Sidecar: Loads the certificate during startup. (#5995)

Signed-off-by: maheshbaliga <[email protected]> Signed-off-by: maheshbaliga <[email protected]>
thanos-io · Jan 3, 2023 · 6ef005c · 6ef005c
1 parent 45f9db7
commit 6ef005c
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,9 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 
 - [#5990](https://github.com/thanos-io/thanos/pull/5990) Cache/Redis: add support for Redis Sentinel via new option `master_name`.
 
+### Fixed
+- [#5995] (https://github.com/thanos-io/thanos/pull/5993) Sidecar: Loads the TLS certificate during startup.
+
 ## [v0.30.0](https://github.com/thanos-io/thanos/tree/release-0.30) - in progress.
 
 ### Fixed

diff --git a/pkg/tls/options.go b/pkg/tls/options.go
@@ -17,8 +17,8 @@ import (
 )
 
 // NewServerConfig provides new server TLS configuration.
-func NewServerConfig(logger log.Logger, cert, key, clientCA string) (*tls.Config, error) {
-	if key == "" && cert == "" {
+func NewServerConfig(logger log.Logger, certPath, keyPath, clientCA string) (*tls.Config, error) {
+	if keyPath == "" && certPath == "" {
 		if clientCA != "" {
 			return nil, errors.New("when a client CA is used a server key and certificate must also be provided")
 		}
@@ -29,17 +29,23 @@ func NewServerConfig(logger log.Logger, cert, key, clientCA string) (*tls.Config
 
 	level.Info(logger).Log("msg", "enabling server side TLS")
 
-	if key == "" || cert == "" {
+	if keyPath == "" || certPath == "" {
 		return nil, errors.New("both server key and certificate must be provided")
 	}
 
 	tlsCfg := &tls.Config{
 		MinVersion: tls.VersionTLS13,
 	}
+	// Certificate is loaded during server startup to check for any errors.
+	certificate, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return nil, errors.Wrap(err, "server credentials")
+	}
 
 	mngr := &serverTLSManager{
-		srvCertPath: cert,
-		srvKeyPath:  key,
+		srvCertPath: certPath,
+		srvKeyPath:  keyPath,
+		srvCert:     &certificate,
 	}
 
 	tlsCfg.GetCertificate = mngr.getCertificate

diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go
@@ -179,3 +179,15 @@ type ecServer struct {
 func (s *ecServer) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
 	return &pb.EchoResponse{Message: req.Message}, nil
 }
+
+func TestInvalidCertAndKey(t *testing.T) {
+	defer leaktest.CheckTimeout(t, 10*time.Second)()
+	logger := log.NewLogfmtLogger(os.Stderr)
+	tmpDirSrv := t.TempDir()
+	caSrv := filepath.Join(tmpDirSrv, "ca")
+	certSrv := filepath.Join(tmpDirSrv, "cert")
+	keySrv := filepath.Join(tmpDirSrv, "key")
+	// Certificate and key are not present in the above path
+	_, err := thTLS.NewServerConfig(logger, certSrv, keySrv, caSrv)
+	testutil.NotOk(t, err)
+}