
Commit d3e793d

committed
fix: stop Kubernetes client from dynamically reloading the certs
Fixes #12822. This stops the internal Kubernetes client goroutine which reloads certs from being started. This is only part of the full fix, as there is a TLS transport leak related to go-kubernetes client aggressively caching TLS configs with unique dialers (a separate fix will go to `go-kubernetes`). Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
1 parent 6a5a0e3 commit d3e793d


1 file changed

+36
-0
lines changed


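--- a/pkg/kubernetes/kubernetes.go
+++ b/pkg/kubernetes/kubernetes.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log"
 	"net/url"
+	"os"
 	"time"
 
 	"github.com/cosi-project/runtime/pkg/controller"
@@ -54,8 +55,43 @@ func NewClientFromKubeletKubeconfig() (*Client, error) {
 	return NewForConfig(config)
 }
 
+func loadPKIIntoVariable(data *[]byte, path *string) error {
+	if len(*data) > 0 {
+		return nil
+	}
+
+	if *path == "" {
+		return fmt.Errorf("no certificate data or file provided")
+	}
+
+	pkiData, err := os.ReadFile(*path)
+	if err != nil {
+		return fmt.Errorf("failed to read certificate file: %w", err)
+	}
+
+	*data = pkiData
+	*path = ""
+
+	return nil
+}
+
 // NewForConfig initializes and returns a client using the provided config.
 func NewForConfig(config *restclient.Config) (*Client, error) {
+	// read the certificates into byte slices to prevent the client from launching automatic
+	// certificate reload
+	if err := loadPKIIntoVariable(&config.TLSClientConfig.CAData, &config.TLSClientConfig.CAFile); err != nil {
+		return nil, fmt.Errorf("failed to load CA certificate: %w", err)
+	}
+
+	if err := loadPKIIntoVariable(&config.TLSClientConfig.CertData, &config.TLSClientConfig.CertFile); err != nil {
+		return nil, fmt.Errorf("failed to load client certificate: %w", err)
+	}
+
+	if err := loadPKIIntoVariable(&config.TLSClientConfig.KeyData, &config.TLSClientConfig.KeyFile); err != nil {
+		return nil, fmt.Errorf("failed to load client key: %w", err)
+	}
+
+	// now, initialize the client using the standard method
 	client, err := taloskubernetes.NewForConfig(config)
 	if err != nil {
 		return nil, err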
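Review bot: The `*path == ""` branch of `loadPKIIntoVariable` makes a config with neither inline data nor a file path a hard error, so `NewForConfig` now rejects any `restclient.Config` that carries no client certificate (bearer-token or exec-credential kubeconfigs typically have empty `CertFile`/`CertData`) or that relies on system roots or `Insecure` instead of a CA — if any caller passes such a config this is a regression, since there is nothing to inline and therefore nothing for client-go to reload. I would make the empty case a no-op, `if *path == "" { return nil }`, and keep the error only for a failed read. The helper also silently mutates the caller's config by clearing the `*File` fields, which deserves a doc comment along the lines of `// loadPKIIntoVariable inlines the PEM file at *path into *data and clears *path so that client-go only sees static data and never starts its file-reload goroutine; it modifies the config in place.` Inlining also means a certificate rotated on disk is no longer picked up by this client, so a caller that expects rotation (the kubelet kubeconfig, for instance) must rebuild the client — a one-line note above the three calls in NewForConfig, whose body continues past the end of the hunk, would spare the next reader that surprise.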
