73d0d4bc	Wrong lock used to protect conn map	2020-02-13 09:52:45 -07:00
Darren Shepherd	5276ad483a	Merge pull request #17 from ibuildthecloud/dropconn Add option to close connections on cert change	2020-02-12 14:13:44 -07:00
Darren Shepherd	8545ce98db	Add option to close connections on cert change	2020-02-12 14:00:40 -07:00
Darren Shepherd	3f92468568	Merge pull request #16 from ibuildthecloud/master Fix acme listener	2020-02-07 14:28:38 -07:00
Darren Shepherd	5ba69b1c5f	Fix acme listener	2020-02-07 14:20:45 -07:00
Darren Shepherd	6281628cd4	Merge pull request #15 from ibuildthecloud/master Add BindHost option	2020-02-05 23:12:55 -07:00
Darren Shepherd	0b114dc0c2	Add BindHost option	2020-02-05 23:11:51 -07:00
Darren Shepherd	ece289ed54	Merge pull request #14 from ibuildthecloud/master Fix merging of the k8s secret to reduce the number of writes	2020-02-04 12:49:56 -07:00
Darren Shepherd	bc68bf5499	Fix merging of the k8s secret to reduce the number of writes	2020-02-04 12:48:38 -07:00
Darren Shepherd	795bb90214	Merge pull request #13 from ibuildthecloud/master Add more helpers	2020-01-30 22:41:53 -07:00
Darren Shepherd	dcc205f52d	mod tidy	2020-01-30 22:41:19 -07:00
Darren Shepherd	4e8035fa46	Fix go fmt/vet issues	2020-01-30 22:41:19 -07:00
Darren Shepherd	a75e84bc81	Add more helpers	2020-01-30 22:41:19 -07:00
Darren Shepherd	ab900b5268	Merge pull request #12 from ibuildthecloud/master Add static storage and listener opts	2019-12-04 11:35:09 -07:00
Darren Shepherd	f1484a07b3	Add static storage and listener opts	2019-12-04 11:32:00 -07:00