dynamic certs: do not copy mutex via shallow copy of tls.Config

go vet error:

call of dynamiccertificates.NewDynamicServingCertificateController
copies lock value: crypto/tls.Config contains sync.Once contains
sync.Mutex

Signed-off-by: Monis Khan <mok@vmware.com>

staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/server_test.go

@@ -79,7 +79,7 @@ func TestServingCert(t *testing.T) {
 	}
 
 	dynamicCertificateController := NewDynamicServingCertificateController(
-		*tlsConfig,
+		tlsConfig,
 		&nullCAContent{name: "client-ca"},
 		defaultCertProvider,
 		sniCerts,

staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/tlsconfig.go

@@ -41,7 +41,7 @@ const workItemKey = "key"
 type DynamicServingCertificateController struct {
 	// baseTLSConfig is the static portion of the tlsConfig for serving to clients.  It is copied and the copy is mutated
 	// based on the dynamic cert state.
-	baseTLSConfig tls.Config
+	baseTLSConfig *tls.Config
 
 	// clientCA provides the very latest content of the ca bundle
 	clientCA CAContentProvider
@@ -65,7 +65,7 @@ var _ Listener = &DynamicServingCertificateController{}
 
 // NewDynamicServingCertificateController returns a controller that can be used to keep a TLSConfig up to date.
 func NewDynamicServingCertificateController(
-	baseTLSConfig tls.Config,
+	baseTLSConfig *tls.Config,
 	clientCA CAContentProvider,
 	servingCert CertKeyContentProvider,
 	sniCerts []SNICertKeyContentProvider,

staging/src/k8s.io/apiserver/pkg/server/secure_serving.go

@@ -66,7 +66,7 @@ func (s *SecureServingInfo) tlsConfig(stopCh <-chan struct{}) (*tls.Config, erro
 
 	if s.ClientCA != nil || s.Cert != nil || len(s.SNICerts) > 0 {
 		dynamicCertificateController := dynamiccertificates.NewDynamicServingCertificateController(
-			*tlsConfig,
+			tlsConfig,
 			s.ClientCA,
 			s.Cert,
 			s.SNICerts,