Open
Labels: bug (Something isn't working)
Description
Background
k8s-athenz-sia's cert-reloader uses the standard tls library to read the X.509 certificate and its key safely:
https://github.com/AthenZ/k8s-athenz-sia/blob/main/pkg/util/cert-reloader.go#L79-L82
But the cert-reloader then reads the X.509 certificate and its key a second time with a manual implementation:
https://github.com/AthenZ/k8s-athenz-sia/blob/main/pkg/util/cert-reloader.go#L83-L90
This is not the safest approach, as reading a certificate and key correctly requires handling many different error cases, for example those handled by the tls library:
https://cs.opensource.google/go/go/+/refs/tags/go1.23.4:src/crypto/tls/tls.go;l=255-350
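The difference the issue points at, as an added Go example that is not part of k8s-athenz-sia's code: a loader built on tls.LoadX509KeyPair() beside a loader built on two bare os.ReadFile() calls, both fed a consistent pair, a certificate with the wrong key, and a zero-byte key file (the kind of half-written file a reloader can observe mid-rotation). The self-signed fixtures, the function names LoadChecked, LoadUnchecked and Compare, and the service-a/service-b names are constructed for the demo and are assumptions, not anything from the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// must panics on error; used only for demo fixture setup, never in the loaders.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// writeSelfSigned writes a constructed, throwaway self-signed certificate and
// EC key into dir (demo fixtures, not the SIA's own issuance) and returns their paths.
func writeSelfSigned(dir, cn string) (certPath, keyPath string) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	certDER := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	keyDER := must(x509.MarshalECPrivateKey(key))
	certPath, keyPath = filepath.Join(dir, cn+".crt"), filepath.Join(dir, cn+".key")
	must(0, os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), 0o600))
	must(0, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600))
	return certPath, keyPath
}

// LoadChecked is the path the issue recommends: one tls.LoadX509KeyPair call that
// decodes both PEM files, parses the key and rejects a key that does not match the certificate.
func LoadChecked(certPath, keyPath string) (string, error) {
	pair, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return "", err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// LoadUnchecked mirrors the manual pattern the issue flags: two bare os.ReadFile calls.
// Any byte sequence passes, so an empty, truncated or mismatched key only fails at handshake time.
func LoadUnchecked(certPath, keyPath string) (certPEM, keyPEM []byte, err error) {
	if certPEM, err = os.ReadFile(certPath); err != nil {
		return nil, nil, err
	}
	keyPEM, err = os.ReadFile(keyPath)
	return certPEM, keyPEM, err
}

// Comparison records which loader rejected which bad input.
type Comparison struct {
	MatchedCN                                        string
	CheckedRejectsMismatch, UncheckedRejectsMismatch bool
	CheckedRejectsEmpty, UncheckedRejectsEmpty       bool
}

// Compare runs a good pair, a mismatched pair and an empty key file through both loaders.
func Compare() (c Comparison) {
	dir := must(os.MkdirTemp("", "certreload-demo"))
	defer os.RemoveAll(dir)
	aCert, aKey := writeSelfSigned(dir, "service-a")
	_, bKey := writeSelfSigned(dir, "service-b")
	emptyKey := filepath.Join(dir, "empty.key") // stands in for a half-written key seen mid-rotation
	must(0, os.WriteFile(emptyKey, nil, 0o600))
	c.MatchedCN = must(LoadChecked(aCert, aKey))
	_, err := LoadChecked(aCert, bKey)
	c.CheckedRejectsMismatch = err != nil
	_, _, err = LoadUnchecked(aCert, bKey)
	c.UncheckedRejectsMismatch = err != nil
	_, err = LoadChecked(aCert, emptyKey)
	c.CheckedRejectsEmpty = err != nil
	_, _, err = LoadUnchecked(aCert, emptyKey)
	c.UncheckedRejectsEmpty = err != nil
	return c
}

func main() { fmt.Printf("%+v\n", Compare()) }
```

Running it prints the Comparison struct: the tls.LoadX509KeyPair path rejects both the wrong key and the empty file at load time with a descriptive error, while the os.ReadFile path accepts both and the problem would only surface at the next TLS handshake, which is exactly the gap a reloader needs to close before swapping in a new pair.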
What should be done?
- Understand why separate os.ReadFile() calls exist for the cert and key, when tls.LoadX509KeyPair() is potentially enough
- Understand why the role certificate does not use the certificate/key read from tls.LoadX509KeyPair()
- Take appropriate actions after the necessary research is done
Acknowledgment
This issue was initially identified by one of the end users, raised as a concern by @y-myajima, and subsequently reported as an issue by @mlajkim.