Fix loading certificates

kylecarbs · kylecarbs · commit 36f648932634 · 2023-05-22T22:03:22.000Z
diff --git a/README.md b/README.md
@@ -38,3 +38,8 @@ resource "kubernetes_deployment" "hello_world" {
 ```
 
 This ensures all pod events will be sent during initialization and startup.
+
+## Custom Certificates
+
+- [`SSL_CERT_FILE`](https://go.dev/src/crypto/x509/root_unix.go#L19): Specifies the path to an SSL certificate.
+- [`SSL_CERT_DIR`](https://go.dev/src/crypto/x509/root_unix.go#L25): Identifies which directory to check for SSL certificate files.
diff --git a/go.mod b/go.mod
@@ -32,6 +32,7 @@ require (
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/breml/rootcerts v0.2.11 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/charmbracelet/lipgloss v0.7.1 // indirect
diff --git a/go.sum b/go.sum
@@ -114,6 +114,8 @@ github.com/bep/debounce v1.2.1 h1:v67fRdBA9UQu2NhLFXrSg0Brw7CexQekrBwDMM8bzeY=
 github.com/bep/godartsass v0.16.0 h1:nTpenrZBQjVSjLkCw3AgnYmBB2czauTJa4BLLv448qg=
 github.com/bep/golibsass v1.1.0 h1:pjtXr00IJZZaOdfryNa9wARTB3Q0BmxC3/V1KNcgyTw=
 github.com/bool64/shared v0.1.5 h1:fp3eUhBsrSjNCQPcSdQqZxxh9bBwrYiZ+zOKFkM0/2E=
+github.com/breml/rootcerts v0.2.11 h1:njUAtoyZ6HUXPAPk63tGz0BEZk1/6gyfqK5fTzksHkM=
+github.com/breml/rootcerts v0.2.11/go.mod h1:S/PKh+4d1HUn4HQovEB8hPJZO6pUZYrIhmXBhsegfXw=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
 github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
 github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
diff --git a/logger.go b/logger.go
@@ -18,6 +18,11 @@ import (
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
+
+	// *Never* remove this. Certificates are not bundled as part
+	// of the container, so this is necessary for all connections
+	// to not be insecure.
+	_ "github.com/breml/rootcerts"
 )
 
 type podEventLoggerOptions struct {
@@ -137,18 +142,17 @@ func (p *podEventLogger) init() error {
 			p.mutex.Lock()
 			defer p.mutex.Unlock()
 			tokens, ok := p.podToAgentTokens[pod.Name]
+			if !ok {
+				return
+			}
 			delete(p.podToAgentTokens, pod.Name)
-			if ok {
-				for _, token := range tokens {
-					p.sendLog(pod.Name, token, agentsdk.StartupLog{
-						CreatedAt: time.Now(),
-						Output:    fmt.Sprintf("🗑️ %s: %s", newColor(color.Bold).Sprint("Deleted pod"), pod.Name),
-						Level:     codersdk.LogLevelError,
-					})
-				}
-
+			for _, token := range tokens {
+				p.sendLog(pod.Name, token, agentsdk.StartupLog{
+					CreatedAt: time.Now(),
+					Output:    fmt.Sprintf("🗑️ %s: %s", newColor(color.Bold).Sprint("Deleted pod"), pod.Name),
+					Level:     codersdk.LogLevelError,
+				})
 			}
-
 			p.logger.Info(p.ctx, "unregistered agent pod", slog.F("pod", pod.Name))
 		},
 	})
