From 0885d5a3acdcb8d3c13fa475b63a2b4fd1183910 Mon Sep 17 00:00:00 2001
From: Dan Fuhry
Date: Tue, 8 Apr 2025 18:00:50 -0400
Subject: [PATCH] [mtls] use fullchain for leaf and chain when individual files unavailable

Fixes cert loading failures in k8s with certificates from cert-manager
---
 mtls/provider_file.go | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/mtls/provider_file.go b/mtls/provider_file.go
index 284b784..3b2952d 100644
--- a/mtls/provider_file.go
+++ b/mtls/provider_file.go
@@ -118,11 +118,37 @@ func newFileBackedCertificateFromBaseDir(mtlsRootPath string, serviceIdentity st
 logger.V(2).Debugf("trying to load identity %q from root path %q", serviceIdentity, certDirectory)
 leafPath := path.Join(certDirectory, "cert.pem")
+ fullchainPath := path.Join(certDirectory, "fullchain.pem")
 chainPath := path.Join(certDirectory, "chain.pem")
 keyPath := path.Join(certDirectory, "privkey.pem")
 rootPath := path.Join(mtlsRootPath, "rootca.pem")
- for _, file := range []string{leafPath, chainPath, keyPath, rootPath} {
+ if leafErr := fsutil.FileExistsAndIsReadable(leafPath); leafErr != nil {
+ err := fsutil.FileExistsAndIsReadable(fullchainPath)
+ if err == nil {
+ logger.V(2).Debugf("Leaf file %s not accessible, using fullchain %s", leafPath, fullchainPath)
+ leafPath = fullchainPath
+ } else {
+ logger.V(2).Errorf(
+ "cannot load identity %q from %s: cannot read from either possible leaf "+
+ "certificate path:\n %s: %v\n %s: %v",
+ serviceIdentity, certDirectory, leafPath, leafErr, fullchainPath, err)
+ return nil, err
+ }
+ }
+ if chainErr := fsutil.FileExistsAndIsReadable(chainPath); chainErr != nil {
+ err := fsutil.FileExistsAndIsReadable(fullchainPath)
+ if err == nil {
+ logger.V(2).Debugf("Chain file %s not accessible, using fullchain %s", chainPath, fullchainPath)
+ chainPath = fullchainPath
+ } else {
+ logger.V(2).Errorf(
+ "cannot load identity %q from %s: cannot read from either possible "+
+ "intermediate chain path:\n %s: %v\n %s: %v",
+ serviceIdentity, certDirectory, chainPath, chainErr, fullchainPath, err)
+ }
+ }
+ for _, file := range []string{keyPath, rootPath} {
 if err := fsutil.FileExistsAndIsReadable(file); err != nil {
 logger.V(2).Errorf("cannot load identity %q from %s: error reading file %q: %v", serviceIdentity, certDirectory, file, err)
 return nil, err
-- 
2.50.1
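Review bot: The chain fallback's `else` branch logs an error and then falls through, so when neither chain.pem nor fullchain.pem is readable the function continues with chainPath still pointing at the unreadable chain.pem, whereas the leaf branch directly above returns `nil, err` in the same situation and the removed loop also returned on a chain failure. Either add `return nil, err` after the chain Errorf for consistency, or, if a missing chain is now meant to be tolerated, log it below error severity and say so with a comment such as `// chain is optional: fall through with chainPath unreadable and let the loader decide`. When both cert.pem and chain.pem are missing, leafPath and chainPath end up pointing at the same fullchain.pem, so the leaf certificate will also be present in whatever is loaded as the chain; whether the loader tolerates that depends on how it splits a multi-block PEM, which is outside the hunk and worth confirming. The enclosing function starts and ends outside the hunk.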