rancher / dynamiclistener

Apache License 2.0

Fix ListenAndServe certificate expiration by preloading certs #49

Closed brandond closed 3 years ago

brandond commented 3 years ago

This change fixes an issue with how server.ListenAndServe loads certificates. It sets up a memory -> kubernetes -> memory Secret storage stack, which combined with lazy (on-demand) loading of certificate data, caused the certificate to not be properly renewed when it expired.

It also resolves a regression from #38 - while IPv6 addresses are no longer rejected by the CN regex, they cannot actually be stored in the CN annotation, as semicolons are not allowed in annotation keys. This also fixes handling of hostnames that are more than 41 characters long.