Add ability to force cert regeneration (#43) (#48)

* add ability to force cert regeneration

.drone.yml

@@ -1,15 +0,0 @@
----
-
-kind: pipeline
-name: fossa
-
-steps:
-- name: fossa
-  image: rancher/drone-fossa:latest
-  settings:
-    api_key:
-      from_secret: FOSSA_API_KEY
-  when:
-    instance:
-      - drone-publish.rancher.io
-

README.md

@@ -1,10 +0,0 @@
-# [dynamiclistener](https://github.com/rancher/dynamiclistener)
-
-This `README` is a work in progress; aimed towards providing information for navigating the contents of this repository.
-
-## Changing the Expiration Days for Newly Signed Certificates
-
-By default, a newly signed certificate is set to expire 365 days (1 year) after its creation time and date.
-You can use the `CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS` environment variable to change this value.
-
-**Please note:** the value for the aforementioned variable must be a string representing an unsigned integer corresponding to the number of days until expiration (i.e. X509 "NotAfter" value).

cert/cert.go

@@ -33,9 +33,7 @@ import (
 	"math"
 	"math/big"
 	"net"
-	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"time"
 
@@ -47,15 +45,16 @@ const (
 	duration365d = time.Hour * 24 * 365
 )
 
-var ErrStaticCert = errors.New("cannot renew static certificate")
+var (
+	ErrStaticCert = errors.New("cannot renew static certificate")
+)
 
-// Config contains the basic fields required for creating a certificate.
+// Config contains the basic fields required for creating a certificate
 type Config struct {
 	CommonName   string
 	Organization []string
 	AltNames     AltNames
 	Usages       []x509.ExtKeyUsage
-	ExpiresAt    time.Duration
 }
 
 // AltNames contains the domain names and IP addresses that will be added
@@ -66,14 +65,9 @@ type AltNames struct {
 	IPs      []net.IP
 }
 
-// NewRSAPrivateKey creates an RSA private key
-func NewRSAPrivateKey() (*rsa.PrivateKey, error) {
-	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
-}
-
 // NewPrivateKey creates an RSA private key
-func NewPrivateKey() (*ecdsa.PrivateKey, error) {
-	return ecdsa.GenerateKey(elliptic.P256Sm2(), cryptorand.Reader)
+func NewPrivateKey() (*rsa.PrivateKey, error) {
+	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
 }
 
 // NewSelfSignedCACert creates a CA certificate
@@ -96,15 +90,10 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 	if err != nil {
 		return nil, err
 	}
-
-	logrus.Infof("generated self-signed CA certificate %s: notBefore=%s notAfter=%s",
-		tmpl.Subject, tmpl.NotBefore, tmpl.NotAfter)
-
 	return x509.ParseCertificate(certDERBytes)
 }
 
-// NewSignedCert creates a signed certificate using the given CA certificate and key based
-// on the given configuration.
+// NewSignedCert creates a signed certificate using the given CA certificate and key
 func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
 	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
 	if err != nil {
@@ -116,19 +105,6 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 	if len(cfg.Usages) == 0 {
 		return nil, errors.New("must specify at least one ExtKeyUsage")
 	}
-	expiresAt := duration365d
-	if cfg.ExpiresAt > 0 {
-		expiresAt = time.Duration(cfg.ExpiresAt)
-	} else {
-		envExpirationDays := os.Getenv("CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS")
-		if envExpirationDays != "" {
-			if envExpirationDaysInt, err := strconv.Atoi(envExpirationDays); err != nil {
-				logrus.Infof("[NewSignedCert] expiration days from ENV (%s) could not be converted to int (falling back to default value: %d)", envExpirationDays, expiresAt)
-			} else {
-				expiresAt = time.Hour * 24 * time.Duration(envExpirationDaysInt)
-			}
-		}
-	}
 
 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
@@ -139,7 +115,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 		IPAddresses:  cfg.AltNames.IPs,
 		SerialNumber: serial,
 		NotBefore:    caCert.NotBefore,
-		NotAfter:     time.Now().Add(expiresAt).UTC(),
+		NotAfter:     time.Now().Add(duration365d).UTC(),
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:  cfg.Usages,
 	}
@@ -158,7 +134,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 
 // MakeEllipticPrivateKeyPEM creates an ECDSA private key
 func MakeEllipticPrivateKeyPEM() ([]byte, error) {
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256Sm2(), cryptorand.Reader)
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
 	if err != nil {
 		return nil, err
 	}
@@ -209,7 +185,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 		maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
 	}
 
-	caKey, err := NewPrivateKey()
+	caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -237,7 +213,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 		return nil, nil, err
 	}
 
-	priv, err := NewPrivateKey()
+	priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -280,12 +256,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 
 	// Generate key
 	keyBuffer := bytes.Buffer{}
-	privBuf, err := x509.MarshalECPrivateKey(priv)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if err := pem.Encode(&keyBuffer, &pem.Block{Type: ECPrivateKeyBlockType, Bytes: privBuf}); err != nil {
+	if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
 		return nil, nil, err
 	}
 

cert/cert_test.go

@@ -1,39 +0,0 @@
-package cert
-
-import (
-	"crypto/ecdsa"
-	"fmt"
-	"os"
-	"testing"
-)
-
-func TestCreateAndReadCert(t *testing.T) {
-	kFile := "service.key"
-	defer os.Remove(kFile)
-	key, err := NewPrivateKey()
-	if err != nil {
-		t.Errorf("failed to create private key: %v", err)
-	}
-
-	if err := WriteKey(kFile, EncodePrivateKeyPEM(key)); err != nil {
-		t.Errorf("failed to encode private key to pem: %v", err)
-	}
-
-	keyR, err := PrivateKeyFromFile(kFile)
-	if err != nil {
-		t.Errorf("failed to load private key from file: %v", err)
-	}
-
-	switch k := keyR.(type) {
-	case *ecdsa.PrivateKey:
-		fmt.Println("loaded back ecdsa private key")
-	default:
-		t.Errorf("load back a wrong private key %v", k)
-	}
-
-	buf := EncodePrivateKeyPEM(key)
-	_, err = ParsePrivateKeyPEM(buf)
-	if err != nil {
-		t.Errorf("failed to parse private key from pem: %v", err)
-	}
-}

cert/csr.go

@@ -17,7 +17,6 @@ limitations under the License.
 package cert
 
 import (
-	"crypto/ecdsa"
 	cryptorand "crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
@@ -61,11 +60,8 @@ func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateReque
 
 func sigType(privateKey interface{}) x509.SignatureAlgorithm {
 	// Customize the signature for RSA keys, depending on the key size
-	switch privK := privateKey.(type) {
-	case *ecdsa.PrivateKey:
-		return x509.ECDSAWithSHA256
-	case *rsa.PrivateKey:
-		keySize := privK.N.BitLen()
+	if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
+		keySize := privateKey.N.BitLen()
 		switch {
 		case keySize >= 4096:
 			return x509.SHA512WithRSA

cert/pem.go

@@ -41,7 +41,7 @@ const (
 )
 
 // EncodePublicKeyPEM returns PEM-encoded public data
-func EncodePublicKeyPEM(key interface{}) ([]byte, error) {
+func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
 	der, err := x509.MarshalPKIXPublicKey(key)
 	if err != nil {
 		return []byte{}, err
@@ -54,25 +54,12 @@ func EncodePublicKeyPEM(key interface{}) ([]byte, error) {
 }
 
 // EncodePrivateKeyPEM returns PEM-encoded private key data
-func EncodePrivateKeyPEM(key interface{}) []byte {
-	var block *pem.Block
-	switch privKey := key.(type) {
-	case *ecdsa.PrivateKey:
-		derBytes, _ := x509.MarshalECPrivateKey(privKey)
-		block = &pem.Block{
-			Type:  ECPrivateKeyBlockType,
-			Bytes: derBytes,
-		}
-	case *rsa.PrivateKey:
-		block = &pem.Block{
-			Type:  RSAPrivateKeyBlockType,
-			Bytes: x509.MarshalPKCS1PrivateKey(privKey),
-		}
+func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+	block := pem.Block{
+		Type:  RSAPrivateKeyBlockType,
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
 	}
-	if block != nil {
-		return pem.EncodeToMemory(block)
-	}
-	return []byte{}
+	return pem.EncodeToMemory(&block)
 }
 
 // EncodeCertPEM returns PEM-endcoded certificate data

cert/secret.go

@@ -1,16 +0,0 @@
-package cert
-
-import v1 "k8s.io/api/core/v1"
-
-func IsValidTLSSecret(secret *v1.Secret) bool {
-	if secret == nil {
-		return false
-	}
-	if _, ok := secret.Data[v1.TLSCertKey]; !ok {
-		return false
-	}
-	if _, ok := secret.Data[v1.TLSPrivateKeyKey]; !ok {
-		return false
-	}
-	return true
-}

factory/ca.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"time"
 
 	"github.com/rancher/dynamiclistener/cert"
 )
@@ -17,7 +16,7 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
 		return nil, nil, err
 	}
 
-	caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")
+	caCert, err := NewSelfSignedCACert(caKey, "dynamiclistener-ca", "dynamiclistener-org")
 	if err != nil {
 		return nil, nil, err
 	}

factory/cert_utils.go

@@ -10,17 +10,13 @@ import (
 	"math"
 	"math/big"
 	"net"
-	"os"
-	"strconv"
-	"strings"
 	"time"
 
 	"github.com/sirupsen/logrus"
 )
 
 const (
-	CertificateBlockType               = "CERTIFICATE"
-	defaultNewSignedCertExpirationDays = 365
+	CertificateBlockType = "CERTIFICATE"
 )
 
 func NewSelfSignedCACert(key crypto.Signer, cn string, org ...string) (*x509.Certificate, error) {
@@ -43,9 +39,6 @@ func NewSelfSignedCACert(key crypto.Signer, cn string, org ...string) (*x509.Cer
 		return nil, err
 	}
 
-	logrus.Infof("generated self-signed CA certificate %s: notBefore=%s notAfter=%s",
-		tmpl.Subject, tmpl.NotBefore, tmpl.NotAfter)
-
 	return x509.ParseCertificate(certDERBytes)
 }
 
@@ -66,12 +59,6 @@ func NewSignedClientCert(signer crypto.Signer, caCert *x509.Certificate, caKey c
 		},
 	}
 
-	parts := strings.Split(cn, ",o=")
-	if len(parts) > 1 {
-		parent.Subject.CommonName = parts[0]
-		parent.Subject.Organization = parts[1:]
-	}
-
 	cert, err := x509.CreateCertificate(rand.Reader, &parent, caCert, signer.Public(), caKey)
 	if err != nil {
 		return nil, err
@@ -88,22 +75,12 @@ func NewSignedCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.
 		return nil, err
 	}
 
-	expirationDays := defaultNewSignedCertExpirationDays
-	envExpirationDays := os.Getenv("CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS")
-	if envExpirationDays != "" {
-		if envExpirationDaysInt, err := strconv.Atoi(envExpirationDays); err != nil {
-			logrus.Infof("[NewSignedCert] expiration days from ENV (%s) could not be converted to int (falling back to default value: %d)", envExpirationDays, defaultNewSignedCertExpirationDays)
-		} else {
-			expirationDays = envExpirationDaysInt
-		}
-	}
-
 	parent := x509.Certificate{
 		DNSNames:     domains,
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		IPAddresses:  ips,
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		NotAfter:     time.Now().Add(time.Hour * 24 * time.Duration(expirationDays)).UTC(),
+		NotAfter:     time.Now().Add(time.Hour * 24 * 365).UTC(),
 		NotBefore:    caCert.NotBefore,
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{

factory/gen.go

@@ -6,16 +6,13 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha1"
-	"crypto/sha256"
 	"crypto/x509"
-	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"net"
 	"regexp"
 	"sort"
 	"strings"
-	"time"
 
 	"github.com/rancher/dynamiclistener/cert"
 	"github.com/sirupsen/logrus"
@@ -33,12 +30,11 @@ var (
 )
 
 type TLS struct {
-	CACert              *x509.Certificate
-	CAKey               crypto.Signer
-	CN                  string
-	Organization        []string
-	FilterCN            func(...string) []string
-	ExpirationDaysCheck int
+	CACert       *x509.Certificate
+	CAKey        crypto.Signer
+	CN           string
+	Organization []string
+	FilterCN     func(...string) []string
 }
 
 func cns(secret *v1.Secret) (cns []string) {
@@ -72,42 +68,20 @@ func collectCNs(secret *v1.Secret) (domains []string, ips []net.IP, err error) {
 	return
 }
 
-// Merge combines the SAN lists from the target and additional Secrets, and
-// returns a potentially modified Secret, along with a bool indicating if the
-// returned Secret is not the same as the target Secret. Secrets with expired
-// certificates will never be returned.
-//
-// If the merge would not add any CNs to the additional Secret, the additional
-// Secret is returned, to allow for certificate rotation/regeneration.
-//
-// If the merge would not add any CNs to the target Secret, the target Secret is
-// returned; no merging is necessary.
-//
-// If neither certificate is acceptable as-is, a new certificate containing
-// the union of the two lists is generated, using the private key from the
-// first Secret. The returned Secret will contain the updated cert.
+// Merge combines the SAN lists from the target and additional Secrets, and returns a potentially modified Secret,
+// along with a bool indicating if the returned Secret has been updated or not. If the two SAN lists alread matched
+// and no merging was necessary, but the Secrets' certificate fingerprints differed, the second secret is returned
+// and the updated bool is set to true despite neither certificate having actually been modified. This is required
+// to support handling certificate renewal within the kubernetes storage provider.
 func (t *TLS) Merge(target, additional *v1.Secret) (*v1.Secret, bool, error) {
-	// static secrets can't be altered, don't bother trying
-	if IsStatic(target) {
-		return target, false, nil
+	secret, updated, err := t.AddCN(target, cns(additional)...)
+	if !updated {
+		if target.Annotations[fingerprint] != additional.Annotations[fingerprint] {
+			secret = additional
+			updated = true
+		}
 	}
-
-	mergedCNs := append(cns(target), cns(additional)...)
-
-	// if the additional secret already has all the CNs, use it in preference to the
-	// current one. This behavior is required to allow for renewal or regeneration.
-	if !NeedsUpdate(0, additional, mergedCNs...) && !t.IsExpired(additional) {
-		return additional, true, nil
-	}
-
-	// if the target secret already has all the CNs, continue using it. The additional
-	// cert had only a subset of the current CNs, so nothing needs to be added.
-	if !NeedsUpdate(0, target, mergedCNs...) && !t.IsExpired(target) {
-		return target, false, nil
-	}
-
-	// neither cert currently has all the necessary CNs or is unexpired; generate a new one.
-	return t.generateCert(target, mergedCNs...)
+	return secret, updated, err
 }
 
 // Renew returns a copy of the given certificate that has been re-signed
@@ -157,10 +131,6 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 		secret = &v1.Secret{}
 	}
 
-	if err := t.Verify(secret); err != nil {
-		logrus.Warnf("unable to verify existing certificate: %v - signing operation may change certificate issuer", err)
-	}
-
 	secret = populateCN(secret, cn...)
 
 	privateKey, err := getPrivateKey(secret)
@@ -178,7 +148,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 		return nil, false, err
 	}
 
-	keyBytes, certBytes, err := MarshalChain(privateKey, newCert, t.CACert)
+	certBytes, keyBytes, err := Marshal(newCert, privateKey)
 	if err != nil {
 		return nil, false, err
 	}
@@ -186,7 +156,6 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 	if secret.Data == nil {
 		secret.Data = map[string][]byte{}
 	}
-	secret.Type = v1.SecretTypeTLS
 	secret.Data[v1.TLSCertKey] = certBytes
 	secret.Data[v1.TLSPrivateKeyKey] = keyBytes
 	secret.Annotations[fingerprint] = fmt.Sprintf("SHA1=%X", sha1.Sum(newCert.Raw))
@@ -194,44 +163,6 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 	return secret, true, nil
 }
 
-func (t *TLS) IsExpired(secret *v1.Secret) bool {
-	certsPem := secret.Data[v1.TLSCertKey]
-	if len(certsPem) == 0 {
-		return false
-	}
-
-	certificates, err := cert.ParseCertsPEM(certsPem)
-	if err != nil || len(certificates) == 0 {
-		return false
-	}
-
-	expirationDays := time.Duration(t.ExpirationDaysCheck) * time.Hour * 24
-	return time.Now().Add(expirationDays).After(certificates[0].NotAfter)
-}
-
-func (t *TLS) Verify(secret *v1.Secret) error {
-	certsPem := secret.Data[v1.TLSCertKey]
-	if len(certsPem) == 0 {
-		return nil
-	}
-
-	certificates, err := cert.ParseCertsPEM(certsPem)
-	if err != nil || len(certificates) == 0 {
-		return err
-	}
-
-	verifyOpts := x509.VerifyOptions{
-		Roots: x509.NewCertPool(),
-		KeyUsages: []x509.ExtKeyUsage{
-			x509.ExtKeyUsageAny,
-		},
-	}
-	verifyOpts.Roots.AddCert(t.CACert)
-
-	_, err = certificates[0].Verify(verifyOpts)
-	return err
-}
-
 func (t *TLS) newCert(domains []string, ips []net.IP, privateKey crypto.Signer) (*x509.Certificate, error) {
 	return NewSignedCert(privateKey, t.CACert, t.CAKey, t.CN, t.Organization, domains, ips)
 }
@@ -243,7 +174,7 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
 	}
 	for _, cn := range cn {
 		if cnRegexp.MatchString(cn) {
-			secret.Annotations[getAnnotationKey(cn)] = cn
+			secret.Annotations[cnPrefix+cn] = cn
 		} else {
 			logrus.Errorf("dropping invalid CN: %s", cn)
 		}
@@ -254,10 +185,7 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
 // IsStatic returns true if the Secret has an attribute indicating that it contains
 // a static (aka user-provided) certificate, which should not be modified.
 func IsStatic(secret *v1.Secret) bool {
-	if secret != nil && secret.Annotations != nil {
-		return secret.Annotations[Static] == "true"
-	}
-	return false
+	return secret.Annotations[Static] == "true"
 }
 
 // NeedsUpdate returns true if any of the CNs are not currently present on the
@@ -270,7 +198,7 @@ func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool {
 	}
 
 	for _, cn := range cn {
-		if secret.Annotations[getAnnotationKey(cn)] == "" {
+		if secret.Annotations[cnPrefix+cn] == "" {
 			if maxSANs > 0 && len(cns(secret)) >= maxSANs {
 				return false
 			}
@@ -295,33 +223,14 @@ func getPrivateKey(secret *v1.Secret) (crypto.Signer, error) {
 	return NewPrivateKey()
 }
 
-// MarshalChain returns given key and certificates as byte slices.
-func MarshalChain(privateKey crypto.Signer, certs ...*x509.Certificate) (keyBytes, certChainBytes []byte, err error) {
-	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	for _, cert := range certs {
-		if cert != nil {
-			certBlock := pem.Block{
-				Type:  CertificateBlockType,
-				Bytes: cert.Raw,
-			}
-			certChainBytes = append(certChainBytes, pem.EncodeToMemory(&certBlock)...)
-		}
-	}
-	return keyBytes, certChainBytes, nil
-}
-
 // Marshal returns the given cert and key as byte slices.
-func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) (certBytes, keyBytes []byte, err error) {
+func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) ([]byte, []byte, error) {
 	certBlock := pem.Block{
 		Type:  CertificateBlockType,
 		Bytes: x509Cert.Raw,
 	}
 
-	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
+	keyBytes, err := cert.MarshalPrivateKeyToPEM(privateKey)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -333,22 +242,3 @@ func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) (certBytes, k
 func NewPrivateKey() (crypto.Signer, error) {
 	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 }
-
-// getAnnotationKey return the key to use for a given CN. IPv4 addresses and short hostnames
-// are safe to store as-is, but longer hostnames and IPv6 address must be truncated and/or undergo
-// character replacement in order to be used as an annotation key. If the CN requires modification,
-// a portion of the SHA256 sum of the original value is used as the suffix, to reduce the likelihood
-// of collisions in modified values.
-func getAnnotationKey(cn string) string {
-	cn = cnPrefix + cn
-	cnLen := len(cn)
-	if cnLen < 64 && !strings.ContainsRune(cn, ':') {
-		return cn
-	}
-	digest := sha256.Sum256([]byte(cn))
-	cn = strings.ReplaceAll(cn, ":", "_")
-	if cnLen > 56 {
-		cnLen = 56
-	}
-	return cn[0:cnLen] + "-" + hex.EncodeToString(digest[0:])[0:6]
-}

filter.go

@@ -1,12 +0,0 @@
-package dynamiclistener
-
-func OnlyAllow(str string) func(...string) []string {
-	return func(s2 ...string) []string {
-		for _, s := range s2 {
-			if s == str {
-				return []string{s}
-			}
-		}
-		return nil
-	}
-}

go.mod

@@ -1,12 +1,11 @@
 module github.com/rancher/dynamiclistener
 
-go 1.12
+go 1.16
 
 require (
-	github.com/rancher/wrangler v0.8.9
+	github.com/rancher/wrangler v0.8.3
 	github.com/sirupsen/logrus v1.4.2
 	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
 	k8s.io/api v0.18.8
 	k8s.io/apimachinery v0.18.8
-	k8s.io/client-go v0.18.8
 )

go.sum

@@ -86,7 +86,6 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -308,8 +307,8 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T
 github.com/qri-io/starlib v0.4.2-0.20200213133954-ff2e8cd5ef8d/go.mod h1:7DPO4domFU579Ga6E61sB9VFNaniPVwJP5C4bBCu3wA=
 github.com/rancher/lasso v0.0.0-20210616224652-fc3ebd901c08 h1:NxR8Fh0eE7/5/5Zvlog9B5NVjWKqBSb1WYMUF7/IE5c=
 github.com/rancher/lasso v0.0.0-20210616224652-fc3ebd901c08/go.mod h1:9qZd/S8DqWzfKtjKGgSoHqGEByYmUE3qRaBaaAHwfEM=
-github.com/rancher/wrangler v0.8.9 h1:qNHBUw7jHdQKBVX4ksmY9ckth6oZaL2tRUKMwtERZw8=
-github.com/rancher/wrangler v0.8.9/go.mod h1:Lte9WjPtGYxYacIWeiS9qawvu2R4NujFU9xuXWJvc/0=
+github.com/rancher/wrangler v0.8.3 h1:m3d5ChOQj2Pdozy6nkGiSzAgQxlQlXRis2zSRwaO83k=
+github.com/rancher/wrangler v0.8.3/go.mod h1:dKEaHNB4izxmPUtpq1Hvr3z3Oh+9k5pCZyFO9sUhlaY=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
@@ -344,9 +343,8 @@ github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRci
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.3-0.20181224173747-660f15d67dbb/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -536,8 +534,6 @@ gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20191120175047-4206685974f2/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

listener.go

@@ -44,18 +44,14 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 	if config.TLSConfig == nil {
 		config.TLSConfig = &tls.Config{}
 	}
-	if config.ExpirationDaysCheck == 0 {
-		config.ExpirationDaysCheck = 90
-	}
 
 	dynamicListener := &listener{
 		factory: &factory.TLS{
-			CACert:              caCert,
-			CAKey:               caKey,
-			CN:                  config.CN,
-			Organization:        config.Organization,
-			FilterCN:            allowDefaultSANs(config.SANs, config.FilterCN),
-			ExpirationDaysCheck: config.ExpirationDaysCheck,
+			CACert:       caCert,
+			CAKey:        caKey,
+			CN:           config.CN,
+			Organization: config.Organization,
+			FilterCN:     allowDefaultSANs(config.SANs, config.FilterCN),
 		},
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
@@ -85,6 +81,10 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 		}
 	}
 
+	if config.ExpirationDaysCheck == 0 {
+		config.ExpirationDaysCheck = 30
+	}
+
 	tlsListener := tls.NewListener(dynamicListener.WrapExpiration(config.ExpirationDaysCheck), dynamicListener.tlsConfig)
 
 	return tlsListener, dynamicListener.cacheHandler(), nil
@@ -162,15 +162,12 @@ type listener struct {
 func (l *listener) WrapExpiration(days int) net.Listener {
 	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
-		// loop on short sleeps until certificate preload completes
-		for l.cert == nil {
-			time.Sleep(time.Millisecond)
-		}
+		time.Sleep(30 * time.Second)
 
 		for {
 			wait := 6 * time.Hour
 			if err := l.checkExpiration(days); err != nil {
-				logrus.Errorf("dynamiclistener %s: failed to check and renew dynamic cert: %v", l.Addr(), err)
+				logrus.Errorf("failed to check and renew dynamic cert: %v", err)
 				// Don't go into short retry loop if we're using a static (user-provided) cert.
 				// We will still check and print an error every six hours until the user updates the secret with
 				// a cert that is not about to expire. Hopefully this will prompt them to take action.
@@ -261,19 +258,7 @@ func (l *listener) checkExpiration(days int) error {
 func (l *listener) Accept() (net.Conn, error) {
 	l.init.Do(func() {
 		if len(l.sans) > 0 {
-			if err := l.updateCert(l.sans...); err != nil {
-				logrus.Errorf("dynamiclistener %s: failed to update cert with configured SANs: %v", l.Addr(), err)
-				return
-			}
-		}
-		if cert, err := l.loadCert(nil); err != nil {
-			logrus.Errorf("dynamiclistener %s: failed to preload certificate: %v", l.Addr(), err)
-		} else if cert == nil {
-			// This should only occur on the first startup when no SANs are configured in the listener config, in which
-			// case no certificate can be created, as dynamiclistener will not create certificates until at least one IP
-			// or DNS SAN is set. It will also occur when using the Kubernetes storage without a local File cache.
-			// For reliable serving of requests, callers should configure a local cache and/or a default set of SANs.
-			logrus.Warnf("dynamiclistener %s: no cached certificate available for preload - deferring certificate load until storage initialization or first client request", l.Addr())
+			l.updateCert(l.sans...)
 		}
 	})
 
@@ -289,12 +274,14 @@ func (l *listener) Accept() (net.Conn, error) {
 
 	host, _, err := net.SplitHostPort(addr.String())
 	if err != nil {
-		logrus.Errorf("dynamiclistener %s: failed to parse connection local address %s: %v", l.Addr(), addr, err)
+		logrus.Errorf("failed to parse network %s: %v", addr.Network(), err)
 		return conn, nil
 	}
 
-	if err := l.updateCert(host); err != nil {
-		logrus.Errorf("dynamiclistener %s: failed to update cert with connection local address: %v", l.Addr(), err)
+	if !strings.Contains(host, ":") {
+		if err := l.updateCert(host); err != nil {
+			logrus.Infof("failed to create TLS cert for: %s, %v", host, err)
+		}
 	}
 
 	if l.conns != nil {
@@ -321,9 +308,8 @@ func (l *listener) wrap(conn net.Conn) net.Conn {
 
 type closeWrapper struct {
 	net.Conn
-	id    int
-	l     *listener
-	ready bool
+	id int
+	l  *listener
 }
 
 func (c *closeWrapper) close() error {
@@ -338,15 +324,13 @@ func (c *closeWrapper) Close() error {
 }
 
 func (l *listener) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	newConn := hello.Conn
 	if hello.ServerName != "" {
 		if err := l.updateCert(hello.ServerName); err != nil {
-			logrus.Errorf("dynamiclistener %s: failed to update cert with TLS ServerName: %v", l.Addr(), err)
 			return nil, err
 		}
 	}
 
-	return l.loadCert(newConn)
+	return l.loadCert()
 }
 
 func (l *listener) updateCert(cn ...string) error {
@@ -363,7 +347,7 @@ func (l *listener) updateCert(cn ...string) error {
 		return err
 	}
 
-	if factory.IsStatic(secret) || !factory.NeedsUpdate(l.maxSANs, secret, cn...) {
+	if !factory.IsStatic(secret) && !factory.NeedsUpdate(l.maxSANs, secret, cn...) {
 		return nil
 	}
 
@@ -381,16 +365,14 @@ func (l *listener) updateCert(cn ...string) error {
 		if err := l.storage.Update(secret); err != nil {
 			return err
 		}
-		// Clear version to force cert reload next time loadCert is called by TLSConfig's
-		// GetCertificate hook to provide a certificate for a new connection. Note that this
-		// means the old certificate stays in l.cert until a new connection is made.
+		// clear version to force cert reload
 		l.version = ""
 	}
 
 	return nil
 }
 
-func (l *listener) loadCert(currentConn net.Conn) (*tls.Certificate, error) {
+func (l *listener) loadCert() (*tls.Certificate, error) {
 	l.RLock()
 	defer l.RUnlock()
 
@@ -411,9 +393,6 @@ func (l *listener) loadCert(currentConn net.Conn) (*tls.Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-	if !cert.IsValidTLSSecret(secret) {
-		return l.cert, nil
-	}
 	if l.cert != nil && l.version == secret.ResourceVersion && secret.ResourceVersion != "" {
 		return l.cert, nil
 	}
@@ -423,17 +402,12 @@ func (l *listener) loadCert(currentConn net.Conn) (*tls.Certificate, error) {
 		return nil, err
 	}
 
-	// cert has changed, close closeWrapper wrapped connections if this isn't the first load
-	if currentConn != nil && l.conns != nil && l.cert != nil {
+	// cert has changed, close closeWrapper wrapped connections
+	if l.conns != nil {
 		l.connLock.Lock()
 		for _, conn := range l.conns {
-			// Don't close a connection that's in the middle of completing a TLS handshake
-			if !conn.ready {
-				continue
-			}
 			_ = conn.close()
 		}
-		l.conns[currentConn.(*closeWrapper).id].ready = true
 		l.connLock.Unlock()
 	}
 
@@ -457,9 +431,7 @@ func (l *listener) cacheHandler() http.Handler {
 				}
 			}
 
-			if err := l.updateCert(h); err != nil {
-				logrus.Errorf("dynamiclistener %s: failed to update cert with HTTP request Host header: %v", l.Addr(), err)
-			}
+			l.updateCert(h)
 		}
 	})
 }

server/server.go

@@ -64,10 +64,7 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
 		}
 
 		tlsServer := http.Server{
-			Handler: handler,
-			BaseContext: func(listener net.Listener) context.Context {
-				return ctx
-			},
+			Handler:  handler,
 			ErrorLog: errorLog,
 		}
 
@@ -89,9 +86,6 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
 			Addr:     fmt.Sprintf("%s:%d", opts.BindHost, httpPort),
 			Handler:  handler,
 			ErrorLog: errorLog,
-			BaseContext: func(listener net.Listener) context.Context {
-				return ctx
-			},
 		}
 		go func() {
 			logrus.Infof("Listening on %s:%d", opts.BindHost, httpPort)

storage/file/file.go

@@ -2,10 +2,9 @@ package file
 
 import (
 	"encoding/json"
-	"os"
-
 	"github.com/rancher/dynamiclistener"
-	v1 "k8s.io/api/core/v1"
+	"k8s.io/api/core/v1"
+	"os"
 )
 
 func New(file string) dynamiclistener.TLSStorage {

storage/kubernetes/ca.go

@@ -56,7 +56,7 @@ func createAndStoreClientCert(secrets v1controller.SecretClient, namespace strin
 		return nil, err
 	}
 
-	keyPem, certPem, err := factory.MarshalChain(key, cert, caCert)
+	certPem, keyPem, err := factory.Marshal(cert, key)
 	if err != nil {
 		return nil, err
 	}

storage/kubernetes/controller.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/rancher/dynamiclistener"
-	"github.com/rancher/dynamiclistener/cert"
 	"github.com/rancher/wrangler/pkg/generated/controllers/core"
 	v1controller "github.com/rancher/wrangler/pkg/generated/controllers/core/v1"
 	"github.com/rancher/wrangler/pkg/start"
@@ -14,7 +13,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/util/retry"
 )
 
 type CoreGetter func() *core.Factory
@@ -41,9 +39,10 @@ func New(ctx context.Context, core CoreGetter, namespace, name string, backing d
 	// lazy init
 	go func() {
 		for {
-			if coreFactory := core(); coreFactory != nil {
-				storage.init(coreFactory.Core().V1().Secret())
-				_ = start.All(ctx, 5, coreFactory)
+			core := core()
+			if core != nil {
+				storage.init(core.Core().V1().Secret())
+				start.All(ctx, 5, core)
 				return
 			}
 
@@ -59,18 +58,16 @@ func New(ctx context.Context, core CoreGetter, namespace, name string, backing d
 }
 
 type storage struct {
-	sync.RWMutex
+	sync.Mutex
 
 	namespace, name string
 	storage         dynamiclistener.TLSStorage
-	secrets         v1controller.SecretController
+	secrets         v1controller.SecretClient
 	ctx             context.Context
 	tls             dynamiclistener.TLSFactory
 }
 
 func (s *storage) SetFactory(tls dynamiclistener.TLSFactory) {
-	s.Lock()
-	defer s.Unlock()
 	s.tls = tls
 }
 
@@ -92,48 +89,30 @@ func (s *storage) init(secrets v1controller.SecretController) {
 	})
 	s.secrets = secrets
 
-	secret, err := s.storage.Get()
-	if err == nil && cert.IsValidTLSSecret(secret) {
-		// local storage had a cached secret, ensure that it exists in Kubernetes
-		_, err := s.secrets.Create(&v1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:        s.name,
-				Namespace:   s.namespace,
-				Annotations: secret.Annotations,
-			},
-			Type: v1.SecretTypeTLS,
-			Data: secret.Data,
-		})
-		if err != nil && !errors.IsAlreadyExists(err) {
-			logrus.Warnf("Failed to create Kubernetes secret: %v", err)
-		}
-	} else {
-		// local storage was empty, try to populate it
-		secret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
-		if err != nil {
-			if !errors.IsNotFound(err) {
-				logrus.Warnf("Failed to init Kubernetes secret: %v", err)
-			}
-			return
-		}
-
-		if err := s.storage.Update(secret); err != nil {
-			logrus.Warnf("Failed to init backing storage secret: %v", err)
+	if secret, err := s.storage.Get(); err == nil && secret != nil && len(secret.Data) > 0 {
+		// just ensure there is a secret in k3s
+		if _, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{}); errors.IsNotFound(err) {
+			_, _ = s.secrets.Create(&v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        s.name,
+					Namespace:   s.namespace,
+					Annotations: secret.Annotations,
+				},
+				Type: v1.SecretTypeTLS,
+				Data: secret.Data,
+			})
 		}
 	}
 }
 
 func (s *storage) Get() (*v1.Secret, error) {
-	s.RLock()
-	defer s.RUnlock()
+	s.Lock()
+	defer s.Unlock()
 
 	return s.storage.Get()
 }
 
 func (s *storage) targetSecret() (*v1.Secret, error) {
-	s.RLock()
-	defer s.RUnlock()
-
 	existingSecret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		return &v1.Secret{
@@ -141,48 +120,33 @@ func (s *storage) targetSecret() (*v1.Secret, error) {
 				Name:      s.name,
 				Namespace: s.namespace,
 			},
-			Type: v1.SecretTypeTLS,
 		}, nil
 	}
 	return existingSecret, err
 }
 
 func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
-	if !s.initComplete() {
+	if s.secrets == nil {
 		return secret, nil
 	}
 
+	if existing, err := s.storage.Get(); err == nil && s.tls != nil {
+		if newSecret, updated, err := s.tls.Merge(existing, secret); err == nil && updated {
+			secret = newSecret
+		}
+	}
+
 	targetSecret, err := s.targetSecret()
 	if err != nil {
 		return nil, err
 	}
 
-	// if we don't have a TLS factory we can't create certs, so don't bother trying to merge anything,
-	// in favor of just blindly replacing the fields on the Kubernetes secret.
-	if s.tls != nil {
-		// merge new secret with secret from backing storage, if one exists
-		if existing, err := s.Get(); err == nil && cert.IsValidTLSSecret(existing) {
-			if newSecret, updated, err := s.tls.Merge(existing, secret); err == nil && updated {
-				secret = newSecret
-			}
-		}
-
-		// merge new secret with existing secret from Kubernetes, if one exists
-		if cert.IsValidTLSSecret(targetSecret) {
-			if newSecret, updated, err := s.tls.Merge(targetSecret, secret); err != nil {
-				return nil, err
-			} else if !updated {
-				return newSecret, nil
-			} else {
-				secret = newSecret
-			}
-		}
-	}
-
-	// ensure that the merged secret actually contains data before overwriting the existing fields
-	if !cert.IsValidTLSSecret(secret) {
-		logrus.Warnf("Skipping save of TLS secret for %s/%s due to missing certificate data", secret.Namespace, secret.Name)
-		return targetSecret, nil
+	if newSecret, updated, err := s.tls.Merge(targetSecret, secret); err != nil {
+		return nil, err
+	} else if !updated {
+		return newSecret, nil
+	} else {
+		secret = newSecret
 	}
 
 	targetSecret.Annotations = secret.Annotations
@@ -190,49 +154,31 @@ func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
 	targetSecret.Data = secret.Data
 
 	if targetSecret.UID == "" {
-		logrus.Infof("Creating new TLS secret for %s/%s (count: %d): %v", targetSecret.Namespace, targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
+		logrus.Infof("Creating new TLS secret for %v (count: %d): %v", targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
 		return s.secrets.Create(targetSecret)
 	}
-	logrus.Infof("Updating TLS secret for %s/%s (count: %d): %v", targetSecret.Namespace, targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
+	logrus.Infof("Updating TLS secret for %v (count: %d): %v", targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
 	return s.secrets.Update(targetSecret)
 }
 
-func (s *storage) Update(secret *v1.Secret) error {
-	// Asynchronously update the Kubernetes secret, as doing so inline may block the listener from
-	// accepting new connections if the apiserver becomes unavailable after the Secrets controller
-	// has been initialized. We're not passing around any contexts here, nor does the controller
-	// accept any, so there's no good way to soft-fail with a reasonable timeout.
-	go func() {
-		if err := s.update(secret); err != nil {
-			logrus.Errorf("Failed to save TLS secret for %s/%s: %v", secret.Namespace, secret.Name, err)
+func (s *storage) Update(secret *v1.Secret) (err error) {
+	s.Lock()
+	defer s.Unlock()
+
+	for i := 0; i < 3; i++ {
+		secret, err = s.saveInK8s(secret)
+		if errors.IsConflict(err) {
+			continue
+		} else if err != nil {
+			return err
 		}
-	}()
-	return nil
-}
-
-func isConflictOrAlreadyExists(err error) bool {
-	return errors.IsConflict(err) || errors.IsAlreadyExists(err)
-}
-
-func (s *storage) update(secret *v1.Secret) (err error) {
-	var newSecret *v1.Secret
-	err = retry.OnError(retry.DefaultRetry, isConflictOrAlreadyExists, func() error {
-		newSecret, err = s.saveInK8s(secret)
-		return err
-	})
+		break
+	}
 
 	if err != nil {
 		return err
 	}
 
-	// Only hold the lock while updating underlying storage
-	s.Lock()
-	defer s.Unlock()
-	return s.storage.Update(newSecret)
-}
-
-func (s *storage) initComplete() bool {
-	s.RLock()
-	defer s.RUnlock()
-	return s.secrets != nil
+	// update underlying storage
+	return s.storage.Update(secret)
 }

storage/memory/memory.go

@@ -39,7 +39,7 @@ func (m *memory) Update(secret *v1.Secret) error {
 			}
 		}
 
-		logrus.Infof("Active TLS secret %s/%s (ver=%s) (count %d): %v", secret.Namespace, secret.Name, secret.ResourceVersion, len(secret.Annotations)-1, secret.Annotations)
+		logrus.Infof("Active TLS secret %s (ver=%s) (count %d): %v", secret.Name, secret.ResourceVersion, len(secret.Annotations)-1, secret.Annotations)
 		m.secret = secret
 	}
 	return nil