Add automatic TLS certificate reloading for EPP (#1765)

* Add automatic TLS certificate reloading for EPP

Enables the server to reload certificates without restart when they are
rotated, which is particularly useful in Kubernetes environments where
certificate rotation is automated.

Adds --enable-cert-refresh flag (default: false) to control this behavior.
Uses file watching with debouncing to handle rapid file system events
during certificate updates.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Add path to watch before before creating background gorouting

avoid the case where defer of the goroutine is called before w.Add

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Debug level logging returns error

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

---------

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

Author: pierDipi

cmd/epp/runner/runner.go

@@ -125,6 +125,7 @@ var (
 	certPath            = flag.String("cert-path", runserver.DefaultCertPath, "The path to the certificate for secure serving. The certificate and private key files "+
 		"are assumed to be named tls.crt and tls.key, respectively. If not set, and secureServing is enabled, "+
 		"then a self-signed certificate is used.")
+	enableCertReload = flag.Bool("enable-cert-reload", runserver.DefaultCertReload, "Enables certificate reloading of the certificates specified in --cert-path")
 	// metric flags
 	totalQueuedRequestsMetric    = flag.String("total-queued-requests-metric", runserver.DefaultTotalQueuedRequestsMetric, "Prometheus metric for the number of queued requests.")
 	totalRunningRequestsMetric   = flag.String("total-running-requests-metric", runserver.DefaultTotalRunningRequestsMetric, "Prometheus metric for the number of running requests.")
@@ -366,6 +367,7 @@ func (r *Runner) Run(ctx context.Context) error {
 		SecureServing:                    *secureServing,
 		HealthChecking:                   *healthChecking,
 		CertPath:                         *certPath,
+		EnableCertReload:                 *enableCertReload,
 		RefreshPrometheusMetricsInterval: *refreshPrometheusMetricsInterval,
 		MetricsStalenessThreshold:        *metricsStalenessThreshold,
 		Director:                         director,

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/elastic/crd-ref-docs v0.2.0
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0
+	github.com/fsnotify/fsnotify v1.9.0
 	github.com/go-logr/logr v1.4.3
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
@@ -60,7 +61,6 @@ require (
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.2 // indirect

pkg/common/certs.go

@@ -0,0 +1,103 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"sync/atomic"
+	"time"
+
+	"github.com/fsnotify/fsnotify"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	logutil "sigs.k8s.io/gateway-api-inference-extension/pkg/epp/util/logging"
+)
+
+// debounceDelay wait for events to settle before reloading
+const debounceDelay = 250 * time.Millisecond
+
+type CertReloader struct {
+	cert *atomic.Pointer[tls.Certificate]
+}
+
+func NewCertReloader(ctx context.Context, path string, init *tls.Certificate) (*CertReloader, error) {
+	certPtr := &atomic.Pointer[tls.Certificate]{}
+	certPtr.Store(init)
+
+	w, err := fsnotify.NewWatcher()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cert watcher: %w", err)
+	}
+
+	logger := log.FromContext(ctx).
+		WithName("cert-reloader").
+		WithValues("path", path)
+	traceLogger := logger.V(logutil.TRACE)
+
+	if err := w.Add(path); err != nil {
+		_ = w.Close() // Clean up watcher before returning
+		return nil, fmt.Errorf("failed to watch %q: %w", path, err)
+	}
+
+	go func() {
+		defer w.Close()
+
+		var debounceTimer *time.Timer
+
+		for {
+			select {
+			case ev := <-w.Events:
+				traceLogger.Info("Cert changed", "event", ev)
+
+				if ev.Op&(fsnotify.Write|fsnotify.Create) == 0 {
+					continue
+				}
+
+				// Debounce: reset the timer if we get another event
+				if debounceTimer != nil {
+					debounceTimer.Stop()
+				}
+
+				debounceTimer = time.AfterFunc(debounceDelay, func() {
+					// This runs after the delay with no new events
+					cert, err := tls.LoadX509KeyPair(path+"/tls.crt", path+"/tls.key")
+					if err != nil {
+						logger.Error(err, "Failed to reload TLS certificate")
+						return
+					}
+					certPtr.Store(&cert)
+					traceLogger.Info("Reloaded TLS certificate")
+				})
+
+			case err := <-w.Errors:
+				if err != nil {
+					logger.Error(err, "cert watcher failed")
+				}
+			case <-ctx.Done():
+				return
+			}
+		}
+	}()
+
+	return &CertReloader{cert: certPtr}, nil
+}
+
+func (r *CertReloader) Get() *tls.Certificate {
+	return r.cert.Load()
+}