Fixing a bug where the token server startup check fails when mTLS is enabled (#174)

* use config variable

Signed-off-by: wfan <[email protected]>

* add forceful shutdown logic

Signed-off-by: wfan <[email protected]>

* fix all shutdown

Signed-off-by: wfan <[email protected]>

* add comment

Signed-off-by: wfan <[email protected]>

* fix: server check with tls

Signed-off-by: fum1h1to <[email protected]>

* fix: check mtls

Signed-off-by: fum1h1to <[email protected]>

* fix: comment

Signed-off-by: fum1h1to <[email protected]>

* fix: variable name

Signed-off-by: fum1h1to <[email protected]>

* refactor

Signed-off-by: fum1h1to <[email protected]>

* refactor

Signed-off-by: fum1h1to <[email protected]>
Signed-off-by: wfan <[email protected]>

---------

Signed-off-by: wfan <[email protected]>
Signed-off-by: fum1h1to <[email protected]>
Signed-off-by: Windz <[email protected]>
Co-authored-by: wfan <[email protected]>
Co-authored-by: Windz <[email protected]>

Author: fsul7o

pkg/daemon/httpchecker.go

@@ -16,6 +16,7 @@ package daemon
 
 import (
 	"crypto/tls"
+	"errors"
 	"net/http"
 	"time"
 
@@ -25,27 +26,36 @@ import (
 )
 
 // WaitForServerReady waits until the HTTP(S) server can respond to a GET request. Should NOT allow cancelling the retry as shuting down non-ready server may cause deadlock.
-func WaitForServerReady(serverAddr string, insecureSkipVerify bool) error {
+func WaitForServerReady(serverAddr string, insecureSkipVerify bool, clientCertEnabled bool) error {
 
 	t := http.DefaultTransport.(*http.Transport).Clone()
 	t.TLSClientConfig = &tls.Config{}
 	client := &http.Client{Transport: t}
 
-	var url string
+	var targetUrl string
 	if insecureSkipVerify {
 		t.TLSClientConfig.InsecureSkipVerify = true
-		url = "https://" + serverAddr
+		targetUrl = "https://" + serverAddr
 	} else {
-		url = "http://" + serverAddr
+		targetUrl = "http://" + serverAddr
 	}
 
 	get := func() error {
-		resp, err := client.Get(url)
-		if err == nil {
-			resp.Body.Close()
-			log.Debugf("Server started at %s", url)
+		resp, err := client.Get(targetUrl)
+		if err != nil {
+			// if client certificate disabled, return ALL errors.
+			// if client certificate enabled, return ALL errors but exclude client certificate verification error.
+			errCause := errors.Unwrap(err)
+			if !clientCertEnabled || errCause == nil || errCause.Error() != "remote error: tls: certificate required" {
+				return err
+			}
+			log.Debugf("Server started at %s (can response certificate required error)", targetUrl)
+			return nil
 		}
-		return err
+
+		resp.Body.Close()
+		log.Debugf("Server started at %s", targetUrl)
+		return nil
 	}
 
 	getExponentialBackoff := func() backoff.BackOff {

pkg/healthcheck/service.go

@@ -84,7 +84,7 @@ func (hs *hcService) Start(ctx context.Context) error {
 			log.Info("Stopped health check server")
 		}()
 
-		if err := daemon.WaitForServerReady(hs.hcServer.Addr, false); err != nil {
+		if err := daemon.WaitForServerReady(hs.hcServer.Addr, false, false); err != nil {
 			log.Errorf("Failed to confirm health check server ready: %s", err.Error())
 			return err
 		}

pkg/metrics/service.go

@@ -125,7 +125,7 @@ func (ms *metricsService) Start(ctx context.Context) error {
 			log.Info("Stopped metrics exporter server")
 		}()
 
-		if err := daemon.WaitForServerReady(ms.exporter.ListenAddress, false); err != nil {
+		if err := daemon.WaitForServerReady(ms.exporter.ListenAddress, false, false); err != nil {
 			log.Errorf("Failed to confirm metrics exporter server ready: %s", err.Error())
 			return err
 		}

pkg/token/service.go

@@ -190,7 +190,7 @@ func (ts *tokenService) Start(ctx context.Context) error {
 			log.Info("Stopped token provider server")
 		}()
 
-		if err := daemon.WaitForServerReady(ts.tokenServer.Addr, ts.idCfg.TokenServer.TLS.Use); err != nil {
+		if err := daemon.WaitForServerReady(ts.tokenServer.Addr, ts.idCfg.TokenServer.TLS.Use, ts.idCfg.TokenServer.TLS.CAPath != ""); err != nil {
 			log.Errorf("Failed to confirm token provider server ready: %s", err.Error())
 			return err
 		}