@@ -4,16 +4,19 @@ import (
44 "context"
55 "crypto/tls"
66 "errors"
7+ "fmt"
78 "net"
89 "net/http"
910 "net/http/httputil"
1011 "net/url"
1112 "syscall"
1213 "time"
14+
15+ "sigs.k8s.io/gateway-api-inference-extension/pkg/common"
1316)
1417
1518// startHTTP starts the HTTP reverse proxy.
16- func (s * Server ) startHTTP (ctx context.Context , cert * tls. Certificate ) error {
19+ func (s * Server ) startHTTP (ctx context.Context ) error {
1720 // Start SSRF protection validator
1821 if err := s .allowlistValidator .Start (ctx ); err != nil {
1922 s .logger .Error (err , "Failed to start allowlist validator" )
@@ -35,11 +38,36 @@ func (s *Server) startHTTP(ctx context.Context, cert *tls.Certificate) error {
3538 MaxHeaderBytes : 1 << 20 , // 1 MB for headers is sufficient
3639 }
3740
38- // Create TLS certificates
41+ var cert * tls.Certificate
42+ if s .config .SecureServing {
43+ var tempCert tls.Certificate
44+ if s .config .CertPath != "" {
45+ tempCert , err = tls .LoadX509KeyPair (s .config .CertPath + "/tls.crt" , s .config .CertPath + "/tls.key" )
46+ } else {
47+ tempCert , err = CreateSelfSignedTLSCertificate ()
48+ }
49+ if err != nil {
50+ return fmt .Errorf ("failed to create TLS certificate: %w" , err )
51+ }
52+ cert = & tempCert
53+ }
54+
3955 if cert != nil {
56+ getCertificate := func (info * tls.ClientHelloInfo ) (* tls.Certificate , error ) {
57+ return cert , nil
58+ }
59+ if s .config .CertPath != "" {
60+ reloader , err := common .NewCertReloader (ctx , "" , cert )
61+ if err != nil {
62+ return fmt .Errorf ("failed to start reloader: %w" , err )
63+ }
64+ getCertificate = func (info * tls.ClientHelloInfo ) (* tls.Certificate , error ) {
65+ return reloader .Get (), nil
66+ }
67+ }
68+
4069 server .TLSConfig = & tls.Config {
41- Certificates : []tls.Certificate {* cert },
42- MinVersion : tls .VersionTLS12 ,
70+ MinVersion : tls .VersionTLS12 ,
4371 CipherSuites : []uint16 {
4472 tls .TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,
4573 tls .TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,
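Review bot: `common.NewCertReloader(ctx, "", cert)` passes an empty string in the branch that has just established `s.config.CertPath` is non-empty; if that argument is the path the reloader watches (its signature is not visible here, so this is inferred), a rotated key pair will never be picked up and the `cert` loaded at startup is served until the process restarts, which silently defeats the rotation this change is adding. Suggest `reloader, err := common.NewCertReloader(ctx, s.config.CertPath, cert)` — or, if the reloader takes file paths, the same `tls.crt`/`tls.key` pair loaded above, built with `filepath.Join(s.config.CertPath, "tls.crt")` rather than string concatenation so the files watched are exactly the files loaded. The self-signed fallback when `CertPath` is empty is a reasonable development default but produces a certificate no client can verify, so that branch deserves an explicit log line such as `s.logger.Info("no CertPath configured; serving a self-signed certificate")` to make it visible when it happens in production. `err` is assigned with `=` at the `LoadX509KeyPair` call, so it relies on a declaration outside this hunk; the enclosing `startHTTP` begins before and continues past this hunk.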
@@ -48,6 +76,7 @@ func (s *Server) startHTTP(ctx context.Context, cert *tls.Certificate) error {
4876 tls .TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 ,
4977 tls .TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 ,
5078 },
79+ GetCertificate : getCertificate ,
5180 }
5281 s .logger .Info ("server TLS configured" )
5382 }