Use sigs.k8s.io/controller-runtime/pkg/certwatcher

Signed-off-by: GitHub <noreply@github.com>

constraint/go.mod

@@ -42,6 +42,7 @@ require (
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/felixge/httpsnoop v1.0.2 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect

constraint/pkg/client/drivers/local/args.go

@@ -2,14 +2,14 @@ package local
 
 import (
 	"fmt"
-	"os"
 
 	"github.com/open-policy-agent/frameworks/constraint/pkg/client/errors"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/storage"
 	"github.com/open-policy-agent/opa/topdown/print"
 	opatypes "github.com/open-policy-agent/opa/types"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 )
 
 type Arg func(*Driver) error
@@ -48,10 +48,6 @@ func Defaults() Arg {
 			d.sendRequestToProvider = externaldata.DefaultSendRequestToProvider
 		}
 
-		if d.fs == nil {
-			d.fs = os.DirFS("/")
-		}
-
 		return nil
 	}
 }
@@ -120,10 +116,9 @@ func DisableBuiltins(builtins ...string) Arg {
 	}
 }
 
-func AddClientTLSKeyPair(certFile, keyFile string) Arg {
+func AddExternalDataClientCertWatcher(clientCertWatcher *certwatcher.CertWatcher) Arg {
 	return func(d *Driver) error {
-		d.clientCertFile = certFile
-		d.clientKeyFile = keyFile
+		d.clientCertWatcher = clientCertWatcher
 
 		return nil
 	}

constraint/pkg/client/drivers/local/driver.go

@@ -6,8 +6,6 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"io/fs"
-	"io/ioutil"
 	"sort"
 	"strings"
 	"sync"
@@ -25,6 +23,7 @@ import (
 	"github.com/open-policy-agent/opa/topdown/print"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 )
 
 const (
@@ -69,14 +68,8 @@ type Driver struct {
 	// that is used to communicate with providers.
 	enableExternalDataClientAuth bool
 
-	// fs is the filesystem to use for reading files.
-	fs fs.FS
-
-	// clientCertFile is the path to the client's certificate file.
-	clientCertFile string
-
-	// clientKeyFile is the path to the client's key file.
-	clientKeyFile string
+	// clientCertWatcher is a watcher for the TLS certificate used to communicate with providers.
+	clientCertWatcher *certwatcher.CertWatcher
 }
 
 // AddTemplate adds templ to Driver. Normalizes modules into usable forms for
@@ -337,38 +330,16 @@ func (d *Driver) Dump(ctx context.Context) (string, error) {
 	return string(b), nil
 }
 
-// readFile reads a file from driver's filesystem and returns its contents.
-func (d *Driver) readFile(name string) ([]byte, error) {
-	file, err := d.fs.Open(name)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open file %s: %w", name, err)
-	}
-	defer file.Close()
-
-	return ioutil.ReadAll(file)
-}
-
 func (d *Driver) getTLSCertificate() (*tls.Certificate, error) {
 	if !d.enableExternalDataClientAuth {
 		return nil, nil
 	}
 
-	certPEM, err := d.readFile(d.clientCertFile)
-	if err != nil {
-		return nil, err
-	}
-
-	keyPEM, err := d.readFile(d.clientKeyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	clientCert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
+	if d.clientCertWatcher == nil {
+		return nil, fmt.Errorf("certWatcher should not be nil when enableExternalDataClientAuth is true")
 	}
 
-	return &clientCert, nil
+	return d.clientCertWatcher.GetCertificate(nil)
 }
 
 // rewriteModulePackage rewrites the module's package path to path.

constraint/pkg/client/drivers/local/driver_unit_test.go

@@ -5,11 +5,11 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"io/fs"
+	"io/ioutil"
 	"net/http"
+	"os"
 	"sort"
 	"testing"
-	"testing/fstest"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -24,6 +24,7 @@ import (
 	"github.com/open-policy-agent/opa/storage/inmem"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 )
 
 const (
@@ -177,73 +178,16 @@ func TestDriver_ExternalData(t *testing.T) {
 	for _, tt := range []struct {
 		name                  string
 		provider              *v1alpha1.Provider
-		fs                    fs.FS
+		clientCertContent     string
+		clientKeyContent      string
 		sendRequestToProvider externaldata.SendRequestToProvider
 		errorExpected         bool
 	}{
 		{
-			name:          "provider not found",
-			errorExpected: true,
-		},
-		{
-			name: "invalid client cert path",
-			provider: &v1alpha1.Provider{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "dummy-provider",
-				},
-				Spec: v1alpha1.ProviderSpec{
-					URL:      "https://example.com",
-					Timeout:  1,
-					CABundle: caBundle,
-				},
-			},
-			fs: fstest.MapFS{
-				"client.key": {
-					Data: []byte("test"),
-				},
-			},
-			errorExpected: true,
-		},
-		{
-			name: "invalid client key path",
-			provider: &v1alpha1.Provider{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "dummy-provider",
-				},
-				Spec: v1alpha1.ProviderSpec{
-					URL:      "https://example.com",
-					Timeout:  1,
-					CABundle: caBundle,
-				},
-			},
-			fs: fstest.MapFS{
-				"client.crt": {
-					Data: []byte("test"),
-				},
-			},
-			errorExpected: true,
-		},
-		{
-			name: "invalid client cert and key content",
-			provider: &v1alpha1.Provider{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "dummy-provider",
-				},
-				Spec: v1alpha1.ProviderSpec{
-					URL:      "https://example.com",
-					Timeout:  1,
-					CABundle: caBundle,
-				},
-			},
-			fs: fstest.MapFS{
-				"client.crt": {
-					Data: []byte("test"),
-				},
-				"client.key": {
-					Data: []byte("test"),
-				},
-			},
-			errorExpected: true,
+			name:              "provider not found",
+			clientCertContent: clientCert,
+			clientKeyContent:  clientKey,
+			errorExpected:     true,
 		},
 		{
 			name: "error from SendRequestToProvider",
@@ -257,14 +201,8 @@ func TestDriver_ExternalData(t *testing.T) {
 					CABundle: caBundle,
 				},
 			},
-			fs: fstest.MapFS{
-				"client.crt": {
-					Data: []byte(clientCert),
-				},
-				"client.key": {
-					Data: []byte(clientKey),
-				},
-			},
+			clientCertContent: clientCert,
+			clientKeyContent:  clientKey,
 			sendRequestToProvider: func(ctx context.Context, provider *v1alpha1.Provider, keys []string, clientCert *tls.Certificate) (*externaldata.ProviderResponse, int, error) {
 				return nil, http.StatusBadRequest, errors.New("error from SendRequestToProvider")
 			},
@@ -282,14 +220,8 @@ func TestDriver_ExternalData(t *testing.T) {
 					CABundle: caBundle,
 				},
 			},
-			fs: fstest.MapFS{
-				"client.crt": {
-					Data: []byte(clientCert),
-				},
-				"client.key": {
-					Data: []byte(clientKey),
-				},
-			},
+			clientCertContent: clientCert,
+			clientKeyContent:  clientKey,
 			sendRequestToProvider: func(ctx context.Context, provider *v1alpha1.Provider, keys []string, clientCert *tls.Certificate) (*externaldata.ProviderResponse, int, error) {
 				return &externaldata.ProviderResponse{
 					APIVersion: "v1alpha1",
@@ -308,9 +240,37 @@ func TestDriver_ExternalData(t *testing.T) {
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
+			clientCertFile, err := ioutil.TempFile("", "client-cert")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.Remove(clientCertFile.Name())
+
+			_, _ = clientCertFile.WriteString(tt.clientCertContent)
+			clientCertFile.Close()
+
+			clientKeyFile, err := ioutil.TempFile("", "client-key")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.Remove(clientKeyFile.Name())
+
+			_, _ = clientKeyFile.WriteString(tt.clientKeyContent)
+			clientKeyFile.Close()
+
+			clientCertWatcher, err := certwatcher.New(clientCertFile.Name(), clientKeyFile.Name())
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			go func() {
+				_ = clientCertWatcher.Start(context.Background())
+			}()
+
 			d, err := New(
 				AddExternalDataProviderCache(externaldata.NewCache()),
 				EnableExternalDataClientAuth(),
+				AddExternalDataClientCertWatcher(clientCertWatcher),
 			)
 			if err != nil {
 				t.Fatal(err)
@@ -322,12 +282,6 @@ func TestDriver_ExternalData(t *testing.T) {
 				}
 			}
 
-			if tt.fs != nil {
-				d.fs = tt.fs
-				d.clientCertFile = "client.crt"
-				d.clientKeyFile = "client.key"
-			}
-
 			if tt.sendRequestToProvider != nil {
 				d.sendRequestToProvider = tt.sendRequestToProvider
 			}