Setup cert-watcher for TA server cert (aws#264)

sky333999 · web-flow · commit 31db083e0ed3 · 2024-10-30T11:12:59.000-04:00
diff --git a/cmd/amazon-cloudwatch-agent-target-allocator/config/config.go b/cmd/amazon-cloudwatch-agent-target-allocator/config/config.go
@@ -4,12 +4,14 @@
 package config
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"io/fs"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -207,26 +209,31 @@ func Load() (*Config, string, error) {
 
 // ValidateConfig validates the cli and file configs together.
 func ValidateConfig(config *Config) error {
-	scrapeConfigsPresent := (config.PromConfig != nil && len(config.PromConfig.ScrapeConfigs) > 0)
+	scrapeConfigsPresent := config.PromConfig != nil && len(config.PromConfig.ScrapeConfigs) > 0
 	if !(config.PrometheusCR.Enabled || scrapeConfigsPresent) {
 		return fmt.Errorf("at least one scrape config must be defined, or Prometheus CR watching must be enabled")
 	}
 	return nil
 }
 
-func (c HTTPSServerConfig) NewTLSConfig() (*tls.Config, error) {
-	cert, err := tls.LoadX509KeyPair(c.TLSCertFilePath, c.TLSKeyFilePath)
+func (c HTTPSServerConfig) NewTLSConfig(ctx context.Context) (*tls.Config, error) {
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS13,
+	}
+
+	certWatcher, err := certwatcher.New(c.TLSCertFilePath, c.TLSKeyFilePath)
 	if err != nil {
 		return nil, err
 	}
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.NoClientCert,
-		MinVersion:   tls.VersionTLS12,
-	}
+	tlsConfig.GetCertificate = certWatcher.GetCertificate
+	go func() {
+		_ = certWatcher.Start(ctx)
+	}()
+
 	if c.CAFilePath == "" {
 		return tlsConfig, nil
 	}
+
 	caCert, err := os.ReadFile(c.CAFilePath)
 	caCertPool := x509.NewCertPool()
 	if err != nil {
diff --git a/cmd/amazon-cloudwatch-agent-target-allocator/main.go b/cmd/amazon-cloudwatch-agent-target-allocator/main.go
@@ -80,7 +80,7 @@ func main() {
 	}
 
 	httpOptions := []server.Option{}
-	tlsConfig, confErr := cfg.HTTPS.NewTLSConfig()
+	tlsConfig, confErr := cfg.HTTPS.NewTLSConfig(ctx)
 	if confErr != nil {
 		setupLog.Error(confErr, "Unable to initialize TLS configuration", "Config", cfg.HTTPS)
 		os.Exit(1)

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ func main() {`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`httpOptions := []server.Option{}`
`83`		`- tlsConfig, confErr := cfg.HTTPS.NewTLSConfig()`
	`83`	`+ tlsConfig, confErr := cfg.HTTPS.NewTLSConfig(ctx)`
`84`	`84`	`if confErr != nil {`
`85`	`85`	`setupLog.Error(confErr, "Unable to initialize TLS configuration", "Config", cfg.HTTPS)`
`86`	`86`	`os.Exit(1)`