Use chinese crypto

.github/renovate.json

@@ -1,9 +0,0 @@
-{
-  "extends": [
-    "github>rancher/renovate-config#release"
-  ],
-  "baseBranches": [
-    "master"
-  ],
-  "prHourlyLimit": 2
-}

.github/workflows/renovate.yml

@@ -1,25 +0,0 @@
-name: Renovate
-on:
-  workflow_dispatch:
-    inputs:
-      logLevel:
-        description: "Override default log level"
-        required: false
-        default: "info"
-        type: string
-      overrideSchedule:
-        description: "Override all schedules"
-        required: false
-        default: "false"
-        type: string
-  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
-  schedule:
-    - cron: '30 4,6 * * *'
-
-jobs:
-  call-workflow:
-    uses: rancher/renovate-config/.github/workflows/renovate.yml@release
-    with:
-      logLevel: ${{ inputs.logLevel || 'info' }}
-      overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
-    secrets: inherit

cert/cert.go

@@ -66,11 +66,16 @@ type AltNames struct {
 	IPs      []net.IP
 }
 
-// NewPrivateKey creates an RSA private key
-func NewPrivateKey() (*rsa.PrivateKey, error) {
+// NewRSAPrivateKey creates an RSA private key
+func NewRSAPrivateKey() (*rsa.PrivateKey, error) {
 	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
 }
 
+// NewPrivateKey creates an RSA private key
+func NewPrivateKey() (*ecdsa.PrivateKey, error) {
+	return ecdsa.GenerateKey(elliptic.P256Sm2(), cryptorand.Reader)
+}
+
 // NewSelfSignedCACert creates a CA certificate
 func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
 	now := time.Now()
@@ -153,7 +158,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 
 // MakeEllipticPrivateKeyPEM creates an ECDSA private key
 func MakeEllipticPrivateKeyPEM() ([]byte, error) {
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256Sm2(), cryptorand.Reader)
 	if err != nil {
 		return nil, err
 	}
@@ -204,7 +209,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 		maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
 	}
 
-	caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+	caKey, err := NewPrivateKey()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -232,7 +237,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 		return nil, nil, err
 	}
 
-	priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+	priv, err := NewPrivateKey()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -275,7 +280,12 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 
 	// Generate key
 	keyBuffer := bytes.Buffer{}
-	if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+	privBuf, err := x509.MarshalECPrivateKey(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if err := pem.Encode(&keyBuffer, &pem.Block{Type: ECPrivateKeyBlockType, Bytes: privBuf}); err != nil {
 		return nil, nil, err
 	}
 

cert/cert_test.go

@@ -0,0 +1,39 @@
+package cert
+
+import (
+	"crypto/ecdsa"
+	"fmt"
+	"os"
+	"testing"
+)
+
+func TestCreateAndReadCert(t *testing.T) {
+	kFile := "service.key"
+	defer os.Remove(kFile)
+	key, err := NewPrivateKey()
+	if err != nil {
+		t.Errorf("failed to create private key: %v", err)
+	}
+
+	if err := WriteKey(kFile, EncodePrivateKeyPEM(key)); err != nil {
+		t.Errorf("failed to encode private key to pem: %v", err)
+	}
+
+	keyR, err := PrivateKeyFromFile(kFile)
+	if err != nil {
+		t.Errorf("failed to load private key from file: %v", err)
+	}
+
+	switch k := keyR.(type) {
+	case *ecdsa.PrivateKey:
+		fmt.Println("loaded back ecdsa private key")
+	default:
+		t.Errorf("load back a wrong private key %v", k)
+	}
+
+	buf := EncodePrivateKeyPEM(key)
+	_, err = ParsePrivateKeyPEM(buf)
+	if err != nil {
+		t.Errorf("failed to parse private key from pem: %v", err)
+	}
+}

cert/csr.go

@@ -17,6 +17,7 @@ limitations under the License.
 package cert
 
 import (
+	"crypto/ecdsa"
 	cryptorand "crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
@@ -60,8 +61,11 @@ func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateReque
 
 func sigType(privateKey interface{}) x509.SignatureAlgorithm {
 	// Customize the signature for RSA keys, depending on the key size
-	if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
-		keySize := privateKey.N.BitLen()
+	switch privK := privateKey.(type) {
+	case *ecdsa.PrivateKey:
+		return x509.ECDSAWithSHA256
+	case *rsa.PrivateKey:
+		keySize := privK.N.BitLen()
 		switch {
 		case keySize >= 4096:
 			return x509.SHA512WithRSA

cert/pem.go

@@ -41,7 +41,7 @@ const (
 )
 
 // EncodePublicKeyPEM returns PEM-encoded public data
-func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
+func EncodePublicKeyPEM(key interface{}) ([]byte, error) {
 	der, err := x509.MarshalPKIXPublicKey(key)
 	if err != nil {
 		return []byte{}, err
@@ -54,12 +54,25 @@ func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
 }
 
 // EncodePrivateKeyPEM returns PEM-encoded private key data
-func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
-	block := pem.Block{
-		Type:  RSAPrivateKeyBlockType,
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
+func EncodePrivateKeyPEM(key interface{}) []byte {
+	var block *pem.Block
+	switch privKey := key.(type) {
+	case *ecdsa.PrivateKey:
+		derBytes, _ := x509.MarshalECPrivateKey(privKey)
+		block = &pem.Block{
+			Type:  ECPrivateKeyBlockType,
+			Bytes: derBytes,
+		}
+	case *rsa.PrivateKey:
+		block = &pem.Block{
+			Type:  RSAPrivateKeyBlockType,
+			Bytes: x509.MarshalPKCS1PrivateKey(privKey),
+		}
 	}
-	return pem.EncodeToMemory(&block)
+	if block != nil {
+		return pem.EncodeToMemory(block)
+	}
+	return []byte{}
 }
 
 // EncodeCertPEM returns PEM-endcoded certificate data

factory/ca.go

@@ -25,28 +25,18 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
 	return caCert, caKey, nil
 }
 
-// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
 func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
-	chain, signer, err := LoadOrGenCAChain()
-	if err != nil {
-		return nil, nil, err
-	}
-	return chain[0], signer, err
-}
-
-func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {
-	certs, key, err := loadCA()
+	cert, key, err := loadCA()
 	if err == nil {
-		return certs, key, nil
+		return cert, key, nil
 	}
 
-	cert, key, err := GenCA()
+	cert, key, err = GenCA()
 	if err != nil {
 		return nil, nil, err
 	}
-	certs = []*x509.Certificate{cert}
 
-	certBytes, keyBytes, err := MarshalChain(key, certs...)
+	certBytes, keyBytes, err := Marshal(cert, key)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -63,22 +53,14 @@ func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {
 		return nil, nil, err
 	}
 
-	return certs, key, nil
+	return cert, key, nil
 }
 
-func loadCA() ([]*x509.Certificate, crypto.Signer, error) {
-	return LoadCertsChain("./certs/ca.pem", "./certs/ca.key")
+func loadCA() (*x509.Certificate, crypto.Signer, error) {
+	return LoadCerts("./certs/ca.pem", "./certs/ca.key")
 }
 
 func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
-	chain, signer, err := LoadCAChain(caPem, caKey)
-	if err != nil {
-		return nil, nil, err
-	}
-	return chain[0], signer, nil
-}
-
-func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {
 	key, err := cert.ParsePrivateKeyPEM(caKey)
 	if err != nil {
 		return nil, nil, err
@@ -88,24 +70,15 @@ func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error
 		return nil, nil, fmt.Errorf("key is not a crypto.Signer")
 	}
 
-	certs, err := cert.ParseCertsPEM(caPem)
+	cert, err := ParseCertPEM(caPem)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	return certs, signer, nil
+	return cert, signer, nil
 }
 
-// Deprecated: Use LoadCertsChain instead as it supports intermediate CAs
 func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
-	chain, signer, err := LoadCertsChain(certFile, keyFile)
-	if err != nil {
-		return nil, nil, err
-	}
-	return chain[0], signer, err
-}
-
-func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signer, error) {
 	caPem, err := ioutil.ReadFile(certFile)
 	if err != nil {
 		return nil, nil, err
@@ -115,5 +88,5 @@ func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signe
 		return nil, nil, err
 	}
 
-	return LoadCAChain(caPem, caKey)
+	return LoadCA(caPem, caKey)
 }

factory/gen.go

@@ -33,7 +33,7 @@ var (
 )
 
 type TLS struct {
-	CACert              []*x509.Certificate
+	CACert              *x509.Certificate
 	CAKey               crypto.Signer
 	CN                  string
 	Organization        []string
@@ -178,7 +178,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 		return nil, false, err
 	}
 
-	keyBytes, certBytes, err := MarshalChain(privateKey, append([]*x509.Certificate{newCert}, t.CACert...)...)
+	keyBytes, certBytes, err := MarshalChain(privateKey, newCert, t.CACert)
 	if err != nil {
 		return nil, false, err
 	}
@@ -226,16 +226,14 @@ func (t *TLS) Verify(secret *v1.Secret) error {
 			x509.ExtKeyUsageAny,
 		},
 	}
-	for _, c := range t.CACert {
-		verifyOpts.Roots.AddCert(c)
-	}
+	verifyOpts.Roots.AddCert(t.CACert)
 
 	_, err = certificates[0].Verify(verifyOpts)
 	return err
 }
 
 func (t *TLS) newCert(domains []string, ips []net.IP, privateKey crypto.Signer) (*x509.Certificate, error) {
-	return NewSignedCert(privateKey, t.CACert[0], t.CAKey, t.CN, t.Organization, domains, ips)
+	return NewSignedCert(privateKey, t.CACert, t.CAKey, t.CN, t.Organization, domains, ips)
 }
 
 func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {

go.mod

@@ -1,63 +1,12 @@
 module github.com/rancher/dynamiclistener
 
-go 1.20
+go 1.12
 
 require (
-	github.com/rancher/wrangler v1.1.1-0.20230831050635-df1bd5aae9df
-	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.8.4
-	golang.org/x/crypto v0.11.0
-	k8s.io/api v0.27.4
-	k8s.io/apimachinery v0.27.4
-	k8s.io/client-go v0.27.4
-)
-
-require (
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.1 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.14.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29 // indirect
-	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.90.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	github.com/rancher/wrangler v0.8.9
+	github.com/sirupsen/logrus v1.4.2
+	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
+	k8s.io/api v0.18.8
+	k8s.io/apimachinery v0.18.8
+	k8s.io/client-go v0.18.8
 )

listener.go

@@ -34,12 +34,7 @@ type SetFactory interface {
 	SetFactory(tls TLSFactory)
 }
 
-// Deprecated: Use NewListenerWithChain instead as it supports intermediate CAs
 func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
-	return NewListenerWithChain(l, storage, []*x509.Certificate{caCert}, caKey, config)
-}
-
-func NewListenerWithChain(l net.Listener, storage TLSStorage, caCert []*x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
 	if config.CN == "" {
 		config.CN = "dynamic"
 	}
@@ -63,7 +58,6 @@ func NewListenerWithChain(l net.Listener, storage TLSStorage, caCert []*x509.Cer
 			ExpirationDaysCheck: config.ExpirationDaysCheck,
 		},
 		Listener:  l,
-		certReady: make(chan struct{}),
 		storage:   &nonNil{storage: storage},
 		sans:      config.SANs,
 		maxSANs:   config.MaxSANs,
@@ -160,7 +154,6 @@ type listener struct {
 	version   string
 	tlsConfig *tls.Config
 	cert      *tls.Certificate
-	certReady chan struct{}
 	sans      []string
 	maxSANs   int
 	init      sync.Once
@@ -169,12 +162,9 @@ type listener struct {
 func (l *listener) WrapExpiration(days int) net.Listener {
 	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
-
-		// wait for cert to be set, this will unblock when the channel is closed
-		select {
-		case <-ctx.Done():
-			return
-		case <-l.certReady:
+		// loop on short sleeps until certificate preload completes
+		for l.cert == nil {
+			time.Sleep(time.Millisecond)
 		}
 
 		for {
@@ -355,20 +345,8 @@ func (l *listener) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 			return nil, err
 		}
 	}
-	connCert, err := l.loadCert(newConn)
-	if connCert != nil && err == nil && newConn != nil && l.conns != nil {
-		// if we were successfully able to load a cert and are closing connections on cert changes, mark newConn ready
-		// this will allow us to close the connection if a future connection forces the cert to re-load
-		wrapper, ok := newConn.(*closeWrapper)
-		if !ok {
-			logrus.Debugf("will not mark non-close wrapper connection from %s to %s as ready", newConn.RemoteAddr(), newConn.LocalAddr())
-			return connCert, err
-		}
-		l.connLock.Lock()
-		l.conns[wrapper.id].ready = true
-		l.connLock.Unlock()
-	}
-	return connCert, err
+
+	return l.loadCert(newConn)
 }
 
 func (l *listener) updateCert(cn ...string) error {
@@ -455,15 +433,11 @@ func (l *listener) loadCert(currentConn net.Conn) (*tls.Certificate, error) {
 			}
 			_ = conn.close()
 		}
+		l.conns[currentConn.(*closeWrapper).id].ready = true
 		l.connLock.Unlock()
 	}
 
-	// we can only close the ready channel once when the cert is first assigned
-	canClose := l.cert == nil
 	l.cert = &cert
-	if canClose {
-		close(l.certReady)
-	}
 	l.version = secret.ResourceVersion
 	return l.cert, nil
 }

listener_test.go

@@ -1,225 +0,0 @@
-package dynamiclistener
-
-import (
-	"crypto/tls"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/rancher/dynamiclistener/factory"
-	"github.com/stretchr/testify/assert"
-	v1 "k8s.io/api/core/v1"
-	apiError "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-func Test_getCertificate(t *testing.T) {
-	beforeKey, beforeCert, err := newCertificate()
-	assert.NoError(t, err, "Error when setting up test - unable to construct before key for test")
-	beforeTLSCert, err := tls.X509KeyPair(beforeCert, beforeKey)
-	assert.NoError(t, err, "Error when setting up test - unable to convert before to tls.Certificate")
-	afterKey, afterCert, err := newCertificate()
-	assert.NoError(t, err, "Error when setting up test - unable to construct after key for test")
-	afterTLSCert, err := tls.X509KeyPair(afterCert, afterKey)
-	assert.NoError(t, err, "Error when setting up test - unable to convert after to tls.Certificate")
-	tests := []struct {
-		// input test vars
-		name          string
-		secret        *v1.Secret
-		secretErr     error
-		cachedCert    *tls.Certificate
-		cachedVersion string
-		currentConn   *closeWrapper
-		otherConns    map[int]*closeWrapper
-
-		// output/result test vars
-		closedConns  []int
-		expectedCert *tls.Certificate
-		wantError    bool
-	}{
-		{
-			name:   "no secret found",
-			secret: nil,
-			secretErr: apiError.NewNotFound(schema.GroupResource{
-				Group:    "",
-				Resource: "Secret",
-			}, "testSecret"),
-			currentConn: &closeWrapper{id: 0},
-			otherConns:  map[int]*closeWrapper{},
-
-			expectedCert: nil,
-			wantError:    true,
-		},
-		{
-			name: "secret found, and is up to date",
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					ResourceVersion: "1",
-					Name:            "testSecret",
-					Namespace:       "test",
-				},
-				Data: map[string][]byte{
-					v1.TLSCertKey:       beforeCert,
-					v1.TLSPrivateKeyKey: beforeKey,
-				},
-			},
-			cachedVersion: "1",
-			cachedCert:    &beforeTLSCert,
-			currentConn:   &closeWrapper{id: 0},
-			otherConns:    map[int]*closeWrapper{},
-
-			expectedCert: &beforeTLSCert,
-			wantError:    false,
-		},
-		{
-			name: "secret found, is not up to date, but k8s secret is not valid",
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					ResourceVersion: "2",
-					Name:            "testSecret",
-					Namespace:       "test",
-				},
-				Data: map[string][]byte{
-					v1.TLSPrivateKeyKey: []byte("strawberry"),
-				},
-			},
-			cachedVersion: "1",
-			cachedCert:    &beforeTLSCert,
-			currentConn:   &closeWrapper{id: 0},
-			otherConns:    map[int]*closeWrapper{},
-
-			expectedCert: &beforeTLSCert,
-			wantError:    false,
-		},
-		{
-			name: "secret found, but is not up to date",
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					ResourceVersion: "2",
-					Name:            "testSecret",
-					Namespace:       "test",
-				},
-				Data: map[string][]byte{
-					v1.TLSCertKey:       afterCert,
-					v1.TLSPrivateKeyKey: afterKey,
-				},
-			},
-			cachedVersion: "1",
-			cachedCert:    &beforeTLSCert,
-			currentConn:   &closeWrapper{id: 0},
-			otherConns:    map[int]*closeWrapper{},
-
-			expectedCert: &afterTLSCert,
-			wantError:    false,
-		},
-		{
-			name: "secret found, is not up to date, and we have conns using current cert",
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					ResourceVersion: "2",
-					Name:            "testSecret",
-					Namespace:       "test",
-				},
-				Data: map[string][]byte{
-					v1.TLSCertKey:       afterCert,
-					v1.TLSPrivateKeyKey: afterKey,
-				},
-			},
-			cachedVersion: "1",
-			cachedCert:    &beforeTLSCert,
-			currentConn:   &closeWrapper{id: 0},
-			otherConns: map[int]*closeWrapper{
-				1: {
-					id:    1,
-					ready: false,
-					Conn:  &fakeConn{},
-				},
-				2: {
-					id:    2,
-					ready: true,
-					Conn:  &fakeConn{},
-				},
-			},
-
-			closedConns:  []int{2},
-			expectedCert: &afterTLSCert,
-			wantError:    false,
-		},
-	}
-	for i := range tests {
-		test := tests[i]
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-			testConns := test.otherConns
-			if testConns != nil {
-				testConns[test.currentConn.id] = test.currentConn
-				// make sure our conn is listed as one of the current connections
-			}
-			l := listener{
-				cert:    test.cachedCert,
-				version: test.cachedVersion,
-				storage: &MockTLSStorage{
-					Secret:    test.secret,
-					SecretErr: test.secretErr,
-				},
-				conns: testConns,
-			}
-			for _, conn := range testConns {
-				conn.l = &l
-			}
-			newCert, err := l.getCertificate(&tls.ClientHelloInfo{Conn: test.currentConn})
-			if test.wantError {
-				assert.Errorf(t, err, "expected an error but none was provdied")
-			} else {
-				assert.NoError(t, err, "did not expect an error but got one")
-			}
-			assert.Equal(t, test.expectedCert, newCert, "expected cert did not match actual cert")
-			if test.expectedCert != nil && test.wantError == false && test.currentConn != nil && test.otherConns != nil {
-				assert.True(t, test.currentConn.ready, "expected connection to be ready but it was not")
-			} else {
-				if test.currentConn != nil {
-					assert.False(t, test.currentConn.ready, "did not expect connection to be ready")
-				}
-			}
-			for _, closedConn := range test.closedConns {
-				_, ok := l.conns[closedConn]
-				assert.False(t, ok, "closed conns should not be found")
-			}
-		})
-	}
-}
-
-func newCertificate() ([]byte, []byte, error) {
-	cert, key, err := factory.GenCA()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return factory.MarshalChain(key, cert)
-}
-
-type MockTLSStorage struct {
-	Secret    *v1.Secret
-	SecretErr error
-}
-
-func (m *MockTLSStorage) Get() (*v1.Secret, error) {
-	return m.Secret, m.SecretErr
-}
-
-func (m *MockTLSStorage) Update(secret *v1.Secret) error {
-	panic("Not implemented")
-}
-
-// adapted from k8s.io/apimachinery@v0.18.8/pkg/util.proxy/ugradeaware_test.go
-type fakeConn struct{}
-
-func (f *fakeConn) Read([]byte) (int, error)        { return 0, nil }
-func (f *fakeConn) Write([]byte) (int, error)       { return 0, nil }
-func (f *fakeConn) Close() error                    { return nil }
-func (fakeConn) LocalAddr() net.Addr                { return nil }
-func (fakeConn) RemoteAddr() net.Addr               { return nil }
-func (fakeConn) SetDeadline(t time.Time) error      { return nil }
-func (fakeConn) SetReadDeadline(t time.Time) error  { return nil }
-func (fakeConn) SetWriteDeadline(t time.Time) error { return nil }

server/server.go

@@ -21,8 +21,6 @@ import (
 )
 
 type ListenOpts struct {
-	CAChain []*x509.Certificate
-	// Deprecated: Use CAChain instead
 	CA                *x509.Certificate
 	CAKey             crypto.Signer
 	Storage           dynamiclistener.TLSStorage
@@ -134,7 +132,7 @@ func getTLSListener(ctx context.Context, tcp net.Listener, handler http.Handler,
 		return nil, nil, err
 	}
 
-	listener, dynHandler, err := dynamiclistener.NewListenerWithChain(tcp, storage, caCert, caKey, opts.TLSListenerConfig)
+	listener, dynHandler, err := dynamiclistener.NewListener(tcp, storage, caCert, caKey, opts.TLSListenerConfig)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -142,17 +140,13 @@ func getTLSListener(ctx context.Context, tcp net.Listener, handler http.Handler,
 	return listener, wrapHandler(dynHandler, handler), nil
 }
 
-func getCA(opts ListenOpts) ([]*x509.Certificate, crypto.Signer, error) {
-	if opts.CAKey != nil {
-		if opts.CAChain != nil {
-			return opts.CAChain, opts.CAKey, nil
-		} else if opts.CA != nil {
-			return []*x509.Certificate{opts.CA}, opts.CAKey, nil
-		}
+func getCA(opts ListenOpts) (*x509.Certificate, crypto.Signer, error) {
+	if opts.CA != nil && opts.CAKey != nil {
+		return opts.CA, opts.CAKey, nil
 	}
 
 	if opts.Secrets == nil {
-		return factory.LoadOrGenCAChain()
+		return factory.LoadOrGenCA()
 	}
 
 	if opts.CAName == "" {
@@ -167,7 +161,7 @@ func getCA(opts ListenOpts) ([]*x509.Certificate, crypto.Signer, error) {
 		opts.CANamespace = "kube-system"
 	}
 
-	return kubernetes.LoadOrGenCAChain(opts.Secrets, opts.CANamespace, opts.CAName)
+	return kubernetes.LoadOrGenCA(opts.Secrets, opts.CANamespace, opts.CAName)
 }
 
 func newStorage(ctx context.Context, opts ListenOpts) dynamiclistener.TLSStorage {

storage/kubernetes/ca.go

@@ -11,21 +11,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
 func LoadOrGenCA(secrets v1controller.SecretClient, namespace, name string) (*x509.Certificate, crypto.Signer, error) {
-	chain, signer, err := LoadOrGenCAChain(secrets, namespace, name)
-	if err != nil {
-		return nil, nil, err
-	}
-	return chain[0], signer, err
-}
-
-func LoadOrGenCAChain(secrets v1controller.SecretClient, namespace, name string) ([]*x509.Certificate, crypto.Signer, error) {
 	secret, err := getSecret(secrets, namespace, name)
 	if err != nil {
 		return nil, nil, err
 	}
-	return factory.LoadCAChain(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+	return factory.LoadCA(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
 }
 
 func LoadOrGenClient(secrets v1controller.SecretClient, namespace, name, cn string, ca *x509.Certificate, key crypto.Signer) (*x509.Certificate, crypto.Signer, error) {

storage/kubernetes/controller.go

@@ -14,7 +14,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/retry"
 )
 
@@ -26,7 +25,6 @@ func Load(ctx context.Context, secrets v1controller.SecretController, namespace,
 		namespace: namespace,
 		storage:   backing,
 		ctx:       ctx,
-		initSync:  &sync.Once{},
 	}
 	storage.init(secrets)
 	return storage
@@ -38,18 +36,23 @@ func New(ctx context.Context, core CoreGetter, namespace, name string, backing d
 		namespace: namespace,
 		storage:   backing,
 		ctx:       ctx,
-		initSync:  &sync.Once{},
 	}
 
 	// lazy init
 	go func() {
-		wait.PollImmediateUntilWithContext(ctx, time.Second, func(cxt context.Context) (bool, error) {
+		for {
 			if coreFactory := core(); coreFactory != nil {
 				storage.init(coreFactory.Core().V1().Secret())
-				return true, start.All(ctx, 5, coreFactory)
+				_ = start.All(ctx, 5, coreFactory)
+				return
 			}
-			return false, nil
-		})
+
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(time.Second):
+			}
+		}
 	}()
 
 	return storage
@@ -63,8 +66,6 @@ type storage struct {
 	secrets         v1controller.SecretController
 	ctx             context.Context
 	tls             dynamiclistener.TLSFactory
-	initialized     bool
-	initSync        *sync.Once
 }
 
 func (s *storage) SetFactory(tls dynamiclistener.TLSFactory) {
@@ -91,17 +92,7 @@ func (s *storage) init(secrets v1controller.SecretController) {
 	})
 	s.secrets = secrets
 
-	// Asynchronously sync the backing storage to the Kubernetes secret, as doing so inline may
-	// block the listener from accepting new connections if the apiserver becomes unavailable
-	// after the Secrets controller has been initialized. We're not passing around any contexts
-	// here, nor does the controller accept any, so there's no good way to soft-fail with a
-	// reasonable timeout.
-	go s.syncStorage()
-}
-
-func (s *storage) syncStorage() {
-	var updateStorage bool
-	secret, err := s.Get()
+	secret, err := s.storage.Get()
 	if err == nil && cert.IsValidTLSSecret(secret) {
 		// local storage had a cached secret, ensure that it exists in Kubernetes
 		_, err := s.secrets.Create(&v1.Secret{
@@ -118,20 +109,14 @@ func (s *storage) syncStorage() {
 		}
 	} else {
 		// local storage was empty, try to populate it
-		secret, err = s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
+		secret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
 		if err != nil {
 			if !errors.IsNotFound(err) {
 				logrus.Warnf("Failed to init Kubernetes secret: %v", err)
 			}
-		} else {
-			updateStorage = true
+			return
 		}
-	}
 
-	s.Lock()
-	defer s.Unlock()
-	s.initialized = true
-	if updateStorage {
 		if err := s.storage.Update(secret); err != nil {
 			logrus.Warnf("Failed to init backing storage secret: %v", err)
 		}
@@ -164,20 +149,6 @@ func (s *storage) targetSecret() (*v1.Secret, error) {
 
 func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
 	if !s.initComplete() {
-		// Start a goroutine to attempt to save the secret later, once init is complete.
-		// If this was already handled by initComplete, it should be a no-op, or at worst get
-		// merged with the Kubernetes secret.
-		go s.initSync.Do(func() {
-			if err := wait.Poll(100*time.Millisecond, 15*time.Minute, func() (bool, error) {
-				if !s.initComplete() {
-					return false, nil
-				}
-				_, err := s.saveInK8s(secret)
-				return true, err
-			}); err != nil {
-				logrus.Errorf("Failed to save TLS secret after controller init: %v", err)
-			}
-		})
 		return secret, nil
 	}
 
@@ -263,5 +234,5 @@ func (s *storage) update(secret *v1.Secret) (err error) {
 func (s *storage) initComplete() bool {
 	s.RLock()
 	defer s.RUnlock()
-	return s.initialized
+	return s.secrets != nil
 }