Load certificate when they are updated

Currently we need to restart activator when certificates are updated.
This patch fixes it by:
* Using `GetCertificate` for server certs.
* Using `VerifyPeerCertificate` for custom CA verification.
* Caching the cert for peformance.

Fix knative#13694

cmd/activator/main.go

@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"errors"
 	"fmt"
 	"log"
@@ -41,7 +40,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 
-	"knative.dev/control-protocol/pkg/certificates"
 	network "knative.dev/networking/pkg"
 	netcfg "knative.dev/networking/pkg/config"
 	netprobe "knative.dev/networking/pkg/http/probe"
@@ -60,6 +58,7 @@ import (
 	tracingconfig "knative.dev/pkg/tracing/config"
 	"knative.dev/pkg/version"
 	"knative.dev/pkg/websocket"
+	"knative.dev/serving/pkg/activator/certificate"
 	activatorconfig "knative.dev/serving/pkg/activator/config"
 	activatorhandler "knative.dev/serving/pkg/activator/handler"
 	activatornet "knative.dev/serving/pkg/activator/net"
@@ -162,29 +161,21 @@ func main() {
 	// Enable TLS against queue-proxy when internal-encryption is enabled.
 	tlsEnabled := networkConfig.InternalEncryption
 
+	var certCache *certificate.CertCache
+	if tlsEnabled {
+		logger.Info("Internal Encryption is enabled")
+		certCache = certificate.NewCertCache(ctx)
+	}
+
 	// Enable TLS client when queue-proxy-ca is specified.
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
 	if tlsEnabled {
-		logger.Info("Internal Encryption is enabled")
-		caSecret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, netcfg.ServingInternalCertName, metav1.GetOptions{})
-		if err != nil {
-			logger.Fatalw("Failed to get secret", zap.Error(err))
-		}
-
-		pool, err := x509.SystemCertPool()
-		if err != nil {
-			pool = x509.NewCertPool()
-		}
-
-		if ok := pool.AppendCertsFromPEM(caSecret.Data[certificates.CaCertName]); !ok {
-			logger.Fatalw("Failed to append ca cert to the RootCAs")
-		}
-
 		tlsConf := &tls.Config{
-			RootCAs:            pool,
-			InsecureSkipVerify: false,
-			ServerName:         certificates.FakeDnsName,
+			VerifyPeerCertificate: certCache.ValidateCert,
+			// nolint:gosec
+			// Validate certificates by a custom function via VerifyPeerCertificate.
+			InsecureSkipVerify: true,
 			MinVersion:         tls.VersionTLS12,
 		}
 		transport = pkgnet.NewProxyAutoTLSTransport(env.MaxIdleProxyConns, env.MaxIdleProxyConnsPerHost, tlsConf)
@@ -300,20 +291,12 @@ func main() {
 	// At this moment activator with TLS does not disable HTTP.
 	// See also https://github.com/knative/serving/issues/12808.
 	if tlsEnabled {
-		secret, err := kubeClient.CoreV1().Secrets(system.Namespace()).Get(ctx, netcfg.ServingInternalCertName, metav1.GetOptions{})
-		if err != nil {
-			logger.Fatalw("failed to get secret", zap.Error(err))
-		}
-		cert, err := tls.X509KeyPair(secret.Data[certificates.CertName], secret.Data[certificates.PrivateKeyName])
-		if err != nil {
-			logger.Fatalw("failed to load certs", zap.Error(err))
-		}
-
-		// TODO: Implement the secret (certificate) rotation like knative.dev/pkg/webhook/certificates/.
-		// Also, the current activator must be restarted when updating the secret.
 		name, server := "https", pkgnet.NewServer(":"+strconv.Itoa(networking.BackendHTTPSPort), ah)
 		go func(name string, s *http.Server) {
-			s.TLSConfig = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
+			s.TLSConfig = &tls.Config{
+				MinVersion:     tls.VersionTLS12,
+				GetCertificate: certCache.GetCertificate,
+			}
 			// Don't forward ErrServerClosed as that indicates we're already shutting down.
 			if err := s.ListenAndServeTLS("", ""); err != nil && !errors.Is(err, http.ErrServerClosed) {
 				errCh <- fmt.Errorf("%s server failed: %w", name, err)

pkg/activator/certificate/cache.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificate
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"sync"
+
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/tools/cache"
+
+	"knative.dev/control-protocol/pkg/certificates"
+	netcfg "knative.dev/networking/pkg/config"
+	"knative.dev/pkg/controller"
+	secretinformer "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret"
+	"knative.dev/pkg/logging"
+	"knative.dev/pkg/system"
+)
+
+// CertCache caches certificates and CA pool.
+type CertCache struct {
+	secretInformer v1.SecretInformer
+	logger         *zap.SugaredLogger
+
+	certificates *tls.Certificate
+	pool         *x509.CertPool
+
+	certificatesMux sync.RWMutex
+}
+
+// NewCertCache starts secretInformer.
+func NewCertCache(ctx context.Context) *CertCache {
+	secretInformer := secretinformer.Get(ctx)
+
+	cr := &CertCache{
+		secretInformer: secretInformer,
+		certificates:   nil,
+		pool:           nil,
+		logger:         logging.FromContext(ctx),
+	}
+
+	secretInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
+		FilterFunc: controller.FilterWithNameAndNamespace(system.Namespace(), netcfg.ServingInternalCertName),
+		Handler: cache.ResourceEventHandlerFuncs{
+			UpdateFunc: cr.handleCertificateUpdate,
+			AddFunc:    cr.handleCertificateAdd,
+			DeleteFunc: cr.handleCertificateDelete,
+		},
+	})
+
+	return cr
+}
+
+func (cr *CertCache) handleCertificateAdd(added interface{}) {
+	if secret, ok := added.(*corev1.Secret); ok {
+		cr.certificatesMux.Lock()
+		defer cr.certificatesMux.Unlock()
+
+		cert, err := tls.X509KeyPair(secret.Data[certificates.CertName], secret.Data[certificates.PrivateKeyName])
+		if err != nil {
+			cr.logger.Warnw("failed to parse secret", zap.Error(err))
+			return
+		}
+		cr.certificates = &cert
+
+		pool := x509.NewCertPool()
+		block, _ := pem.Decode(secret.Data[certificates.CaCertName])
+		ca, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			cr.logger.Warnw("Failed to parse CA: %v", zap.Error(err))
+			return
+		}
+		pool.AddCert(ca)
+
+		cr.pool = pool
+	}
+}
+
+func (cr *CertCache) handleCertificateUpdate(_, new interface{}) {
+	cr.handleCertificateAdd(new)
+}
+
+func (cr *CertCache) handleCertificateDelete(_ interface{}) {
+	cr.certificatesMux.Lock()
+	defer cr.certificatesMux.Unlock()
+	cr.certificates = nil
+	cr.pool = nil
+}
+
+// GetCertificate returns the cached certificates.
+func (cr *CertCache) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	cr.certificatesMux.RLock()
+	defer cr.certificatesMux.RUnlock()
+	return cr.certificates, nil
+}
+
+// ValidateCert validates the certificate with the CA pool and DNS name.
+func (cr *CertCache) ValidateCert(rawCerts [][]byte, _ [][]*x509.Certificate) error {
+	cr.certificatesMux.RLock()
+	defer cr.certificatesMux.RUnlock()
+
+	for _, rawCert := range rawCerts {
+		cert, err := x509.ParseCertificate(rawCert)
+		if err != nil {
+			return err
+		}
+
+		opts := x509.VerifyOptions{
+			Roots:         cr.pool,
+			DNSName:       certificates.FakeDnsName,
+			Intermediates: x509.NewCertPool(),
+		}
+
+		if _, err := cert.Verify(opts); err != nil {
+			cr.logger.Warnw("invalid cert found", zap.Error(err))
+		} else {
+			return nil
+		}
+	}
+	return errors.New("failed to validate certificate")
+}