[release-1.10] 🐛 Improve client cert/key rotation of the RuntimeSDK client (#13215)

* Improve client  cert/key rotation of the RuntimeSDK client

* Drop usage of t.Context() as it requires go1.24

Signed-off-by: Stefan Büringer buringerst@vmware.com

---------

Signed-off-by: Stefan Büringer buringerst@vmware.com

Author: sbueringer

exp/runtime/internal/controllers/extensionconfig_controller_test.go

@@ -61,10 +61,11 @@ func TestExtensionReconciler_Reconcile(t *testing.T) {
 	g.Expect(fakev1alpha1.AddToCatalog(cat)).To(Succeed())
 
 	registry := runtimeregistry.New()
-	runtimeClient := internalruntimeclient.New(internalruntimeclient.Options{
+	runtimeClient, _, err := internalruntimeclient.New(internalruntimeclient.Options{
 		Catalog:  cat,
 		Registry: registry,
 	})
+	g.Expect(err).ToNot(HaveOccurred())
 
 	g.Expect(runtimehooksv1.AddToCatalog(cat)).To(Succeed())
 
@@ -241,10 +242,11 @@ func TestExtensionReconciler_discoverExtensionConfig(t *testing.T) {
 		g.Expect(err).ToNot(HaveOccurred())
 		defer srv1.Close()
 
-		runtimeClient := internalruntimeclient.New(internalruntimeclient.Options{
+		runtimeClient, _, err := internalruntimeclient.New(internalruntimeclient.Options{
 			Catalog:  cat,
 			Registry: registry,
 		})
+		g.Expect(err).ToNot(HaveOccurred())
 
 		extensionConfig := fakeExtensionConfigForURL(ns.Name, extensionName, srv1.URL)
 		extensionConfig.Spec.ClientConfig.CABundle = testcerts.CACert
@@ -281,10 +283,11 @@ func TestExtensionReconciler_discoverExtensionConfig(t *testing.T) {
 		// srv1 := fakeSecureExtensionServer(discoveryHandler("first"))
 		// defer srv1.Close()
 
-		runtimeClient := internalruntimeclient.New(internalruntimeclient.Options{
+		runtimeClient, _, err := internalruntimeclient.New(internalruntimeclient.Options{
 			Catalog:  cat,
 			Registry: registry,
 		})
+		g.Expect(err).ToNot(HaveOccurred())
 
 		extensionConfig := fakeExtensionConfigForURL(ns.Name, extensionName, "https://localhost:31239")
 		extensionConfig.Spec.ClientConfig.CABundle = testcerts.CACert

exp/runtime/internal/controllers/warmup_test.go

@@ -72,13 +72,15 @@ func Test_warmupRunnable_Start(t *testing.T) {
 			}(ns.Name, name, server.URL)
 		}
 
+		runtimeClient, _, err := internalruntimeclient.New(internalruntimeclient.Options{
+			Catalog:  cat,
+			Registry: registry,
+		})
+		g.Expect(err).ToNot(HaveOccurred())
 		r := &warmupRunnable{
-			Client:    env.GetClient(),
-			APIReader: env.GetAPIReader(),
-			RuntimeClient: internalruntimeclient.New(internalruntimeclient.Options{
-				Catalog:  cat,
-				Registry: registry,
-			}),
+			Client:        env.GetClient(),
+			APIReader:     env.GetAPIReader(),
+			RuntimeClient: runtimeClient,
 		}
 
 		if err := r.Start(ctx); err != nil {
@@ -137,13 +139,15 @@ func Test_warmupRunnable_Start(t *testing.T) {
 			g.Expect(env.CreateAndWait(ctx, extensionConfig)).To(Succeed())
 		}
 
+		runtimeClient, _, err := internalruntimeclient.New(internalruntimeclient.Options{
+			Catalog:  cat,
+			Registry: registry,
+		})
+		g.Expect(err).ToNot(HaveOccurred())
 		r := &warmupRunnable{
-			Client:    env.GetClient(),
-			APIReader: env.GetAPIReader(),
-			RuntimeClient: internalruntimeclient.New(internalruntimeclient.Options{
-				Catalog:  cat,
-				Registry: registry,
-			}),
+			Client:         env.GetClient(),
+			APIReader:      env.GetAPIReader(),
+			RuntimeClient:  runtimeClient,
 			warmupInterval: 500 * time.Millisecond,
 			warmupTimeout:  5 * time.Second,
 		}

internal/runtime/client/client.go

@@ -20,6 +20,7 @@ package client
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -43,6 +44,7 @@ import (
 	"k8s.io/client-go/transport"
 	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	runtimev1 "sigs.k8s.io/cluster-api/exp/runtime/api/v1alpha1"
@@ -69,15 +71,28 @@ type Options struct {
 }
 
 // New returns a new Client.
-func New(options Options) runtimeclient.Client {
+func New(options Options) (runtimeclient.Client, *certwatcher.CertWatcher, error) {
+	httpClientCache := cache.New[httpClientEntry](24 * time.Hour)
+
+	var certWatcher *certwatcher.CertWatcher
+	if options.CertFile != "" && options.KeyFile != "" {
+		var err error
+		certWatcher, err = certwatcher.New(options.CertFile, options.KeyFile)
+		if err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to create RuntimeSDK client: failed to create cert-watcher")
+		}
+		certWatcher.RegisterCallback(func(_ tls.Certificate) {
+			httpClientCache.DeleteAll()
+		})
+	}
 	return &client{
 		certFile:         options.CertFile,
 		keyFile:          options.KeyFile,
 		catalog:          options.Catalog,
 		registry:         options.Registry,
 		client:           options.Client,
-		httpClientsCache: cache.New[httpClientEntry](24 * time.Hour),
-	}
+		httpClientsCache: httpClientCache,
+	}, certWatcher, nil
 }
 
 var _ runtimeclient.Client = &client{}