feat: fsnotify cert watching for live rotation (#29)

* feat: add fsnotify cert watching for live rotation

Add CatchCertChange() to watch parent directories of PKI cert files
for filesystem changes (K8s Secret volume symlink swaps). Events are
debounced at 500ms before triggering config reload via the existing
ReloadConfig path.

Also fix the TODO at interface.go:336 — reloadFirewall now checks
both firewall and pki config changes, ensuring firewall rules are
re-evaluated when certificates are rotated.

Closes #27

* bump go directive to 1.26.1 to fix govulncheck stdlib vulns

Fixes GO-2026-4599, GO-2026-4600, GO-2026-4601, GO-2026-4602:
crypto/x509, net/url, and os vulnerabilities in go1.25.7.

* build golangci-lint from source to support Go 1.26.1

golangci-lint v2.5 binary was built with Go 1.25, which rejects
linting code targeting Go 1.26.1. Switch to install-mode: goinstall
with v2.11.2 so the binary is built using the project's Go toolchain.

---------

Co-authored-by: privsim <excaliberswake@pm.me>

Author: disentangle-network

.github/workflows/test.yml

@@ -33,7 +33,8 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v9
       with:
-        version: v2.5
+        version: v2.11.2
+        install-mode: goinstall
 
     - name: Test
       run: make test
@@ -122,7 +123,8 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v9
       with:
-        version: v2.5
+        version: v2.11.2
+        install-mode: goinstall
 
     - name: Test
       run: make test

config/config.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"dario.cat/mergo"
+	"github.com/fsnotify/fsnotify"
 	"github.com/sirupsen/logrus"
 	"go.yaml.in/yaml/v3"
 )
@@ -143,6 +144,107 @@ func (c *C) CatchHUP(ctx context.Context) {
 	}()
 }
 
+// CatchCertChange watches the parent directories of the configured pki.cert, pki.key, and pki.ca
+// file paths for filesystem changes (e.g., K8s Secret volume atomic symlink swaps) and triggers
+// a config reload. Changes are debounced: after the last filesystem event, the method waits
+// for the specified debounce duration before reloading to coalesce rapid updates (e.g., cert and
+// key updated in quick succession). The watcher is stopped when ctx is cancelled.
+func (c *C) CatchCertChange(ctx context.Context, debounce time.Duration) {
+	if c.path == "" {
+		return
+	}
+
+	certPaths := c.GetCertPaths()
+	if len(certPaths) == 0 {
+		c.l.Warn("No certificate file paths configured, cert file watching disabled")
+		return
+	}
+
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		c.l.WithError(err).Error("Failed to create fsnotify watcher for cert files")
+		return
+	}
+
+	// Watch parent directories because K8s uses atomic symlink swaps at the
+	// directory level, not individual file writes.
+	watched := make(map[string]bool)
+	for _, p := range certPaths {
+		dir := filepath.Dir(p)
+		absDir, err := filepath.Abs(dir)
+		if err != nil {
+			c.l.WithError(err).WithField("path", dir).Warn("Failed to resolve absolute path for cert directory")
+			continue
+		}
+		if watched[absDir] {
+			continue
+		}
+		if err := watcher.Add(absDir); err != nil {
+			c.l.WithError(err).WithField("dir", absDir).Warn("Failed to watch cert directory")
+			continue
+		}
+		watched[absDir] = true
+		c.l.WithField("dir", absDir).Info("Watching directory for certificate changes")
+	}
+
+	if len(watched) == 0 {
+		c.l.Warn("No cert directories could be watched, cert file watching disabled")
+		watcher.Close()
+		return
+	}
+
+	go func() {
+		defer watcher.Close()
+		var timer *time.Timer
+		for {
+			select {
+			case <-ctx.Done():
+				if timer != nil {
+					timer.Stop()
+				}
+				return
+			case event, ok := <-watcher.Events:
+				if !ok {
+					return
+				}
+				c.l.WithField("event", event).Debug("Cert directory fsnotify event")
+				// Reset the debounce timer on every event
+				if timer != nil {
+					timer.Stop()
+				}
+				timer = time.AfterFunc(debounce, func() {
+					c.l.Info("Certificate file change detected, reloading config")
+					c.ReloadConfig()
+				})
+			case err, ok := <-watcher.Errors:
+				if !ok {
+					return
+				}
+				c.l.WithError(err).Error("fsnotify watcher error")
+			}
+		}
+	}()
+}
+
+// GetCertPaths returns the file paths for pki.cert, pki.key, and pki.ca from the current
+// config settings, filtering out inline PEM data and empty values.
+func (c *C) GetCertPaths() []string {
+	keys := []string{"pki.cert", "pki.key", "pki.ca"}
+	var paths []string
+	for _, k := range keys {
+		v := c.GetString(k, "")
+		if v == "" {
+			continue
+		}
+		// Skip inline PEM data and PKCS#11 URIs — only watch actual file paths
+		if strings.Contains(v, "-----BEGIN") || strings.HasPrefix(v, "pkcs11:") {
+			continue
+		}
+		paths = append(paths, v)
+	}
+	return paths
+}
+
 func (c *C) ReloadConfig() {
 	c.reloadLock.Lock()
 	defer c.reloadLock.Unlock()

config/config_test.go

@@ -1,8 +1,10 @@
 package config
 
 import (
+	"context"
 	"os"
 	"path/filepath"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -220,3 +222,195 @@ firewall:
 	}
 	assert.Equal(t, expected, m)
 }
+
+func TestConfig_GetCertPaths(t *testing.T) {
+	l := test.NewLogger()
+
+	// File paths should be returned
+	c := NewC(l)
+	c.Settings["pki"] = map[string]any{
+		"cert": "/etc/nebula/host.crt",
+		"key":  "/etc/nebula/host.key",
+		"ca":   "/etc/nebula/ca.crt",
+	}
+	paths := c.GetCertPaths()
+	assert.Len(t, paths, 3)
+	assert.Contains(t, paths, "/etc/nebula/host.crt")
+	assert.Contains(t, paths, "/etc/nebula/host.key")
+	assert.Contains(t, paths, "/etc/nebula/ca.crt")
+
+	// Inline PEM data should be skipped
+	c = NewC(l)
+	c.Settings["pki"] = map[string]any{
+		"cert": "-----BEGIN NEBULA CERTIFICATE-----\ndata\n-----END NEBULA CERTIFICATE-----",
+		"key":  "/etc/nebula/host.key",
+		"ca":   "-----BEGIN NEBULA CERTIFICATE-----\ndata\n-----END NEBULA CERTIFICATE-----",
+	}
+	paths = c.GetCertPaths()
+	assert.Len(t, paths, 1)
+	assert.Equal(t, "/etc/nebula/host.key", paths[0])
+
+	// PKCS#11 URIs should be skipped
+	c = NewC(l)
+	c.Settings["pki"] = map[string]any{
+		"cert": "/etc/nebula/host.crt",
+		"key":  "pkcs11:token=mytoken",
+		"ca":   "/etc/nebula/ca.crt",
+	}
+	paths = c.GetCertPaths()
+	assert.Len(t, paths, 2)
+	assert.Contains(t, paths, "/etc/nebula/host.crt")
+	assert.Contains(t, paths, "/etc/nebula/ca.crt")
+
+	// Empty or missing settings should return empty
+	c = NewC(l)
+	paths = c.GetCertPaths()
+	assert.Empty(t, paths)
+}
+
+func TestConfig_CatchCertChange(t *testing.T) {
+	l := test.NewLogger()
+
+	// Set up a temp directory with config and cert files
+	configDir, err := os.MkdirTemp("", "config-certwatch-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(configDir)
+
+	certDir, err := os.MkdirTemp("", "certs-certwatch-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(certDir)
+
+	certPath := filepath.Join(certDir, "host.crt")
+	keyPath := filepath.Join(certDir, "host.key")
+	caPath := filepath.Join(certDir, "ca.crt")
+
+	require.NoError(t, os.WriteFile(certPath, []byte("cert-data"), 0644))
+	require.NoError(t, os.WriteFile(keyPath, []byte("key-data"), 0644))
+	require.NoError(t, os.WriteFile(caPath, []byte("ca-data"), 0644))
+
+	// Create config that references those cert paths
+	configYaml := "pki:\n  cert: " + certPath + "\n  key: " + keyPath + "\n  ca: " + caPath + "\n"
+	require.NoError(t, os.WriteFile(filepath.Join(configDir, "config.yaml"), []byte(configYaml), 0644))
+
+	c := NewC(l)
+	require.NoError(t, c.Load(configDir))
+
+	// Track reload calls via callback
+	var reloadCount atomic.Int32
+	c.RegisterReloadCallback(func(c *C) {
+		reloadCount.Add(1)
+	})
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Start watching with a short debounce for testing
+	c.CatchCertChange(ctx, 100*time.Millisecond)
+
+	// Give the watcher time to start
+	time.Sleep(50 * time.Millisecond)
+
+	// Modify a cert file
+	require.NoError(t, os.WriteFile(certPath, []byte("cert-data-updated"), 0644))
+
+	// Wait for debounce + processing
+	time.Sleep(500 * time.Millisecond)
+
+	assert.GreaterOrEqual(t, reloadCount.Load(), int32(1), "ReloadConfig should have been called at least once")
+
+	// Reset count and test debouncing: rapid writes should coalesce into one reload
+	startCount := reloadCount.Load()
+	require.NoError(t, os.WriteFile(certPath, []byte("cert-v2"), 0644))
+	time.Sleep(20 * time.Millisecond)
+	require.NoError(t, os.WriteFile(keyPath, []byte("key-v2"), 0644))
+	time.Sleep(20 * time.Millisecond)
+	require.NoError(t, os.WriteFile(caPath, []byte("ca-v2"), 0644))
+
+	// Wait for debounce to fire
+	time.Sleep(500 * time.Millisecond)
+
+	endCount := reloadCount.Load()
+	// The debounced rapid writes should result in at most 2 reload calls
+	// (ideally 1, but filesystem event timing can vary)
+	assert.LessOrEqual(t, endCount-startCount, int32(2),
+		"Debouncing should coalesce rapid writes into few reloads")
+	assert.GreaterOrEqual(t, endCount-startCount, int32(1),
+		"At least one reload should occur for the rapid writes")
+}
+
+func TestConfig_CatchCertChange_ContextCancel(t *testing.T) {
+	l := test.NewLogger()
+
+	certDir, err := os.MkdirTemp("", "certs-cancel-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(certDir)
+
+	certPath := filepath.Join(certDir, "host.crt")
+	require.NoError(t, os.WriteFile(certPath, []byte("cert-data"), 0644))
+
+	configDir, err := os.MkdirTemp("", "config-cancel-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(configDir)
+
+	configYaml := "pki:\n  cert: " + certPath + "\n"
+	require.NoError(t, os.WriteFile(filepath.Join(configDir, "config.yaml"), []byte(configYaml), 0644))
+
+	c := NewC(l)
+	require.NoError(t, c.Load(configDir))
+
+	var reloadCount atomic.Int32
+	c.RegisterReloadCallback(func(c *C) {
+		reloadCount.Add(1)
+	})
+
+	ctx, cancel := context.WithCancel(context.Background())
+	c.CatchCertChange(ctx, 100*time.Millisecond)
+	time.Sleep(50 * time.Millisecond)
+
+	// Cancel the context to stop the watcher
+	cancel()
+	time.Sleep(50 * time.Millisecond)
+
+	// Write to cert file after cancellation — should NOT trigger reload
+	beforeCount := reloadCount.Load()
+	require.NoError(t, os.WriteFile(certPath, []byte("cert-after-cancel"), 0644))
+	time.Sleep(300 * time.Millisecond)
+
+	assert.Equal(t, beforeCount, reloadCount.Load(),
+		"No reload should occur after context cancellation")
+}
+
+func TestConfig_CatchCertChange_NoPath(t *testing.T) {
+	l := test.NewLogger()
+	c := NewC(l)
+
+	// No path set — CatchCertChange should return immediately without panic
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	c.CatchCertChange(ctx, 100*time.Millisecond)
+}
+
+func TestConfig_CatchCertChange_InlinePEM(t *testing.T) {
+	l := test.NewLogger()
+
+	configDir, err := os.MkdirTemp("", "config-inline-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(configDir)
+
+	// All inline PEM — no files to watch
+	configYaml := `pki:
+  cert: "-----BEGIN NEBULA CERTIFICATE-----\ndata\n-----END NEBULA CERTIFICATE-----"
+  key: "-----BEGIN NEBULA X25519 PRIVATE KEY-----\ndata\n-----END NEBULA X25519 PRIVATE KEY-----"
+  ca: "-----BEGIN NEBULA CERTIFICATE-----\ndata\n-----END NEBULA CERTIFICATE-----"
+`
+	require.NoError(t, os.WriteFile(filepath.Join(configDir, "config.yaml"), []byte(configYaml), 0644))
+
+	c := NewC(l)
+	require.NoError(t, c.Load(configDir))
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Should not panic or error — just logs a warning and returns
+	c.CatchCertChange(ctx, 100*time.Millisecond)
+}

go.mod

@@ -1,6 +1,6 @@
 module github.com/slackhq/nebula
 
-go 1.25.7
+go 1.26.1
 
 require (
 	dario.cat/mergo v1.0.2
@@ -10,6 +10,7 @@ require (
 	github.com/cloudflare/circl v1.6.3
 	github.com/cyberdelia/go-metrics-graphite v0.0.0-20161219230853-39f87cc3b432
 	github.com/flynn/noise v1.1.0
+	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gaissmai/bart v0.26.1
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/gopacket v1.1.19

go.sum

@@ -28,6 +28,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/flynn/noise v1.1.0 h1:KjPQoQCEFdZDiP03phOvGi11+SVVhBG2wOWAorLsstg=
 github.com/flynn/noise v1.1.0/go.mod h1:xbMo+0i6+IGbYdJhF31t2eR1BIU0CYc12+BNAKwUTag=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gaissmai/bart v0.26.1 h1:+w4rnLGNlA2GDVn382Tfe3jOsK5vOr5n4KmigJ9lbTo=
 github.com/gaissmai/bart v0.26.1/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=

interface.go

@@ -333,11 +333,15 @@ func (f *Interface) reloadDisconnectInvalid(c *config.C) {
 }
 
 func (f *Interface) reloadFirewall(c *config.C) {
-	//TODO: need to trigger/detect if the certificate changed too
-	if c.HasChanged("firewall") == false {
-		f.l.Debug("No firewall config change detected")
+	firewallChanged := c.HasChanged("firewall")
+	certChanged := c.HasChanged("pki")
+	if !firewallChanged && !certChanged {
+		f.l.Debug("No firewall or certificate config change detected")
 		return
 	}
+	if certChanged {
+		f.l.Info("Certificate change detected, re-evaluating firewall rules")
+	}
 
 	fw, err := NewFirewallFromConfig(f.l, f.pki.getCertState(), c)
 	if err != nil {

main.go

@@ -126,6 +126,7 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 	var tun overlay.Device
 	if !configTest {
 		c.CatchHUP(ctx)
+		c.CatchCertChange(ctx, 500*time.Millisecond)
 
 		if deviceFactory == nil {
 			deviceFactory = overlay.NewDeviceFromConfig