From 3ddb06dac1e13e40709d06a20aafd4b0f7c0bc1d Mon Sep 17 00:00:00 2001
From: maheshbaliga
Date: Thu, 22 Dec 2022 10:17:45 +0530
Subject: [PATCH] Sidecar: Loads the certificate during startup.
Signed-off-by: maheshbaliga
---
 CHANGELOG.md | 3 +++
 pkg/tls/options.go | 16 +++++++++++-----
 test/e2e/tls_test.go | 12 ++++++++++++
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8e05ad9faf1..2d92da02001 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 ## Unreleased
+### Fixed
+- [#5993] (https://github.com/thanos-io/thanos/pull/5993) Sidecar: Loads the TLS certificate during startup.
+
 ## [v0.30.0](https://github.com/thanos-io/thanos/tree/release-0.30) - in progress.
 ### Fixed
diff --git a/pkg/tls/options.go b/pkg/tls/options.go
index ba032c859c2..362f73740bb 100644
--- a/pkg/tls/options.go
+++ b/pkg/tls/options.go
@@ -17,8 +17,8 @@ import (
 )
 // NewServerConfig provides new server TLS configuration.
-func NewServerConfig(logger log.Logger, cert, key, clientCA string) (*tls.Config, error) {
- if key == "" && cert == "" {
+func NewServerConfig(logger log.Logger, certPath, keyPath, clientCA string) (*tls.Config, error) {
+ if keyPath == "" && certPath == "" {
 if clientCA != "" {
 return nil, errors.New("when a client CA is used a server key and certificate must also be provided")
 }
@@ -29,17 +29,23 @@ func NewServerConfig(logger log.Logger, cert, key, clientCA string) (*tls.Config
 level.Info(logger).Log("msg", "enabling server side TLS")
- if key == "" || cert == "" {
+ if keyPath == "" || certPath == "" {
 return nil, errors.New("both server key and certificate must be provided")
 }
 tlsCfg := &tls.Config{
 MinVersion: tls.VersionTLS13,
 }
+ // Certificate is loaded during server startup to check for any errors.
+ certificate, err := tls.LoadX509KeyPair(certPath, keyPath)
+ if err != nil {
+ return nil, errors.Wrap(err, "server credentials")
+ }
 mngr := &serverTLSManager{
- srvCertPath: cert,
- srvKeyPath: key,
+ srvCertPath: certPath,
+ srvKeyPath: keyPath,
+ srvCert: &certificate,
 }
 tlsCfg.GetCertificate = mngr.getCertificate
diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go
index 8c82064927f..a898e99531b 100644
--- a/test/e2e/tls_test.go
+++ b/test/e2e/tls_test.go
@@ -179,3 +179,15 @@ type ecServer struct {
 func (s *ecServer) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
 return &pb.EchoResponse{Message: req.Message}, nil
 }
+
+func TestInvalidCertAndKey(t *testing.T) {
+ defer leaktest.CheckTimeout(t, 10*time.Second)()
+ logger := log.NewLogfmtLogger(os.Stderr)
+ tmpDirSrv := t.TempDir()
+ caSrv := filepath.Join(tmpDirSrv, "ca")
+ certSrv := filepath.Join(tmpDirSrv, "cert")
+ keySrv := filepath.Join(tmpDirSrv, "key")
+ // Certificate and key are not present in the above path
+ _, err := thTLS.NewServerConfig(logger, certSrv, keySrv, caSrv)
+ testutil.NotOk(t, err)
+}
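Review bot: The startup load added just before `mngr := &serverTLSManager{` proves only that the PEM parses and that the key matches the certificate; `tls.LoadX509KeyPair` never looks at the validity period, so an expired or not-yet-valid certificate still passes the check that the comment `// Certificate is loaded during server startup to check for any errors.` promises, and the failure surfaces only when clients reject the handshake. Parsing the leaf once here and rejecting a certificate whose NotBefore/NotAfter window does not cover the current time closes that gap at no extra cost; it needs `crypto/x509` and `time` in the import block, which lies outside this hunk. If `serverTLSManager.getCertificate` (not visible here) reloads the files when they change, a logged warning rather than a hard error may fit certificate rotation better — worth confirming against the manager before picking one. NewServerConfig continues past the end of the hunk.
```go
	// Certificate is loaded during server startup to check for any errors.
	certificate, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return nil, errors.Wrap(err, "server credentials")
	}
	// LoadX509KeyPair guarantees at least one certificate and a matching key,
	// but says nothing about the validity window; fail fast on that too.
	leaf, err := x509.ParseCertificate(certificate.Certificate[0])
	if err != nil {
		return nil, errors.Wrap(err, "parsing server certificate")
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, errors.Errorf("server certificate is not valid at %s (NotBefore=%s, NotAfter=%s)", now.UTC(), leaf.NotBefore, leaf.NotAfter)
	}
	// … unchanged: serverTLSManager construction and GetCertificate wiring …
```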
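Review bot: TestInvalidCertAndKey only asserts `testutil.NotOk(t, err)` while also passing `caSrv`, a path that does not exist either, so the test cannot distinguish a failure of the new `tls.LoadX509KeyPair` call from a failure of the client-CA handling elsewhere in NewServerConfig (not visible in this patch); the name also promises an invalid pair, but the fixture is a missing one. Passing an empty client CA isolates the code path under test, `_, err := thTLS.NewServerConfig(logger, certSrv, keySrv, "")`, and checking that `err.Error()` contains the `server credentials` wrap added in options.go pins the failure to the startup load. A second case that writes a certificate and a key that do not belong to each other into the temp dir would exercise the mismatch rejection that LoadX509KeyPair actually adds, which a nonexistent file never reaches.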