Update dependency go to v1.24.6

Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>

.github/renovate.json

@@ -0,0 +1,9 @@
+{
+  "extends": [
+    "github>rancher/renovate-config#release"
+  ],
+  "baseBranches": [
+    "master"
+  ],
+  "prHourlyLimit": 2
+}

.github/workflows/ci.yaml

@@ -0,0 +1,20 @@
+name: CI
+on:
+  pull_request:
+  push:
+    branches:
+    - 'master'
+    - 'release/*'
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      # https://github.com/actions/checkout/releases/tag/v4.1.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Install Go
+      # https://github.com/actions/setup-go/releases/tag/v5.0.0
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      with:
+        go-version-file: 'go.mod'
+    - run: go test -race -cover ./...

.github/workflows/release.yaml

@@ -0,0 +1,25 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name : Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Create release on Github
+        run: |
+          if [[ "${{ github.ref_name }}" == *-rc* ]]; then
+            gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --verify-tag --generate-notes --prerelease
+          else
+            gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --verify-tag --generate-notes
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/renovate.yml

@@ -0,0 +1,25 @@
+name: Renovate
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Override default log level"
+        required: false
+        default: "info"
+        type: string
+      overrideSchedule:
+        description: "Override all schedules"
+        required: false
+        default: "false"
+        type: string
+  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
+  schedule:
+    - cron: '30 4,6 * * *'
+
+jobs:
+  call-workflow:
+    uses: rancher/renovate-config/.github/workflows/renovate.yml@release
+    with:
+      logLevel: ${{ inputs.logLevel || 'info' }}
+      overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
+    secrets: inherit

README.md

@@ -0,0 +1,10 @@
+# [dynamiclistener](https://github.com/rancher/dynamiclistener)
+
+This `README` is a work in progress; aimed towards providing information for navigating the contents of this repository.
+
+## Changing the Expiration Days for Newly Signed Certificates
+
+By default, a newly signed certificate is set to expire 365 days (1 year) after its creation time and date.
+You can use the `CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS` environment variable to change this value.
+
+**Please note:** the value for the aforementioned variable must be a string representing an unsigned integer corresponding to the number of days until expiration (i.e. X509 "NotAfter" value).

cert/cert.go

@@ -33,9 +33,13 @@ import (
 	"math"
 	"math/big"
 	"net"
-	"path"
+	"os"
+	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
+
+	"github.com/sirupsen/logrus"
 )
 
 const (
@@ -43,12 +47,15 @@ const (
 	duration365d = time.Hour * 24 * 365
 )
 
-// Config contains the basic fields required for creating a certificate
+var ErrStaticCert = errors.New("cannot renew static certificate")
+
+// Config contains the basic fields required for creating a certificate.
 type Config struct {
 	CommonName   string
 	Organization []string
 	AltNames     AltNames
 	Usages       []x509.ExtKeyUsage
+	ExpiresAt    time.Duration
 }
 
 // AltNames contains the domain names and IP addresses that will be added
@@ -84,10 +91,15 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 	if err != nil {
 		return nil, err
 	}
+
+	logrus.Infof("generated self-signed CA certificate %s: notBefore=%s notAfter=%s",
+		tmpl.Subject, tmpl.NotBefore, tmpl.NotAfter)
+
 	return x509.ParseCertificate(certDERBytes)
 }
 
-// NewSignedCert creates a signed certificate using the given CA certificate and key
+// NewSignedCert creates a signed certificate using the given CA certificate and key based
+// on the given configuration.
 func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
 	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
 	if err != nil {
@@ -99,6 +111,19 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 	if len(cfg.Usages) == 0 {
 		return nil, errors.New("must specify at least one ExtKeyUsage")
 	}
+	expiresAt := duration365d
+	if cfg.ExpiresAt > 0 {
+		expiresAt = time.Duration(cfg.ExpiresAt)
+	} else {
+		envExpirationDays := os.Getenv("CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS")
+		if envExpirationDays != "" {
+			if envExpirationDaysInt, err := strconv.Atoi(envExpirationDays); err != nil {
+				logrus.Infof("[NewSignedCert] expiration days from ENV (%s) could not be converted to int (falling back to default value: %d)", envExpirationDays, expiresAt)
+			} else {
+				expiresAt = time.Hour * 24 * time.Duration(envExpirationDaysInt)
+			}
+		}
+	}
 
 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
@@ -109,7 +134,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 		IPAddresses:  cfg.AltNames.IPs,
 		SerialNumber: serial,
 		NotBefore:    caCert.NotBefore,
-		NotAfter:     time.Now().Add(duration365d).UTC(),
+		NotAfter:     time.Now().Add(expiresAt).UTC(),
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:  cfg.Usages,
 	}
@@ -117,7 +142,13 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 	if err != nil {
 		return nil, err
 	}
-	return x509.ParseCertificate(certDERBytes)
+
+	parsedCert, err := x509.ParseCertificate(certDERBytes)
+	if err == nil {
+		logrus.Infof("certificate %s signed by %s: notBefore=%s notAfter=%s",
+			parsedCert.Subject, caCert.Subject, parsedCert.NotBefore, parsedCert.NotAfter)
+	}
+	return parsedCert, err
 }
 
 // MakeEllipticPrivateKeyPEM creates an ECDSA private key
@@ -159,8 +190,8 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 	maxAge := time.Hour * 24 * 365          // one year self-signed certs
 
 	baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
-	certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
-	keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
+	certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")
+	keyFixturePath := filepath.Join(fixtureDirectory, baseName+".key")
 	if len(fixtureDirectory) > 0 {
 		cert, err := ioutil.ReadFile(certFixturePath)
 		if err == nil {
@@ -267,3 +298,14 @@ func ipsToStrings(ips []net.IP) []string {
 	}
 	return ss
 }
+
+// IsCertExpired checks if the certificate about to expire
+func IsCertExpired(cert *x509.Certificate, days int) bool {
+	expirationDate := cert.NotAfter
+	diffDays := time.Until(expirationDate).Hours() / 24.0
+	if diffDays <= float64(days) {
+		logrus.Infof("certificate %s will expire in %f days at %s", cert.Subject, diffDays, cert.NotAfter)
+		return true
+	}
+	return false
+}

cert/io.go

@@ -34,15 +34,15 @@ func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
 	certReadable := canReadFile(certPath)
 	keyReadable := canReadFile(keyPath)
 
-	if certReadable == false && keyReadable == false {
+	if !certReadable && !keyReadable {
 		return false, nil
 	}
 
-	if certReadable == false {
+	if !certReadable {
 		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
 	}
 
-	if keyReadable == false {
+	if !keyReadable {
 		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
 	}
 

cert/secret.go

@@ -0,0 +1,16 @@
+package cert
+
+import v1 "k8s.io/api/core/v1"
+
+func IsValidTLSSecret(secret *v1.Secret) bool {
+	if secret == nil {
+		return false
+	}
+	if _, ok := secret.Data[v1.TLSCertKey]; !ok {
+		return false
+	}
+	if _, ok := secret.Data[v1.TLSPrivateKeyKey]; !ok {
+		return false
+	}
+	return true
+}

factory/ca.go

@@ -0,0 +1,119 @@
+package factory
+
+import (
+	"crypto"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"time"
+
+	"github.com/rancher/dynamiclistener/cert"
+)
+
+func GenCA() (*x509.Certificate, crypto.Signer, error) {
+	caKey, err := NewPrivateKey()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return caCert, caKey, nil
+}
+
+// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
+func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadOrGenCAChain()
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {
+	certs, key, err := loadCA()
+	if err == nil {
+		return certs, key, nil
+	}
+
+	cert, key, err := GenCA()
+	if err != nil {
+		return nil, nil, err
+	}
+	certs = []*x509.Certificate{cert}
+
+	certBytes, keyBytes, err := MarshalChain(key, certs...)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if err := os.MkdirAll("./certs", 0700); err != nil {
+		return nil, nil, err
+	}
+
+	if err := ioutil.WriteFile("./certs/ca.pem", certBytes, 0600); err != nil {
+		return nil, nil, err
+	}
+
+	if err := ioutil.WriteFile("./certs/ca.key", keyBytes, 0600); err != nil {
+		return nil, nil, err
+	}
+
+	return certs, key, nil
+}
+
+func loadCA() ([]*x509.Certificate, crypto.Signer, error) {
+	return LoadCertsChain("./certs/ca.pem", "./certs/ca.key")
+}
+
+func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadCAChain(caPem, caKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, nil
+}
+
+func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {
+	key, err := cert.ParsePrivateKeyPEM(caKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	signer, ok := key.(crypto.Signer)
+	if !ok {
+		return nil, nil, fmt.Errorf("key is not a crypto.Signer")
+	}
+
+	certs, err := cert.ParseCertsPEM(caPem)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certs, signer, nil
+}
+
+// Deprecated: Use LoadCertsChain instead as it supports intermediate CAs
+func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadCertsChain(certFile, keyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signer, error) {
+	caPem, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return nil, nil, err
+	}
+	caKey, err := ioutil.ReadFile(keyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return LoadCAChain(caPem, caKey)
+}

factory/cert_utils.go

@@ -0,0 +1,142 @@
+package factory
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math"
+	"math/big"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	CertificateBlockType               = "CERTIFICATE"
+	defaultNewSignedCertExpirationDays = 365
+)
+
+func NewSelfSignedCACert(key crypto.Signer, cn string, org ...string) (*x509.Certificate, error) {
+	now := time.Now()
+	tmpl := x509.Certificate{
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		NotAfter:              now.Add(time.Hour * 24 * 365 * 10).UTC(),
+		NotBefore:             now.UTC(),
+		SerialNumber:          new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName:   cn,
+			Organization: org,
+		},
+	}
+
+	certDERBytes, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Infof("generated self-signed CA certificate %s: notBefore=%s notAfter=%s",
+		tmpl.Subject, tmpl.NotBefore, tmpl.NotAfter)
+
+	return x509.ParseCertificate(certDERBytes)
+}
+
+func NewSignedClientCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, cn string) (*x509.Certificate, error) {
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+
+	parent := x509.Certificate{
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		NotAfter:     time.Now().Add(time.Hour * 24 * 365).UTC(),
+		NotBefore:    caCert.NotBefore,
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: cn,
+		},
+	}
+
+	parts := strings.Split(cn, ",o=")
+	if len(parts) > 1 {
+		parent.Subject.CommonName = parts[0]
+		parent.Subject.Organization = parts[1:]
+	}
+
+	cert, err := x509.CreateCertificate(rand.Reader, &parent, caCert, signer.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return x509.ParseCertificate(cert)
+}
+
+func NewSignedCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, cn string, orgs []string,
+	domains []string, ips []net.IP) (*x509.Certificate, error) {
+
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+
+	expirationDays := defaultNewSignedCertExpirationDays
+	envExpirationDays := os.Getenv("CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS")
+	if envExpirationDays != "" {
+		if envExpirationDaysInt, err := strconv.Atoi(envExpirationDays); err != nil {
+			logrus.Infof("[NewSignedCert] expiration days from ENV (%s) could not be converted to int (falling back to default value: %d)", envExpirationDays, defaultNewSignedCertExpirationDays)
+		} else {
+			expirationDays = envExpirationDaysInt
+		}
+	}
+
+	parent := x509.Certificate{
+		DNSNames:     domains,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		IPAddresses:  ips,
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		NotAfter:     time.Now().Add(time.Hour * 24 * time.Duration(expirationDays)).UTC(),
+		NotBefore:    caCert.NotBefore,
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName:   cn,
+			Organization: orgs,
+		},
+	}
+
+	cert, err := x509.CreateCertificate(rand.Reader, &parent, caCert, signer.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+
+	parsedCert, err := x509.ParseCertificate(cert)
+	if err == nil {
+		logrus.Infof("certificate %s signed by %s: notBefore=%s notAfter=%s",
+			parsedCert.Subject, caCert.Subject, parsedCert.NotBefore, parsedCert.NotAfter)
+	}
+	return parsedCert, err
+}
+
+func ParseCertPEM(pemCerts []byte) (*x509.Certificate, error) {
+	var pemBlock *pem.Block
+	for {
+		pemBlock, pemCerts = pem.Decode(pemCerts)
+		if pemBlock == nil {
+			break
+		}
+
+		if pemBlock.Type == CertificateBlockType {
+			return x509.ParseCertificate(pemBlock.Bytes)
+		}
+	}
+
+	return nil, fmt.Errorf("pem does not include a valid x509 cert")
+}

factory/gen.go

@@ -0,0 +1,356 @@
+package factory
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+	"net"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/rancher/dynamiclistener/cert"
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+)
+
+const (
+	cnPrefix    = "listener.cattle.io/cn-"
+	Static      = "listener.cattle.io/static"
+	fingerprint = "listener.cattle.io/fingerprint"
+)
+
+var (
+	cnRegexp = regexp.MustCompile("^([A-Za-z0-9:][-A-Za-z0-9_.:]*)?[A-Za-z0-9:]$")
+)
+
+type TLS struct {
+	CACert              []*x509.Certificate
+	CAKey               crypto.Signer
+	CN                  string
+	Organization        []string
+	FilterCN            func(...string) []string
+	ExpirationDaysCheck int
+}
+
+func cns(secret *v1.Secret) (cns []string) {
+	if secret == nil {
+		return nil
+	}
+	for k, v := range secret.Annotations {
+		if strings.HasPrefix(k, cnPrefix) {
+			cns = append(cns, v)
+		}
+	}
+	return
+}
+
+func collectCNs(secret *v1.Secret) (domains []string, ips []net.IP, err error) {
+	var (
+		cns = cns(secret)
+	)
+
+	sort.Strings(cns)
+
+	for _, v := range cns {
+		ip := net.ParseIP(v)
+		if ip == nil {
+			domains = append(domains, v)
+		} else {
+			ips = append(ips, ip)
+		}
+	}
+
+	return
+}
+
+// Merge combines the SAN lists from the target and additional Secrets, and
+// returns a potentially modified Secret, along with a bool indicating if the
+// returned Secret is not the same as the target Secret. Secrets with expired
+// certificates will never be returned.
+//
+// If the merge would not add any CNs to the additional Secret, the additional
+// Secret is returned, to allow for certificate rotation/regeneration.
+//
+// If the merge would not add any CNs to the target Secret, the target Secret is
+// returned; no merging is necessary.
+//
+// If neither certificate is acceptable as-is, a new certificate containing
+// the union of the two lists is generated, using the private key from the
+// first Secret. The returned Secret will contain the updated cert.
+func (t *TLS) Merge(target, additional *v1.Secret) (*v1.Secret, bool, error) {
+	// static secrets can't be altered, don't bother trying
+	if IsStatic(target) {
+		return target, false, nil
+	}
+
+	mergedCNs := append(cns(target), cns(additional)...)
+
+	// if the additional secret already has all the CNs, use it in preference to the
+	// current one. This behavior is required to allow for renewal or regeneration.
+	if !NeedsUpdate(0, additional, mergedCNs...) && !t.IsExpired(additional) {
+		return additional, true, nil
+	}
+
+	// if the target secret already has all the CNs, continue using it. The additional
+	// cert had only a subset of the current CNs, so nothing needs to be added.
+	if !NeedsUpdate(0, target, mergedCNs...) && !t.IsExpired(target) {
+		return target, false, nil
+	}
+
+	// neither cert currently has all the necessary CNs or is unexpired; generate a new one.
+	return t.generateCert(target, mergedCNs...)
+}
+
+// Renew returns a copy of the given certificate that has been re-signed
+// to extend the NotAfter date. It is an error to attempt to renew
+// a static (user-provided) certificate.
+func (t *TLS) Renew(secret *v1.Secret) (*v1.Secret, error) {
+	if IsStatic(secret) {
+		return secret, cert.ErrStaticCert
+	}
+	cns := cns(secret)
+	secret = secret.DeepCopy()
+	secret.Annotations = map[string]string{}
+	secret, _, err := t.generateCert(secret, cns...)
+	return secret, err
+}
+
+// Filter ensures that the CNs are all valid accorting to both internal logic, and any filter callbacks.
+// The returned list will contain only approved CN entries.
+func (t *TLS) Filter(cn ...string) []string {
+	if len(cn) == 0 || t.FilterCN == nil {
+		return cn
+	}
+	return t.FilterCN(cn...)
+}
+
+// AddCN attempts to add a list of CN strings to a given Secret, returning the potentially-modified
+// Secret along with a bool indicating whether or not it has been updated. The Secret will not be changed
+// if it has an attribute indicating that it is static (aka user-provided), or if no new CNs were added.
+func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
+	cn = t.Filter(cn...)
+
+	if IsStatic(secret) || !NeedsUpdate(0, secret, cn...) {
+		return secret, false, nil
+	}
+	return t.generateCert(secret, cn...)
+}
+
+func (t *TLS) Regenerate(secret *v1.Secret) (*v1.Secret, error) {
+	cns := cns(secret)
+	secret, _, err := t.generateCert(nil, cns...)
+	return secret, err
+}
+
+func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
+	secret = secret.DeepCopy()
+	if secret == nil {
+		secret = &v1.Secret{}
+	}
+
+	if err := t.Verify(secret); err != nil {
+		logrus.Warnf("unable to verify existing certificate: %v - signing operation may change certificate issuer", err)
+	}
+
+	secret = populateCN(secret, cn...)
+
+	privateKey, err := getPrivateKey(secret)
+	if err != nil {
+		return nil, false, err
+	}
+
+	domains, ips, err := collectCNs(secret)
+	if err != nil {
+		return nil, false, err
+	}
+
+	newCert, err := t.newCert(domains, ips, privateKey)
+	if err != nil {
+		return nil, false, err
+	}
+
+	keyBytes, certBytes, err := MarshalChain(privateKey, append([]*x509.Certificate{newCert}, t.CACert...)...)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if secret.Data == nil {
+		secret.Data = map[string][]byte{}
+	}
+	secret.Type = v1.SecretTypeTLS
+	secret.Data[v1.TLSCertKey] = certBytes
+	secret.Data[v1.TLSPrivateKeyKey] = keyBytes
+	secret.Annotations[fingerprint] = fmt.Sprintf("SHA1=%X", sha1.Sum(newCert.Raw))
+
+	return secret, true, nil
+}
+
+func (t *TLS) IsExpired(secret *v1.Secret) bool {
+	certsPem := secret.Data[v1.TLSCertKey]
+	if len(certsPem) == 0 {
+		return false
+	}
+
+	certificates, err := cert.ParseCertsPEM(certsPem)
+	if err != nil || len(certificates) == 0 {
+		return false
+	}
+
+	expirationDays := time.Duration(t.ExpirationDaysCheck) * time.Hour * 24
+	return time.Now().Add(expirationDays).After(certificates[0].NotAfter)
+}
+
+func (t *TLS) Verify(secret *v1.Secret) error {
+	certsPem := secret.Data[v1.TLSCertKey]
+	if len(certsPem) == 0 {
+		return nil
+	}
+
+	certificates, err := cert.ParseCertsPEM(certsPem)
+	if err != nil || len(certificates) == 0 {
+		return err
+	}
+
+	verifyOpts := x509.VerifyOptions{
+		Roots: x509.NewCertPool(),
+		KeyUsages: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageAny,
+		},
+	}
+	for _, c := range t.CACert {
+		verifyOpts.Roots.AddCert(c)
+	}
+
+	_, err = certificates[0].Verify(verifyOpts)
+	return err
+}
+
+func (t *TLS) newCert(domains []string, ips []net.IP, privateKey crypto.Signer) (*x509.Certificate, error) {
+	return NewSignedCert(privateKey, t.CACert[0], t.CAKey, t.CN, t.Organization, domains, ips)
+}
+
+func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
+	secret = secret.DeepCopy()
+	if secret.Annotations == nil {
+		secret.Annotations = map[string]string{}
+	}
+	for _, cn := range cn {
+		if cnRegexp.MatchString(cn) {
+			secret.Annotations[getAnnotationKey(cn)] = cn
+		} else {
+			logrus.Errorf("dropping invalid CN: %s", cn)
+		}
+	}
+	return secret
+}
+
+// IsStatic returns true if the Secret has an attribute indicating that it contains
+// a static (aka user-provided) certificate, which should not be modified.
+func IsStatic(secret *v1.Secret) bool {
+	if secret != nil && secret.Annotations != nil {
+		return secret.Annotations[Static] == "true"
+	}
+	return false
+}
+
+// NeedsUpdate returns true if any of the CNs are not currently present on the
+// secret's Certificate, as recorded in the cnPrefix annotations. It will return
+// false if all requested CNs are already present, or if maxSANs is non-zero and has
+// been exceeded.
+func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool {
+	if secret == nil {
+		return true
+	}
+
+	for _, cn := range cn {
+		if secret.Annotations[getAnnotationKey(cn)] == "" {
+			if maxSANs > 0 && len(cns(secret)) >= maxSANs {
+				return false
+			}
+			return true
+		}
+	}
+
+	return false
+}
+
+func getPrivateKey(secret *v1.Secret) (crypto.Signer, error) {
+	keyBytes := secret.Data[v1.TLSPrivateKeyKey]
+	if len(keyBytes) == 0 {
+		return NewPrivateKey()
+	}
+
+	privateKey, err := cert.ParsePrivateKeyPEM(keyBytes)
+	if signer, ok := privateKey.(crypto.Signer); ok && err == nil {
+		return signer, nil
+	}
+
+	return NewPrivateKey()
+}
+
+// MarshalChain returns given key and certificates as byte slices.
+func MarshalChain(privateKey crypto.Signer, certs ...*x509.Certificate) (keyBytes, certChainBytes []byte, err error) {
+	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for _, cert := range certs {
+		if cert != nil {
+			certBlock := pem.Block{
+				Type:  CertificateBlockType,
+				Bytes: cert.Raw,
+			}
+			certChainBytes = append(certChainBytes, pem.EncodeToMemory(&certBlock)...)
+		}
+	}
+	return keyBytes, certChainBytes, nil
+}
+
+// Marshal returns the given cert and key as byte slices.
+func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) (certBytes, keyBytes []byte, err error) {
+	certBlock := pem.Block{
+		Type:  CertificateBlockType,
+		Bytes: x509Cert.Raw,
+	}
+
+	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return pem.EncodeToMemory(&certBlock), keyBytes, nil
+}
+
+// NewPrivateKey returnes a new ECDSA key
+func NewPrivateKey() (crypto.Signer, error) {
+	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+}
+
+// getAnnotationKey return the key to use for a given CN. IPv4 addresses and short hostnames
+// are safe to store as-is, but longer hostnames and IPv6 address must be truncated and/or undergo
+// character replacement in order to be used as an annotation key. If the CN requires modification,
+// a portion of the SHA256 sum of the original value is used as the suffix, to reduce the likelihood
+// of collisions in modified values.
+func getAnnotationKey(cn string) string {
+	cn = cnPrefix + cn
+	cnLen := len(cn)
+	if cnLen < 64 && !strings.ContainsRune(cn, ':') {
+		return cn
+	}
+	digest := sha256.Sum256([]byte(cn))
+	cn = strings.ReplaceAll(cn, ":", "_")
+	if cnLen > 56 {
+		cnLen = 56
+	}
+	return cn[0:cnLen] + "-" + hex.EncodeToString(digest[0:])[0:6]
+}

filter.go

@@ -0,0 +1,12 @@
+package dynamiclistener
+
+func OnlyAllow(str string) func(...string) []string {
+	return func(s2 ...string) []string {
+		for _, s := range s2 {
+			if s == str {
+				return []string{s}
+			}
+		}
+		return nil
+	}
+}

go.mod

@@ -1,14 +1,65 @@
 module github.com/rancher/dynamiclistener
 
-go 1.12
+go 1.23.0
+
+toolchain go1.24.6
 
 require (
-	github.com/hashicorp/golang-lru v0.5.1
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
-	github.com/sirupsen/logrus v1.4.1
-	github.com/stretchr/testify v1.3.0 // indirect
-	golang.org/x/crypto v0.0.0-20190506204251-e1dfcc566284
-	golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c // indirect
-	golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862 // indirect
-	golang.org/x/text v0.3.2 // indirect
+	github.com/rancher/wrangler/v2 v2.1.4
+	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/crypto v0.37.0
+	k8s.io/api v0.28.6
+	k8s.io/apimachinery v0.28.6
+	k8s.io/client-go v0.28.6
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/rancher/lasso v0.0.0-20240123150939-7055397d6dfa // indirect
+	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )

go.sum

@@ -1,38 +1,188 @@
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
+github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE=
+github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM=
+github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
+github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
+github.com/rancher/lasso v0.0.0-20240123150939-7055397d6dfa h1:eRhvQJjIpPxJunlS3e1J3qTghUy9MIrMjQa2aXYSC3k=
+github.com/rancher/lasso v0.0.0-20240123150939-7055397d6dfa/go.mod h1:utdskbIL7kdVvPCUFPEJQDWJwPHGFpUCRfVkX2G2Xxg=
+github.com/rancher/wrangler/v2 v2.1.4 h1:ohov0i6A9dJHHO6sjfsH4Dqv93ZTdm5lIJVJdPzVdQc=
+github.com/rancher/wrangler/v2 v2.1.4/go.mod h1:af5OaGU/COgreQh1mRbKiUI64draT2NN34uk+PALFY8=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190506204251-e1dfcc566284 h1:rlLehGeYg6jfoyz/eDqDU1iRXLKfR42nnNh57ytKEWo=
-golang.org/x/crypto v0.0.0-20190506204251-e1dfcc566284/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
+golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862 h1:rM0ROo5vb9AdYJi1110yjWGMej9ITfKddS89P3Fkhug=
-golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.28.6 h1:yy6u9CuIhmg55YvF/BavPBBXB+5QicB64njJXxVnzLo=
+k8s.io/api v0.28.6/go.mod h1:AM6Ys6g9MY3dl/XNaNfg/GePI0FT7WBGu8efU/lirAo=
+k8s.io/apimachinery v0.28.6 h1:RsTeR4z6S07srPg6XYrwXpTJVMXsjPXn0ODakMytSW0=
+k8s.io/apimachinery v0.28.6/go.mod h1:QFNX/kCl/EMT2WTSz8k4WLCv2XnkOLMaL8GAVRMdpsA=
+k8s.io/client-go v0.28.6 h1:Gge6ziyIdafRchfoBKcpaARuz7jfrK1R1azuwORIsQI=
+k8s.io/client-go v0.28.6/go.mod h1:+nu0Yp21Oeo/cBCsprNVXB2BfJTV51lFfe5tXl2rUL8=
+k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
+k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=

listener.go

@@ -0,0 +1,514 @@
+package dynamiclistener
+
+import (
+	"context"
+	"crypto"
+	"crypto/tls"
+	"crypto/x509"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/rancher/dynamiclistener/cert"
+	"github.com/rancher/dynamiclistener/factory"
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+)
+
+type TLSStorage interface {
+	Get() (*v1.Secret, error)
+	Update(secret *v1.Secret) error
+}
+
+type TLSFactory interface {
+	Renew(secret *v1.Secret) (*v1.Secret, error)
+	AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error)
+	Merge(target *v1.Secret, additional *v1.Secret) (*v1.Secret, bool, error)
+	Filter(cn ...string) []string
+	Regenerate(secret *v1.Secret) (*v1.Secret, error)
+}
+
+type SetFactory interface {
+	SetFactory(tls TLSFactory)
+}
+
+// Deprecated: Use NewListenerWithChain instead as it supports intermediate CAs
+func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
+	return NewListenerWithChain(l, storage, []*x509.Certificate{caCert}, caKey, config)
+}
+
+func NewListenerWithChain(l net.Listener, storage TLSStorage, caCert []*x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
+	if config.CN == "" {
+		config.CN = "dynamic"
+	}
+	if len(config.Organization) == 0 {
+		config.Organization = []string{"dynamic"}
+	}
+	if config.TLSConfig == nil {
+		config.TLSConfig = &tls.Config{}
+	}
+	if config.ExpirationDaysCheck == 0 {
+		config.ExpirationDaysCheck = 90
+	}
+
+	dynamicListener := &listener{
+		factory: &factory.TLS{
+			CACert:              caCert,
+			CAKey:               caKey,
+			CN:                  config.CN,
+			Organization:        config.Organization,
+			FilterCN:            allowDefaultSANs(config.SANs, config.FilterCN),
+			ExpirationDaysCheck: config.ExpirationDaysCheck,
+		},
+		Listener:  l,
+		certReady: make(chan struct{}),
+		storage:   &nonNil{storage: storage},
+		sans:      config.SANs,
+		maxSANs:   config.MaxSANs,
+		tlsConfig: config.TLSConfig,
+	}
+	if dynamicListener.tlsConfig == nil {
+		dynamicListener.tlsConfig = &tls.Config{}
+	}
+	dynamicListener.tlsConfig.GetCertificate = dynamicListener.getCertificate
+
+	if config.CloseConnOnCertChange {
+		if len(dynamicListener.tlsConfig.Certificates) == 0 {
+			dynamicListener.tlsConfig.NextProtos = []string{"http/1.1"}
+		}
+		dynamicListener.conns = map[int]*closeWrapper{}
+	}
+
+	if setter, ok := storage.(SetFactory); ok {
+		setter.SetFactory(dynamicListener.factory)
+	}
+
+	if config.RegenerateCerts != nil && config.RegenerateCerts() {
+		if err := dynamicListener.regenerateCerts(); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	tlsListener := tls.NewListener(dynamicListener.WrapExpiration(config.ExpirationDaysCheck), dynamicListener.tlsConfig)
+
+	return tlsListener, dynamicListener.cacheHandler(), nil
+}
+
+func allowDefaultSANs(sans []string, next func(...string) []string) func(...string) []string {
+	if next == nil {
+		return nil
+	} else if len(sans) == 0 {
+		return next
+	}
+
+	sanMap := map[string]bool{}
+	for _, san := range sans {
+		sanMap[san] = true
+	}
+
+	return func(s ...string) []string {
+		var (
+			good    []string
+			unknown []string
+		)
+		for _, s := range s {
+			if sanMap[s] {
+				good = append(good, s)
+			} else {
+				unknown = append(unknown, s)
+			}
+		}
+
+		return append(good, next(unknown...)...)
+	}
+}
+
+type cancelClose struct {
+	cancel func()
+	net.Listener
+}
+
+func (c *cancelClose) Close() error {
+	c.cancel()
+	return c.Listener.Close()
+}
+
+type Config struct {
+	CN                    string
+	Organization          []string
+	TLSConfig             *tls.Config
+	SANs                  []string
+	MaxSANs               int
+	ExpirationDaysCheck   int
+	CloseConnOnCertChange bool
+	RegenerateCerts       func() bool
+	FilterCN              func(...string) []string
+}
+
+type listener struct {
+	sync.RWMutex
+	net.Listener
+
+	conns    map[int]*closeWrapper
+	connID   int
+	connLock sync.Mutex
+
+	factory   TLSFactory
+	storage   TLSStorage
+	version   string
+	tlsConfig *tls.Config
+	cert      *tls.Certificate
+	certReady chan struct{}
+	sans      []string
+	maxSANs   int
+	init      sync.Once
+}
+
+func (l *listener) WrapExpiration(days int) net.Listener {
+	ctx, cancel := context.WithCancel(context.Background())
+	go func() {
+
+		// wait for cert to be set, this will unblock when the channel is closed
+		select {
+		case <-ctx.Done():
+			return
+		case <-l.certReady:
+		}
+
+		for {
+			wait := 6 * time.Hour
+			if err := l.checkExpiration(days); err != nil {
+				logrus.Errorf("dynamiclistener %s: failed to check and renew dynamic cert: %v", l.Addr(), err)
+				// Don't go into short retry loop if we're using a static (user-provided) cert.
+				// We will still check and print an error every six hours until the user updates the secret with
+				// a cert that is not about to expire. Hopefully this will prompt them to take action.
+				if err != cert.ErrStaticCert {
+					wait = 5 * time.Minute
+				}
+			}
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(wait):
+			}
+		}
+	}()
+
+	return &cancelClose{
+		cancel:   cancel,
+		Listener: l,
+	}
+}
+
+// regenerateCerts regenerates the used certificates and
+// updates the secret.
+func (l *listener) regenerateCerts() error {
+	l.Lock()
+	defer l.Unlock()
+
+	secret, err := l.storage.Get()
+	if err != nil {
+		return err
+	}
+
+	newSecret, err := l.factory.Regenerate(secret)
+	if err != nil {
+		return err
+	}
+	if err := l.storage.Update(newSecret); err != nil {
+		return err
+	}
+	// clear version to force cert reload
+	l.version = ""
+
+	return nil
+}
+
+func (l *listener) checkExpiration(days int) error {
+	l.Lock()
+	defer l.Unlock()
+
+	if days == 0 {
+		return nil
+	}
+
+	if l.cert == nil {
+		return nil
+	}
+
+	secret, err := l.storage.Get()
+	if err != nil {
+		return err
+	}
+
+	keyPair, err := tls.X509KeyPair(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+	if err != nil {
+		return err
+	}
+
+	certParsed, err := x509.ParseCertificate(keyPair.Certificate[0])
+	if err != nil {
+		return err
+	}
+
+	if cert.IsCertExpired(certParsed, days) {
+		secret, err := l.factory.Renew(secret)
+		if err != nil {
+			return err
+		}
+		if err := l.storage.Update(secret); err != nil {
+			return err
+		}
+		// clear version to force cert reload
+		l.version = ""
+	}
+
+	return nil
+}
+
+func (l *listener) Accept() (net.Conn, error) {
+	l.init.Do(func() {
+		if len(l.sans) > 0 {
+			if err := l.updateCert(l.sans...); err != nil {
+				logrus.Errorf("dynamiclistener %s: failed to update cert with configured SANs: %v", l.Addr(), err)
+				return
+			}
+		}
+		if cert, err := l.loadCert(nil); err != nil {
+			logrus.Errorf("dynamiclistener %s: failed to preload certificate: %v", l.Addr(), err)
+		} else if cert == nil {
+			// This should only occur on the first startup when no SANs are configured in the listener config, in which
+			// case no certificate can be created, as dynamiclistener will not create certificates until at least one IP
+			// or DNS SAN is set. It will also occur when using the Kubernetes storage without a local File cache.
+			// For reliable serving of requests, callers should configure a local cache and/or a default set of SANs.
+			logrus.Warnf("dynamiclistener %s: no cached certificate available for preload - deferring certificate load until storage initialization or first client request", l.Addr())
+		}
+	})
+
+	conn, err := l.Listener.Accept()
+	if err != nil {
+		return conn, err
+	}
+
+	addr := conn.LocalAddr()
+	if addr == nil {
+		return conn, nil
+	}
+
+	host, _, err := net.SplitHostPort(addr.String())
+	if err != nil {
+		logrus.Errorf("dynamiclistener %s: failed to parse connection local address %s: %v", l.Addr(), addr, err)
+		return conn, nil
+	}
+
+	if err := l.updateCert(host); err != nil {
+		logrus.Errorf("dynamiclistener %s: failed to update cert with connection local address: %v", l.Addr(), err)
+	}
+
+	if l.conns != nil {
+		conn = l.wrap(conn)
+	}
+
+	return conn, nil
+}
+
+func (l *listener) wrap(conn net.Conn) net.Conn {
+	l.connLock.Lock()
+	defer l.connLock.Unlock()
+	l.connID++
+
+	wrapper := &closeWrapper{
+		Conn: conn,
+		id:   l.connID,
+		l:    l,
+	}
+	l.conns[l.connID] = wrapper
+
+	return wrapper
+}
+
+type closeWrapper struct {
+	net.Conn
+	id    int
+	l     *listener
+	ready bool
+}
+
+func (c *closeWrapper) close() error {
+	delete(c.l.conns, c.id)
+	return c.Conn.Close()
+}
+
+func (c *closeWrapper) Close() error {
+	c.l.connLock.Lock()
+	defer c.l.connLock.Unlock()
+	return c.close()
+}
+
+func (l *listener) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	newConn := hello.Conn
+	if hello.ServerName != "" {
+		if err := l.updateCert(hello.ServerName); err != nil {
+			logrus.Errorf("dynamiclistener %s: failed to update cert with TLS ServerName: %v", l.Addr(), err)
+			return nil, err
+		}
+	}
+	connCert, err := l.loadCert(newConn)
+	if connCert != nil && err == nil && newConn != nil && l.conns != nil {
+		// if we were successfully able to load a cert and are closing connections on cert changes, mark newConn ready
+		// this will allow us to close the connection if a future connection forces the cert to re-load
+		wrapper, ok := newConn.(*closeWrapper)
+		if !ok {
+			logrus.Debugf("will not mark non-close wrapper connection from %s to %s as ready", newConn.RemoteAddr(), newConn.LocalAddr())
+			return connCert, err
+		}
+		l.connLock.Lock()
+		l.conns[wrapper.id].ready = true
+		l.connLock.Unlock()
+	}
+	return connCert, err
+}
+
+func (l *listener) updateCert(cn ...string) error {
+	cn = l.factory.Filter(cn...)
+	if len(cn) == 0 {
+		return nil
+	}
+
+	l.RLock()
+	defer l.RUnlock()
+
+	secret, err := l.storage.Get()
+	if err != nil {
+		return err
+	}
+
+	if factory.IsStatic(secret) || !factory.NeedsUpdate(l.maxSANs, secret, cn...) {
+		return nil
+	}
+
+	l.RUnlock()
+	l.Lock()
+	defer l.RLock()
+	defer l.Unlock()
+
+	secret, updated, err := l.factory.AddCN(secret, append(l.sans, cn...)...)
+	if err != nil {
+		return err
+	}
+
+	if updated {
+		if err := l.storage.Update(secret); err != nil {
+			return err
+		}
+		// Clear version to force cert reload next time loadCert is called by TLSConfig's
+		// GetCertificate hook to provide a certificate for a new connection. Note that this
+		// means the old certificate stays in l.cert until a new connection is made.
+		l.version = ""
+	}
+
+	return nil
+}
+
+func (l *listener) loadCert(currentConn net.Conn) (*tls.Certificate, error) {
+	l.RLock()
+	defer l.RUnlock()
+
+	secret, err := l.storage.Get()
+	if err != nil {
+		return nil, err
+	}
+	if l.cert != nil && l.version == secret.ResourceVersion && secret.ResourceVersion != "" {
+		return l.cert, nil
+	}
+
+	defer l.RLock()
+	l.RUnlock()
+	l.Lock()
+	defer l.Unlock()
+
+	secret, err = l.storage.Get()
+	if err != nil {
+		return nil, err
+	}
+	if !cert.IsValidTLSSecret(secret) {
+		return l.cert, nil
+	}
+	if l.cert != nil && l.version == secret.ResourceVersion && secret.ResourceVersion != "" {
+		return l.cert, nil
+	}
+
+	cert, err := tls.X509KeyPair(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+	if err != nil {
+		return nil, err
+	}
+
+	// cert has changed, close closeWrapper wrapped connections if this isn't the first load
+	if currentConn != nil && l.conns != nil && l.cert != nil {
+		l.connLock.Lock()
+		for _, conn := range l.conns {
+			// Don't close a connection that's in the middle of completing a TLS handshake
+			if !conn.ready {
+				continue
+			}
+			_ = conn.close()
+		}
+		l.connLock.Unlock()
+	}
+
+	// we can only close the ready channel once when the cert is first assigned
+	canClose := l.cert == nil
+	l.cert = &cert
+	if canClose {
+		close(l.certReady)
+	}
+	l.version = secret.ResourceVersion
+	return l.cert, nil
+}
+
+func (l *listener) cacheHandler() http.Handler {
+	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+		h, _, err := net.SplitHostPort(req.Host)
+		if err != nil {
+			h = req.Host
+		}
+
+		ip := net.ParseIP(h)
+		if len(ip) > 0 {
+			for _, v := range req.Header["User-Agent"] {
+				if strings.Contains(strings.ToLower(v), "mozilla") {
+					return
+				}
+			}
+
+			if err := l.updateCert(h); err != nil {
+				logrus.Errorf("dynamiclistener %s: failed to update cert with HTTP request Host header: %v", l.Addr(), err)
+			}
+		}
+	})
+}
+
+type nonNil struct {
+	sync.Mutex
+	storage TLSStorage
+}
+
+func (n *nonNil) Get() (*v1.Secret, error) {
+	n.Lock()
+	defer n.Unlock()
+
+	s, err := n.storage.Get()
+	if err != nil || s == nil {
+		return &v1.Secret{}, err
+	}
+	return s, nil
+}
+
+func (n *nonNil) Update(secret *v1.Secret) error {
+	n.Lock()
+	defer n.Unlock()
+
+	return n.storage.Update(secret)
+}

listener_test.go

@@ -0,0 +1,225 @@
+package dynamiclistener
+
+import (
+	"crypto/tls"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/rancher/dynamiclistener/factory"
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	apiError "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func Test_getCertificate(t *testing.T) {
+	beforeKey, beforeCert, err := newCertificate()
+	assert.NoError(t, err, "Error when setting up test - unable to construct before key for test")
+	beforeTLSCert, err := tls.X509KeyPair(beforeCert, beforeKey)
+	assert.NoError(t, err, "Error when setting up test - unable to convert before to tls.Certificate")
+	afterKey, afterCert, err := newCertificate()
+	assert.NoError(t, err, "Error when setting up test - unable to construct after key for test")
+	afterTLSCert, err := tls.X509KeyPair(afterCert, afterKey)
+	assert.NoError(t, err, "Error when setting up test - unable to convert after to tls.Certificate")
+	tests := []struct {
+		// input test vars
+		name          string
+		secret        *v1.Secret
+		secretErr     error
+		cachedCert    *tls.Certificate
+		cachedVersion string
+		currentConn   *closeWrapper
+		otherConns    map[int]*closeWrapper
+
+		// output/result test vars
+		closedConns  []int
+		expectedCert *tls.Certificate
+		wantError    bool
+	}{
+		{
+			name:   "no secret found",
+			secret: nil,
+			secretErr: apiError.NewNotFound(schema.GroupResource{
+				Group:    "",
+				Resource: "Secret",
+			}, "testSecret"),
+			currentConn: &closeWrapper{id: 0},
+			otherConns:  map[int]*closeWrapper{},
+
+			expectedCert: nil,
+			wantError:    true,
+		},
+		{
+			name: "secret found, and is up to date",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "1",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSCertKey:       beforeCert,
+					v1.TLSPrivateKeyKey: beforeKey,
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns:    map[int]*closeWrapper{},
+
+			expectedCert: &beforeTLSCert,
+			wantError:    false,
+		},
+		{
+			name: "secret found, is not up to date, but k8s secret is not valid",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "2",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSPrivateKeyKey: []byte("strawberry"),
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns:    map[int]*closeWrapper{},
+
+			expectedCert: &beforeTLSCert,
+			wantError:    false,
+		},
+		{
+			name: "secret found, but is not up to date",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "2",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSCertKey:       afterCert,
+					v1.TLSPrivateKeyKey: afterKey,
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns:    map[int]*closeWrapper{},
+
+			expectedCert: &afterTLSCert,
+			wantError:    false,
+		},
+		{
+			name: "secret found, is not up to date, and we have conns using current cert",
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: "2",
+					Name:            "testSecret",
+					Namespace:       "test",
+				},
+				Data: map[string][]byte{
+					v1.TLSCertKey:       afterCert,
+					v1.TLSPrivateKeyKey: afterKey,
+				},
+			},
+			cachedVersion: "1",
+			cachedCert:    &beforeTLSCert,
+			currentConn:   &closeWrapper{id: 0},
+			otherConns: map[int]*closeWrapper{
+				1: {
+					id:    1,
+					ready: false,
+					Conn:  &fakeConn{},
+				},
+				2: {
+					id:    2,
+					ready: true,
+					Conn:  &fakeConn{},
+				},
+			},
+
+			closedConns:  []int{2},
+			expectedCert: &afterTLSCert,
+			wantError:    false,
+		},
+	}
+	for i := range tests {
+		test := tests[i]
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			testConns := test.otherConns
+			if testConns != nil {
+				testConns[test.currentConn.id] = test.currentConn
+				// make sure our conn is listed as one of the current connections
+			}
+			l := listener{
+				cert:    test.cachedCert,
+				version: test.cachedVersion,
+				storage: &MockTLSStorage{
+					Secret:    test.secret,
+					SecretErr: test.secretErr,
+				},
+				conns: testConns,
+			}
+			for _, conn := range testConns {
+				conn.l = &l
+			}
+			newCert, err := l.getCertificate(&tls.ClientHelloInfo{Conn: test.currentConn})
+			if test.wantError {
+				assert.Errorf(t, err, "expected an error but none was provdied")
+			} else {
+				assert.NoError(t, err, "did not expect an error but got one")
+			}
+			assert.Equal(t, test.expectedCert, newCert, "expected cert did not match actual cert")
+			if test.expectedCert != nil && test.wantError == false && test.currentConn != nil && test.otherConns != nil {
+				assert.True(t, test.currentConn.ready, "expected connection to be ready but it was not")
+			} else {
+				if test.currentConn != nil {
+					assert.False(t, test.currentConn.ready, "did not expect connection to be ready")
+				}
+			}
+			for _, closedConn := range test.closedConns {
+				_, ok := l.conns[closedConn]
+				assert.False(t, ok, "closed conns should not be found")
+			}
+		})
+	}
+}
+
+func newCertificate() ([]byte, []byte, error) {
+	cert, key, err := factory.GenCA()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return factory.MarshalChain(key, cert)
+}
+
+type MockTLSStorage struct {
+	Secret    *v1.Secret
+	SecretErr error
+}
+
+func (m *MockTLSStorage) Get() (*v1.Secret, error) {
+	return m.Secret, m.SecretErr
+}
+
+func (m *MockTLSStorage) Update(secret *v1.Secret) error {
+	panic("Not implemented")
+}
+
+// adapted from k8s.io/apimachinery@v0.18.8/pkg/util.proxy/ugradeaware_test.go
+type fakeConn struct{}
+
+func (f *fakeConn) Read([]byte) (int, error)        { return 0, nil }
+func (f *fakeConn) Write([]byte) (int, error)       { return 0, nil }
+func (f *fakeConn) Close() error                    { return nil }
+func (fakeConn) LocalAddr() net.Addr                { return nil }
+func (fakeConn) RemoteAddr() net.Addr               { return nil }
+func (fakeConn) SetDeadline(t time.Time) error      { return nil }
+func (fakeConn) SetReadDeadline(t time.Time) error  { return nil }
+func (fakeConn) SetWriteDeadline(t time.Time) error { return nil }

read.go

@@ -1,50 +0,0 @@
-package dynamiclistener
-
-import (
-	"fmt"
-	"io/ioutil"
-	"path/filepath"
-)
-
-func ReadTLSConfig(userConfig *UserConfig) error {
-	var err error
-
-	path := userConfig.CertPath
-
-	userConfig.CACerts, err = readPEM(filepath.Join(path, "cacerts.pem"))
-	if err != nil {
-		return err
-	}
-
-	userConfig.Key, err = readPEM(filepath.Join(path, "key.pem"))
-	if err != nil {
-		return err
-	}
-
-	userConfig.Cert, err = readPEM(filepath.Join(path, "cert.pem"))
-	if err != nil {
-		return err
-	}
-
-	valid := false
-	if userConfig.Key != "" && userConfig.Cert != "" {
-		valid = true
-	} else if userConfig.Key == "" && userConfig.Cert == "" {
-		valid = true
-	}
-
-	if !valid {
-		return fmt.Errorf("invalid SSL configuration found, please set cert/key, cert/key/cacerts, cacerts only, or none")
-	}
-
-	return nil
-}
-
-func readPEM(path string) (string, error) {
-	content, err := ioutil.ReadFile(path)
-	if err != nil {
-		return "", nil
-	}
-
-	return string(content), nil
-}

redirect.go

@@ -0,0 +1,46 @@
+package dynamiclistener
+
+import (
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+// Approach taken from letsencrypt, except manglePort is specific to us
+func HTTPRedirect(next http.Handler) http.Handler {
+	return http.HandlerFunc(
+		func(rw http.ResponseWriter, r *http.Request) {
+			if r.TLS != nil ||
+				r.Header.Get("x-Forwarded-Proto") == "https" ||
+				r.Header.Get("x-Forwarded-Proto") == "wss" ||
+				strings.HasPrefix(r.URL.Path, "/.well-known/") ||
+				strings.HasPrefix(r.URL.Path, "/ping") ||
+				strings.HasPrefix(r.URL.Path, "/health") {
+				next.ServeHTTP(rw, r)
+				return
+			}
+			if r.Method != "GET" && r.Method != "HEAD" {
+				http.Error(rw, "Use HTTPS", http.StatusBadRequest)
+				return
+			}
+			target := "https://" + manglePort(r.Host) + r.URL.RequestURI()
+			http.Redirect(rw, r, target, http.StatusFound)
+		})
+}
+
+func manglePort(hostport string) string {
+	host, port, err := net.SplitHostPort(hostport)
+	if err != nil {
+		return hostport
+	}
+
+	portInt, err := strconv.Atoi(port)
+	if err != nil {
+		return hostport
+	}
+
+	portInt = ((portInt / 1000) * 1000) + 443
+
+	return net.JoinHostPort(host, strconv.Itoa(portInt))
+}

server.go

@@ -1,551 +0,0 @@
-package dynamiclistener
-
-import (
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"log"
-	"net"
-	"net/http"
-	"reflect"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	cert "github.com/rancher/dynamiclistener/cert"
-	"github.com/sirupsen/logrus"
-)
-
-type server struct {
-	sync.Mutex
-
-	userConfig          UserConfig
-	listenConfigStorage ListenerConfigStorage
-	tlsCert             *tls.Certificate
-
-	ips     map[string]bool
-	domains map[string]bool
-	cn      string
-
-	listeners []net.Listener
-	servers   []*http.Server
-
-	activeCA    *x509.Certificate
-	activeCAKey crypto.Signer
-}
-
-func NewServer(listenConfigStorage ListenerConfigStorage, config UserConfig) (ServerInterface, error) {
-	s := &server{
-		userConfig:          config,
-		listenConfigStorage: listenConfigStorage,
-		cn:                  "cattle",
-	}
-
-	s.ips = map[string]bool{}
-	s.domains = map[string]bool{}
-
-	if err := s.userConfigure(); err != nil {
-		return nil, err
-	}
-
-	lc, err := listenConfigStorage.Get()
-	if err != nil {
-		return nil, err
-	}
-
-	return s, s.Update(lc)
-}
-
-func (s *server) CACert() (string, error) {
-	if s.userConfig.NoCACerts {
-		return "", nil
-	}
-	if s.userConfig.CACerts != "" {
-		return s.userConfig.CACerts, nil
-	}
-	return "", fmt.Errorf("ca cert not found")
-}
-
-func marshalPrivateKey(privateKey crypto.Signer) (string, []byte, error) {
-	var (
-		keyType string
-		bytes   []byte
-		err     error
-	)
-	if key, ok := privateKey.(*ecdsa.PrivateKey); ok {
-		keyType = cert.ECPrivateKeyBlockType
-		bytes, err = x509.MarshalECPrivateKey(key)
-	} else if key, ok := privateKey.(*rsa.PrivateKey); ok {
-		keyType = cert.RSAPrivateKeyBlockType
-		bytes = x509.MarshalPKCS1PrivateKey(key)
-	} else {
-		keyType = cert.PrivateKeyBlockType
-		bytes, err = x509.MarshalPKCS8PrivateKey(privateKey)
-	}
-	if err != nil {
-		logrus.Errorf("Unable to marshal private key: %v", err)
-	}
-	return keyType, bytes, err
-}
-
-func newPrivateKey() (crypto.Signer, error) {
-	caKeyBytes, err := cert.MakeEllipticPrivateKeyPEM()
-	if err != nil {
-		return nil, err
-	}
-	caKeyIFace, err := cert.ParsePrivateKeyPEM(caKeyBytes)
-	if err != nil {
-		return nil, err
-	}
-	return caKeyIFace.(crypto.Signer), nil
-}
-
-func (s *server) save() (_err error) {
-	defer func() {
-		if _err != nil {
-			logrus.Errorf("Saving cert error: %s", _err)
-		}
-	}()
-
-	certStr, err := certToString(s.tlsCert)
-	if err != nil {
-		return err
-	}
-	cfg, err := s.listenConfigStorage.Get()
-	if err != nil {
-		return err
-	}
-	cfg.GeneratedCerts = map[string]string{s.cn: certStr}
-
-	_, err = s.listenConfigStorage.Set(cfg)
-	return err
-}
-
-func (s *server) userConfigure() error {
-	if s.userConfig.HTTPSPort == 0 {
-		s.userConfig.HTTPSPort = 8443
-	}
-
-	for _, d := range s.userConfig.Domains {
-		s.domains[d] = true
-	}
-
-	for _, ip := range s.userConfig.KnownIPs {
-		if netIP := net.ParseIP(ip); netIP != nil {
-			s.ips[ip] = true
-		}
-	}
-
-	if bindAddress := net.ParseIP(s.userConfig.BindAddress); bindAddress != nil {
-		s.ips[s.userConfig.BindAddress] = true
-	}
-
-	if s.activeCA == nil && s.activeCAKey == nil {
-		if s.userConfig.CACerts != "" && s.userConfig.CAKey != "" {
-			ca, err := cert.ParseCertsPEM([]byte(s.userConfig.CACerts))
-			if err != nil {
-				return err
-			}
-			key, err := cert.ParsePrivateKeyPEM([]byte(s.userConfig.CAKey))
-			if err != nil {
-				return err
-			}
-			s.activeCA = ca[0]
-			s.activeCAKey = key.(crypto.Signer)
-		} else {
-			ca, key, err := genCA()
-			if err != nil {
-				return err
-			}
-			s.activeCA = ca
-			s.activeCAKey = key
-		}
-	}
-
-	return nil
-}
-
-func genCA() (*x509.Certificate, crypto.Signer, error) {
-	caKey, err := newPrivateKey()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	caCert, err := cert.NewSelfSignedCACert(cert.Config{
-		CommonName:   "k3s-ca",
-		Organization: []string{"k3s-org"},
-	}, caKey)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return caCert, caKey, nil
-}
-
-func (s *server) Update(status *ListenerStatus) (_err error) {
-	s.Lock()
-	defer func() {
-		s.Unlock()
-		if _err != nil {
-			logrus.Errorf("Update cert error: %s", _err)
-		}
-		if s.tlsCert == nil {
-			s.getCertificate(&tls.ClientHelloInfo{ServerName: "localhost"})
-		}
-	}()
-
-	certString := status.GeneratedCerts[s.cn]
-	tlsCert, err := stringToCert(certString)
-	if err != nil {
-		logrus.Errorf("Update cert unable to convert string to cert: %s", err)
-		s.tlsCert = nil
-	}
-	if tlsCert != nil {
-		s.tlsCert = tlsCert
-		for i, certBytes := range tlsCert.Certificate {
-			cert, err := x509.ParseCertificate(certBytes)
-			if err != nil {
-				logrus.Errorf("Update cert %d parse error: %s", i, err)
-				s.tlsCert = nil
-				break
-			}
-
-			ips := map[string]bool{}
-			for _, ip := range cert.IPAddresses {
-				ips[ip.String()] = true
-			}
-
-			domains := map[string]bool{}
-			for _, domain := range cert.DNSNames {
-				domains[domain] = true
-			}
-
-			if !(reflect.DeepEqual(ips, s.ips) && reflect.DeepEqual(domains, s.domains)) {
-				subset := true
-				for ip := range s.ips {
-					if !ips[ip] {
-						subset = false
-						break
-					}
-				}
-				if subset {
-					for domain := range s.domains {
-						if !domains[domain] {
-							subset = false
-							break
-						}
-					}
-				}
-				if !subset {
-					s.tlsCert = nil
-				}
-				for ip := range ips {
-					s.ips[ip] = true
-				}
-				for domain := range domains {
-					s.domains[domain] = true
-				}
-			}
-		}
-	}
-
-	return s.reload()
-}
-
-func (s *server) shutdown() error {
-	for _, listener := range s.listeners {
-		if err := listener.Close(); err != nil {
-			return err
-		}
-	}
-	s.listeners = nil
-
-	for _, server := range s.servers {
-		go server.Shutdown(context.Background())
-	}
-	s.servers = nil
-
-	return nil
-}
-
-func (s *server) reload() error {
-	if len(s.listeners) > 0 {
-		return nil
-	}
-
-	if err := s.shutdown(); err != nil {
-		return err
-	}
-
-	if err := s.serveHTTPS(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *server) getCertificate(hello *tls.ClientHelloInfo) (_servingCert *tls.Certificate, _err error) {
-	s.Lock()
-	changed := false
-
-	defer func() {
-		defer s.Unlock()
-
-		if _err != nil {
-			logrus.Errorf("Get certificate error: %s", _err)
-			return
-		}
-
-		if changed {
-			s.save()
-		}
-	}()
-
-	if hello.ServerName != "" && !s.domains[hello.ServerName] {
-		s.tlsCert = nil
-		s.domains[hello.ServerName] = true
-	}
-
-	if s.tlsCert != nil {
-		return s.tlsCert, nil
-	}
-
-	ips := []net.IP{}
-	for ipStr := range s.ips {
-		if ip := net.ParseIP(ipStr); ip != nil {
-			ips = append(ips, ip)
-		}
-	}
-
-	dnsNames := []string{}
-	for domain := range s.domains {
-		dnsNames = append(dnsNames, domain)
-	}
-
-	cfg := cert.Config{
-		CommonName:   s.cn,
-		Organization: s.activeCA.Subject.Organization,
-		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		AltNames: cert.AltNames{
-			DNSNames: dnsNames,
-			IPs:      ips,
-		},
-	}
-
-	key, err := newPrivateKey()
-	if err != nil {
-		return nil, err
-	}
-
-	cert, err := cert.NewSignedCert(cfg, key, s.activeCA, s.activeCAKey)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsCert := &tls.Certificate{
-		Certificate: [][]byte{
-			cert.Raw,
-		},
-		PrivateKey: key,
-	}
-
-	changed = true
-	s.tlsCert = tlsCert
-	return tlsCert, nil
-}
-
-func (s *server) cacheHandler(handler http.Handler) http.Handler {
-	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-		h, _, err := net.SplitHostPort(req.Host)
-		if err != nil {
-			h = req.Host
-		}
-
-		s.Lock()
-		if ip := net.ParseIP(h); ip != nil {
-			if !s.ips[h] {
-				s.ips[h] = true
-				s.tlsCert = nil
-			}
-		} else {
-			if !s.domains[h] {
-				s.domains[h] = true
-				s.tlsCert = nil
-			}
-		}
-		s.Unlock()
-
-		handler.ServeHTTP(resp, req)
-	})
-}
-
-func (s *server) serveHTTPS() error {
-	conf := &tls.Config{
-		ClientAuth:               tls.RequestClientCert,
-		GetCertificate:           s.getCertificate,
-		PreferServerCipherSuites: true,
-	}
-
-	listener, err := s.newListener(s.userConfig.BindAddress, s.userConfig.HTTPSPort, conf)
-	if err != nil {
-		return err
-	}
-
-	logger := logrus.StandardLogger()
-	server := &http.Server{
-		Handler:  s.cacheHandler(s.Handler()),
-		ErrorLog: log.New(logger.WriterLevel(logrus.DebugLevel), "", log.LstdFlags),
-	}
-
-	s.servers = append(s.servers, server)
-	s.startServer(listener, server)
-
-	if s.userConfig.HTTPPort > 0 {
-		httpListener, err := s.newListener(s.userConfig.BindAddress, s.userConfig.HTTPPort, nil)
-		if err != nil {
-			return err
-		}
-
-		httpServer := &http.Server{
-			Handler:  s.cacheHandler(httpRedirect(s.Handler())),
-			ErrorLog: log.New(logger.WriterLevel(logrus.DebugLevel), "", log.LstdFlags),
-		}
-
-		s.servers = append(s.servers, httpServer)
-		s.startServer(httpListener, httpServer)
-	}
-
-	return nil
-}
-
-// Approach taken from letsencrypt, except manglePort is specific to us
-func httpRedirect(next http.Handler) http.Handler {
-	return http.HandlerFunc(
-		func(rw http.ResponseWriter, r *http.Request) {
-			if r.Header.Get("x-Forwarded-Proto") == "https" ||
-				strings.HasPrefix(r.URL.Path, "/ping") ||
-				strings.HasPrefix(r.URL.Path, "/health") {
-				next.ServeHTTP(rw, r)
-				return
-			}
-			if r.Method != "GET" && r.Method != "HEAD" {
-				http.Error(rw, "Use HTTPS", http.StatusBadRequest)
-				return
-			}
-			target := "https://" + manglePort(r.Host) + r.URL.RequestURI()
-			http.Redirect(rw, r, target, http.StatusFound)
-		})
-}
-
-func manglePort(hostport string) string {
-	host, port, err := net.SplitHostPort(hostport)
-	if err != nil {
-		return hostport
-	}
-
-	portInt, err := strconv.Atoi(port)
-	if err != nil {
-		return hostport
-	}
-
-	portInt = ((portInt / 1000) * 1000) + 443
-
-	return net.JoinHostPort(host, strconv.Itoa(portInt))
-}
-
-func (s *server) startServer(listener net.Listener, server *http.Server) {
-	go func() {
-		if err := server.Serve(listener); err != nil {
-			logrus.Errorf("server on %v returned err: %v", listener.Addr(), err)
-		}
-	}()
-}
-
-func (s *server) Handler() http.Handler {
-	return s.userConfig.Handler
-}
-
-func (s *server) newListener(ip string, port int, config *tls.Config) (net.Listener, error) {
-	addr := fmt.Sprintf("%s:%d", ip, port)
-	l, err := net.Listen("tcp", addr)
-	if err != nil {
-		return nil, err
-	}
-
-	l = tcpKeepAliveListener{l.(*net.TCPListener)}
-
-	if config != nil {
-		l = tls.NewListener(l, config)
-	}
-
-	s.listeners = append(s.listeners, l)
-	logrus.Info("Listening on ", addr)
-	return l, nil
-}
-
-func stringToCert(certString string) (*tls.Certificate, error) {
-	parts := strings.Split(certString, "#")
-	if len(parts) != 2 {
-		return nil, errors.New("Unable to split cert into two parts")
-	}
-
-	certPart, keyPart := parts[0], parts[1]
-	keyBytes, err := base64.StdEncoding.DecodeString(keyPart)
-	if err != nil {
-		return nil, err
-	}
-
-	key, err := cert.ParsePrivateKeyPEM(keyBytes)
-	if err != nil {
-		return nil, err
-	}
-
-	certBytes, err := base64.StdEncoding.DecodeString(certPart)
-	if err != nil {
-		return nil, err
-	}
-
-	return &tls.Certificate{
-		Certificate: [][]byte{certBytes},
-		PrivateKey:  key,
-	}, nil
-}
-
-func certToString(cert *tls.Certificate) (string, error) {
-	keyType, keyBytes, err := marshalPrivateKey(cert.PrivateKey.(crypto.Signer))
-	if err != nil {
-		return "", err
-	}
-
-	privateKeyPemBlock := &pem.Block{
-		Type:  keyType,
-		Bytes: keyBytes,
-	}
-	pemBytes := pem.EncodeToMemory(privateKeyPemBlock)
-
-	certString := base64.StdEncoding.EncodeToString(cert.Certificate[0])
-	keyString := base64.StdEncoding.EncodeToString(pemBytes)
-	return certString + "#" + keyString, nil
-}
-
-type tcpKeepAliveListener struct {
-	*net.TCPListener
-}
-
-func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
-	tc, err := ln.AcceptTCP()
-	if err != nil {
-		return
-	}
-	tc.SetKeepAlive(true)
-	tc.SetKeepAlivePeriod(3 * time.Minute)
-	return tc, nil
-}

server/server.go

@@ -0,0 +1,232 @@
+package server
+
+import (
+	"context"
+	"crypto"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+
+	"github.com/rancher/dynamiclistener"
+	"github.com/rancher/dynamiclistener/factory"
+	"github.com/rancher/dynamiclistener/storage/file"
+	"github.com/rancher/dynamiclistener/storage/kubernetes"
+	"github.com/rancher/dynamiclistener/storage/memory"
+	v1 "github.com/rancher/wrangler/v2/pkg/generated/controllers/core/v1"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/acme/autocert"
+)
+
+type ListenOpts struct {
+	CAChain []*x509.Certificate
+	// Deprecated: Use CAChain instead
+	CA                *x509.Certificate
+	CAKey             crypto.Signer
+	Storage           dynamiclistener.TLSStorage
+	Secrets           v1.SecretController
+	CertNamespace     string
+	CertName          string
+	CANamespace       string
+	CAName            string
+	CertBackup        string
+	AcmeDomains       []string
+	BindHost          string
+	NoRedirect        bool
+	TLSListenerConfig dynamiclistener.Config
+}
+
+func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.Handler, opts *ListenOpts) error {
+	if opts == nil {
+		opts = &ListenOpts{}
+	}
+
+	if opts.TLSListenerConfig.TLSConfig == nil {
+		opts.TLSListenerConfig.TLSConfig = &tls.Config{}
+	}
+
+	logger := logrus.StandardLogger()
+	errorLog := log.New(logger.WriterLevel(logrus.DebugLevel), "", log.LstdFlags)
+
+	if httpsPort > 0 {
+		tlsTCPListener, err := dynamiclistener.NewTCPListener(opts.BindHost, httpsPort)
+		if err != nil {
+			return err
+		}
+
+		tlsTCPListener, handler, err = getTLSListener(ctx, tlsTCPListener, handler, *opts)
+		if err != nil {
+			return err
+		}
+
+		if !opts.NoRedirect {
+			handler = dynamiclistener.HTTPRedirect(handler)
+		}
+
+		tlsServer := http.Server{
+			Handler: handler,
+			BaseContext: func(listener net.Listener) context.Context {
+				return ctx
+			},
+			ErrorLog: errorLog,
+		}
+
+		go func() {
+			logrus.Infof("Listening on %s:%d", opts.BindHost, httpsPort)
+			err := tlsServer.Serve(tlsTCPListener)
+			if err != http.ErrServerClosed && err != nil {
+				logrus.Fatalf("https server failed: %v", err)
+			}
+		}()
+		go func() {
+			<-ctx.Done()
+			tlsServer.Shutdown(context.Background())
+		}()
+	}
+
+	if httpPort > 0 {
+		httpServer := http.Server{
+			Addr:     fmt.Sprintf("%s:%d", opts.BindHost, httpPort),
+			Handler:  handler,
+			ErrorLog: errorLog,
+			BaseContext: func(listener net.Listener) context.Context {
+				return ctx
+			},
+		}
+		go func() {
+			logrus.Infof("Listening on %s:%d", opts.BindHost, httpPort)
+			err := httpServer.ListenAndServe()
+			if err != http.ErrServerClosed && err != nil {
+				logrus.Fatalf("http server failed: %v", err)
+			}
+		}()
+		go func() {
+			<-ctx.Done()
+			httpServer.Shutdown(context.Background())
+		}()
+	}
+
+	return nil
+}
+
+func getTLSListener(ctx context.Context, tcp net.Listener, handler http.Handler, opts ListenOpts) (net.Listener, http.Handler, error) {
+	if len(opts.TLSListenerConfig.TLSConfig.NextProtos) == 0 {
+		opts.TLSListenerConfig.TLSConfig.NextProtos = []string{"h2", "http/1.1"}
+	}
+
+	if len(opts.TLSListenerConfig.TLSConfig.Certificates) > 0 {
+		return tls.NewListener(tcp, opts.TLSListenerConfig.TLSConfig), handler, nil
+	}
+
+	if len(opts.AcmeDomains) > 0 {
+		return acmeListener(tcp, handler, opts)
+	}
+
+	storage := opts.Storage
+	if storage == nil {
+		storage = newStorage(ctx, opts)
+	}
+
+	caCert, caKey, err := getCA(opts)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	listener, dynHandler, err := dynamiclistener.NewListenerWithChain(tcp, storage, caCert, caKey, opts.TLSListenerConfig)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return listener, wrapHandler(dynHandler, handler), nil
+}
+
+func getCA(opts ListenOpts) ([]*x509.Certificate, crypto.Signer, error) {
+	if opts.CAKey != nil {
+		if opts.CAChain != nil {
+			return opts.CAChain, opts.CAKey, nil
+		} else if opts.CA != nil {
+			return []*x509.Certificate{opts.CA}, opts.CAKey, nil
+		}
+	}
+
+	if opts.Secrets == nil {
+		return factory.LoadOrGenCAChain()
+	}
+
+	if opts.CAName == "" {
+		opts.CAName = "serving-ca"
+	}
+
+	if opts.CANamespace == "" {
+		opts.CANamespace = opts.CertNamespace
+	}
+
+	if opts.CANamespace == "" {
+		opts.CANamespace = "kube-system"
+	}
+
+	return kubernetes.LoadOrGenCAChain(opts.Secrets, opts.CANamespace, opts.CAName)
+}
+
+func newStorage(ctx context.Context, opts ListenOpts) dynamiclistener.TLSStorage {
+	var result dynamiclistener.TLSStorage
+	if opts.CertBackup == "" {
+		result = memory.New()
+	} else {
+		result = memory.NewBacked(file.New(opts.CertBackup))
+	}
+
+	if opts.Secrets == nil {
+		return result
+	}
+
+	if opts.CertName == "" {
+		opts.CertName = "serving-cert"
+	}
+
+	if opts.CertNamespace == "" {
+		opts.CertNamespace = "kube-system"
+	}
+
+	return kubernetes.Load(ctx, opts.Secrets, opts.CertNamespace, opts.CertName, result)
+}
+
+func wrapHandler(handler http.Handler, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		handler.ServeHTTP(rw, req)
+		next.ServeHTTP(rw, req)
+	})
+}
+
+func acmeListener(tcp net.Listener, handler http.Handler, opts ListenOpts) (net.Listener, http.Handler, error) {
+	hosts := map[string]bool{}
+	for _, domain := range opts.AcmeDomains {
+		hosts[domain] = true
+	}
+
+	manager := autocert.Manager{
+		Cache: autocert.DirCache("certs-cache"),
+		Prompt: func(tosURL string) bool {
+			return true
+		},
+		HostPolicy: func(ctx context.Context, host string) error {
+			if !hosts[host] {
+				return fmt.Errorf("host %s is not configured", host)
+			}
+			return nil
+		},
+	}
+
+	opts.TLSListenerConfig.TLSConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		if hello.ServerName == "localhost" || hello.ServerName == "" {
+			newHello := *hello
+			newHello.ServerName = opts.AcmeDomains[0]
+			return manager.GetCertificate(&newHello)
+		}
+		return manager.GetCertificate(hello)
+	}
+
+	return tls.NewListener(tcp, opts.TLSListenerConfig.TLSConfig), manager.HTTPHandler(handler), nil
+}

storage/file/file.go

@@ -0,0 +1,42 @@
+package file
+
+import (
+	"encoding/json"
+	"os"
+
+	"github.com/rancher/dynamiclistener"
+	v1 "k8s.io/api/core/v1"
+)
+
+func New(file string) dynamiclistener.TLSStorage {
+	return &storage{
+		file: file,
+	}
+}
+
+type storage struct {
+	file string
+}
+
+func (s *storage) Get() (*v1.Secret, error) {
+	f, err := os.Open(s.file)
+	if os.IsNotExist(err) {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	secret := v1.Secret{}
+	return &secret, json.NewDecoder(f).Decode(&secret)
+}
+
+func (s *storage) Update(secret *v1.Secret) error {
+	f, err := os.Create(s.file)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	return json.NewEncoder(f).Encode(secret)
+}

storage/kubernetes/ca.go

@@ -0,0 +1,112 @@
+package kubernetes
+
+import (
+	"crypto"
+	"crypto/x509"
+
+	"github.com/rancher/dynamiclistener/factory"
+	v1controller "github.com/rancher/wrangler/v2/pkg/generated/controllers/core/v1"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
+func LoadOrGenCA(secrets v1controller.SecretClient, namespace, name string) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadOrGenCAChain(secrets, namespace, name)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadOrGenCAChain(secrets v1controller.SecretClient, namespace, name string) ([]*x509.Certificate, crypto.Signer, error) {
+	secret, err := getSecret(secrets, namespace, name)
+	if err != nil {
+		return nil, nil, err
+	}
+	return factory.LoadCAChain(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+}
+
+func LoadOrGenClient(secrets v1controller.SecretClient, namespace, name, cn string, ca *x509.Certificate, key crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
+	secret, err := getClientSecret(secrets, namespace, name, cn, ca, key)
+	if err != nil {
+		return nil, nil, err
+	}
+	return factory.LoadCA(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+}
+
+func getClientSecret(secrets v1controller.SecretClient, namespace, name, cn string, caCert *x509.Certificate, caKey crypto.Signer) (*v1.Secret, error) {
+	s, err := secrets.Get(namespace, name, metav1.GetOptions{})
+	if !errors.IsNotFound(err) {
+		return s, err
+	}
+
+	return createAndStoreClientCert(secrets, namespace, name, cn, caCert, caKey)
+}
+
+func getSecret(secrets v1controller.SecretClient, namespace, name string) (*v1.Secret, error) {
+	s, err := secrets.Get(namespace, name, metav1.GetOptions{})
+	if !errors.IsNotFound(err) {
+		return s, err
+	}
+
+	return createAndStore(secrets, namespace, name)
+}
+
+func createAndStoreClientCert(secrets v1controller.SecretClient, namespace string, name, cn string, caCert *x509.Certificate, caKey crypto.Signer) (*v1.Secret, error) {
+	key, err := factory.NewPrivateKey()
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := factory.NewSignedClientCert(key, caCert, caKey, cn)
+	if err != nil {
+		return nil, err
+	}
+
+	keyPem, certPem, err := factory.MarshalChain(key, cert, caCert)
+	if err != nil {
+		return nil, err
+	}
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			v1.TLSCertKey:       certPem,
+			v1.TLSPrivateKeyKey: keyPem,
+		},
+		Type: v1.SecretTypeTLS,
+	}
+
+	return secrets.Create(secret)
+}
+
+func createAndStore(secrets v1controller.SecretClient, namespace string, name string) (*v1.Secret, error) {
+	ca, cert, err := factory.GenCA()
+	if err != nil {
+		return nil, err
+	}
+
+	certPem, keyPem, err := factory.Marshal(ca, cert)
+	if err != nil {
+		return nil, err
+	}
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			v1.TLSCertKey:       certPem,
+			v1.TLSPrivateKeyKey: keyPem,
+		},
+		Type: v1.SecretTypeTLS,
+	}
+
+	return secrets.Create(secret)
+}

storage/kubernetes/controller.go

@@ -0,0 +1,267 @@
+package kubernetes
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/rancher/dynamiclistener"
+	"github.com/rancher/dynamiclistener/cert"
+	"github.com/rancher/wrangler/v2/pkg/generated/controllers/core"
+	v1controller "github.com/rancher/wrangler/v2/pkg/generated/controllers/core/v1"
+	"github.com/rancher/wrangler/v2/pkg/start"
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/util/retry"
+)
+
+type CoreGetter func() *core.Factory
+
+func Load(ctx context.Context, secrets v1controller.SecretController, namespace, name string, backing dynamiclistener.TLSStorage) dynamiclistener.TLSStorage {
+	storage := &storage{
+		name:      name,
+		namespace: namespace,
+		storage:   backing,
+		ctx:       ctx,
+		initSync:  &sync.Once{},
+	}
+	storage.init(secrets)
+	return storage
+}
+
+func New(ctx context.Context, core CoreGetter, namespace, name string, backing dynamiclistener.TLSStorage) dynamiclistener.TLSStorage {
+	storage := &storage{
+		name:      name,
+		namespace: namespace,
+		storage:   backing,
+		ctx:       ctx,
+		initSync:  &sync.Once{},
+	}
+
+	// lazy init
+	go func() {
+		wait.PollImmediateUntilWithContext(ctx, time.Second, func(cxt context.Context) (bool, error) {
+			if coreFactory := core(); coreFactory != nil {
+				storage.init(coreFactory.Core().V1().Secret())
+				return true, start.All(ctx, 5, coreFactory)
+			}
+			return false, nil
+		})
+	}()
+
+	return storage
+}
+
+type storage struct {
+	sync.RWMutex
+
+	namespace, name string
+	storage         dynamiclistener.TLSStorage
+	secrets         v1controller.SecretController
+	ctx             context.Context
+	tls             dynamiclistener.TLSFactory
+	initialized     bool
+	initSync        *sync.Once
+}
+
+func (s *storage) SetFactory(tls dynamiclistener.TLSFactory) {
+	s.Lock()
+	defer s.Unlock()
+	s.tls = tls
+}
+
+func (s *storage) init(secrets v1controller.SecretController) {
+	s.Lock()
+	defer s.Unlock()
+
+	secrets.OnChange(s.ctx, "tls-storage", func(key string, secret *v1.Secret) (*v1.Secret, error) {
+		if secret == nil {
+			return nil, nil
+		}
+		if secret.Namespace == s.namespace && secret.Name == s.name {
+			if err := s.Update(secret); err != nil {
+				return nil, err
+			}
+		}
+
+		return secret, nil
+	})
+	s.secrets = secrets
+
+	// Asynchronously sync the backing storage to the Kubernetes secret, as doing so inline may
+	// block the listener from accepting new connections if the apiserver becomes unavailable
+	// after the Secrets controller has been initialized. We're not passing around any contexts
+	// here, nor does the controller accept any, so there's no good way to soft-fail with a
+	// reasonable timeout.
+	go s.syncStorage()
+}
+
+func (s *storage) syncStorage() {
+	var updateStorage bool
+	secret, err := s.Get()
+	if err == nil && cert.IsValidTLSSecret(secret) {
+		// local storage had a cached secret, ensure that it exists in Kubernetes
+		_, err := s.secrets.Create(&v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        s.name,
+				Namespace:   s.namespace,
+				Annotations: secret.Annotations,
+			},
+			Type: v1.SecretTypeTLS,
+			Data: secret.Data,
+		})
+		if err != nil && !errors.IsAlreadyExists(err) {
+			logrus.Warnf("Failed to create Kubernetes secret: %v", err)
+		}
+	} else {
+		// local storage was empty, try to populate it
+		secret, err = s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
+		if err != nil {
+			if !errors.IsNotFound(err) {
+				logrus.Warnf("Failed to init Kubernetes secret: %v", err)
+			}
+		} else {
+			updateStorage = true
+		}
+	}
+
+	s.Lock()
+	defer s.Unlock()
+	s.initialized = true
+	if updateStorage {
+		if err := s.storage.Update(secret); err != nil {
+			logrus.Warnf("Failed to init backing storage secret: %v", err)
+		}
+	}
+}
+
+func (s *storage) Get() (*v1.Secret, error) {
+	s.RLock()
+	defer s.RUnlock()
+
+	return s.storage.Get()
+}
+
+func (s *storage) targetSecret() (*v1.Secret, error) {
+	s.RLock()
+	defer s.RUnlock()
+
+	existingSecret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		return &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      s.name,
+				Namespace: s.namespace,
+			},
+			Type: v1.SecretTypeTLS,
+		}, nil
+	}
+	return existingSecret, err
+}
+
+func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
+	if !s.initComplete() {
+		// Start a goroutine to attempt to save the secret later, once init is complete.
+		// If this was already handled by initComplete, it should be a no-op, or at worst get
+		// merged with the Kubernetes secret.
+		go s.initSync.Do(func() {
+			if err := wait.Poll(100*time.Millisecond, 15*time.Minute, func() (bool, error) {
+				if !s.initComplete() {
+					return false, nil
+				}
+				_, err := s.saveInK8s(secret)
+				return true, err
+			}); err != nil {
+				logrus.Errorf("Failed to save TLS secret after controller init: %v", err)
+			}
+		})
+		return secret, nil
+	}
+
+	targetSecret, err := s.targetSecret()
+	if err != nil {
+		return nil, err
+	}
+
+	// if we don't have a TLS factory we can't create certs, so don't bother trying to merge anything,
+	// in favor of just blindly replacing the fields on the Kubernetes secret.
+	if s.tls != nil {
+		// merge new secret with secret from backing storage, if one exists
+		if existing, err := s.Get(); err == nil && cert.IsValidTLSSecret(existing) {
+			if newSecret, updated, err := s.tls.Merge(existing, secret); err == nil && updated {
+				secret = newSecret
+			}
+		}
+
+		// merge new secret with existing secret from Kubernetes, if one exists
+		if cert.IsValidTLSSecret(targetSecret) {
+			if newSecret, updated, err := s.tls.Merge(targetSecret, secret); err != nil {
+				return nil, err
+			} else if !updated {
+				return newSecret, nil
+			} else {
+				secret = newSecret
+			}
+		}
+	}
+
+	// ensure that the merged secret actually contains data before overwriting the existing fields
+	if !cert.IsValidTLSSecret(secret) {
+		logrus.Warnf("Skipping save of TLS secret for %s/%s due to missing certificate data", secret.Namespace, secret.Name)
+		return targetSecret, nil
+	}
+
+	targetSecret.Annotations = secret.Annotations
+	targetSecret.Type = v1.SecretTypeTLS
+	targetSecret.Data = secret.Data
+
+	if targetSecret.UID == "" {
+		logrus.Infof("Creating new TLS secret for %s/%s (count: %d): %v", targetSecret.Namespace, targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
+		return s.secrets.Create(targetSecret)
+	}
+	logrus.Infof("Updating TLS secret for %s/%s (count: %d): %v", targetSecret.Namespace, targetSecret.Name, len(targetSecret.Annotations)-1, targetSecret.Annotations)
+	return s.secrets.Update(targetSecret)
+}
+
+func (s *storage) Update(secret *v1.Secret) error {
+	// Asynchronously update the Kubernetes secret, as doing so inline may block the listener from
+	// accepting new connections if the apiserver becomes unavailable after the Secrets controller
+	// has been initialized. We're not passing around any contexts here, nor does the controller
+	// accept any, so there's no good way to soft-fail with a reasonable timeout.
+	go func() {
+		if err := s.update(secret); err != nil {
+			logrus.Errorf("Failed to save TLS secret for %s/%s: %v", secret.Namespace, secret.Name, err)
+		}
+	}()
+	return nil
+}
+
+func isConflictOrAlreadyExists(err error) bool {
+	return errors.IsConflict(err) || errors.IsAlreadyExists(err)
+}
+
+func (s *storage) update(secret *v1.Secret) (err error) {
+	var newSecret *v1.Secret
+	err = retry.OnError(retry.DefaultRetry, isConflictOrAlreadyExists, func() error {
+		newSecret, err = s.saveInK8s(secret)
+		return err
+	})
+
+	if err != nil {
+		return err
+	}
+
+	// Only hold the lock while updating underlying storage
+	s.Lock()
+	defer s.Unlock()
+	return s.storage.Update(newSecret)
+}
+
+func (s *storage) initComplete() bool {
+	s.RLock()
+	defer s.RUnlock()
+	return s.initialized
+}

storage/memory/memory.go

@@ -0,0 +1,46 @@
+package memory
+
+import (
+	"github.com/rancher/dynamiclistener"
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+)
+
+func New() dynamiclistener.TLSStorage {
+	return &memory{}
+}
+
+func NewBacked(storage dynamiclistener.TLSStorage) dynamiclistener.TLSStorage {
+	return &memory{storage: storage}
+}
+
+type memory struct {
+	storage dynamiclistener.TLSStorage
+	secret  *v1.Secret
+}
+
+func (m *memory) Get() (*v1.Secret, error) {
+	if m.secret == nil && m.storage != nil {
+		secret, err := m.storage.Get()
+		if err != nil {
+			return nil, err
+		}
+		m.secret = secret
+	}
+
+	return m.secret, nil
+}
+
+func (m *memory) Update(secret *v1.Secret) error {
+	if m.secret == nil || m.secret.ResourceVersion == "" || m.secret.ResourceVersion != secret.ResourceVersion {
+		if m.storage != nil {
+			if err := m.storage.Update(secret); err != nil {
+				return err
+			}
+		}
+
+		logrus.Infof("Active TLS secret %s/%s (ver=%s) (count %d): %v", secret.Namespace, secret.Name, secret.ResourceVersion, len(secret.Annotations)-1, secret.Annotations)
+		m.secret = secret
+	}
+	return nil
+}

storage/static/static.go

@@ -0,0 +1,36 @@
+package static
+
+import (
+	"github.com/rancher/dynamiclistener/factory"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Storage struct {
+	Secret *v1.Secret
+}
+
+func New(certPem, keyPem []byte) *Storage {
+	return &Storage{
+		Secret: &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					factory.Static: "true",
+				},
+			},
+			Data: map[string][]byte{
+				v1.TLSCertKey:       certPem,
+				v1.TLSPrivateKeyKey: keyPem,
+			},
+			Type: v1.SecretTypeTLS,
+		},
+	}
+}
+
+func (s *Storage) Get() (*v1.Secret, error) {
+	return s.Secret, nil
+}
+
+func (s *Storage) Update(_ *v1.Secret) error {
+	return nil
+}

tcp.go

@@ -0,0 +1,38 @@
+package dynamiclistener
+
+import (
+	"fmt"
+	"net"
+	"reflect"
+	"time"
+)
+
+func NewTCPListener(ip string, port int) (net.Listener, error) {
+	l, err := net.Listen("tcp", fmt.Sprintf("%s:%d", ip, port))
+	if err != nil {
+		return nil, err
+	}
+
+	tcpListener, ok := l.(*net.TCPListener)
+	if !ok {
+		return nil, fmt.Errorf("wrong listener type: %v", reflect.TypeOf(tcpListener))
+	}
+
+	return tcpKeepAliveListener{
+		TCPListener: tcpListener,
+	}, nil
+}
+
+type tcpKeepAliveListener struct {
+	*net.TCPListener
+}
+
+func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+	tc, err := ln.AcceptTCP()
+	if err != nil {
+		return
+	}
+	tc.SetKeepAlive(true)
+	tc.SetKeepAlivePeriod(3 * time.Minute)
+	return tc, nil
+}

types.go

@@ -1,63 +0,0 @@
-package dynamiclistener
-
-import (
-	"net/http"
-)
-
-type ListenerConfigStorage interface {
-	Set(*ListenerStatus) (*ListenerStatus, error)
-	Get() (*ListenerStatus, error)
-}
-
-type ServerInterface interface {
-	Update(status *ListenerStatus) error
-	CACert() (string, error)
-}
-
-type UserConfig struct {
-	// Required fields
-
-	Handler   http.Handler
-	HTTPPort  int
-	HTTPSPort int
-	CertPath  string
-
-	// Optional fields
-
-	KnownIPs    []string
-	Domains     []string
-	Mode        string
-	NoCACerts   bool
-	CACerts     string
-	CAKey       string
-	Cert        string
-	Key         string
-	BindAddress string
-}
-
-type ListenerStatus struct {
-	Revision       string            `json:"revision,omitempty"`
-	CACert         string            `json:"caCert,omitempty"`
-	CAKey          string            `json:"caKey,omitempty"`
-	GeneratedCerts map[string]string `json:"generatedCerts" norman:"nocreate,noupdate"`
-	KnownIPs       map[string]bool   `json:"knownIps" norman:"nocreate,noupdate"`
-}
-
-func (l *ListenerStatus) DeepCopyInto(t *ListenerStatus) {
-	t.Revision = l.Revision
-	t.CACert = l.CACert
-	t.CAKey = l.CAKey
-	t.GeneratedCerts = copyMap(t.GeneratedCerts)
-	t.KnownIPs = map[string]bool{}
-	for k, v := range l.KnownIPs {
-		t.KnownIPs[k] = v
-	}
-}
-
-func copyMap(m map[string]string) map[string]string {
-	ret := map[string]string{}
-	for k, v := range m {
-		ret[k] = v
-	}
-	return ret
-}