Try to use the systemd runtime directory for certs

stephank · stephank · commit 050b0f9c7a16 · 2025-04-09T15:34:02.000+02:00
diff --git a/internal/caddy/global/tls.go b/internal/caddy/global/tls.go
@@ -40,7 +40,7 @@ func (p TLSPlugin) GlobalHandler(config *converter.Config, store *store.Store) e
 	}
 
 	if len(hosts) > 0 {
-		tlsApp.CertificatesRaw["load_folders"] = json.RawMessage(`["` + controller.CertFolder + `"]`)
+		tlsApp.CertificatesRaw["load_folders"] = json.RawMessage(`["` + controller.GetCertFolder() + `"]`)
 		// do not manage certificates for those hosts
 		httpServer.AutoHTTPS.SkipCerts = hosts
 	}
diff --git a/internal/controller/action_tls.go b/internal/controller/action_tls.go
@@ -8,7 +8,21 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 )
 
-var CertFolder = filepath.FromSlash("/etc/caddy/certs")
+var certFolder = ""
+
+// GetCertFolder returns the staging path for storing certificates as files.
+func GetCertFolder() string {
+	if certFolder == "" {
+		// Use the systemd cache directory if possible.
+		runtimeDir := os.Getenv("RUNTIME_DIRECTORY")
+		if runtimeDir != "" {
+			certFolder = filepath.Join(runtimeDir, "certs")
+		} else {
+			certFolder = filepath.FromSlash("/etc/caddy/certs")
+		}
+	}
+	return certFolder
+}
 
 // SecretAddedAction provides an implementation of the action interface.
 type SecretAddedAction struct {
@@ -60,7 +74,7 @@ func writeFile(s *apiv1.Secret) error {
 		content = append(content, cert...)
 	}
 
-	err := os.WriteFile(filepath.Join(CertFolder, s.Name+".pem"), content, 0644)
+	err := os.WriteFile(filepath.Join(GetCertFolder(), s.Name+".pem"), content, 0644)
 	if err != nil {
 		return err
 	}
@@ -80,13 +94,17 @@ func (r SecretUpdatedAction) handle(c *CaddyController) error {
 
 func (r SecretDeletedAction) handle(c *CaddyController) error {
 	c.logger.Infof("TLS secret deleted (%s/%s)", r.resource.Namespace, r.resource.Name)
-	return os.Remove(filepath.Join(CertFolder, r.resource.Name+".pem"))
+	return os.Remove(filepath.Join(GetCertFolder(), r.resource.Name+".pem"))
 }
 
 // watchTLSSecrets Start listening to TLS secrets if at least one ingress needs it.
 // It will sync the CertFolder with TLS secrets
 func (c *CaddyController) watchTLSSecrets() error {
 	if c.informers.TLSSecret == nil && c.resourceStore.HasManagedTLS() {
+		if err := os.MkdirAll(GetCertFolder(), 0755); err != nil && !os.IsExist(err) {
+			return err
+		}
+
 		// Init informers
 		params := k8s.TLSSecretParams{
 			InformerFactory: c.factories.WatchedNamespace,
@@ -106,13 +124,6 @@ func (c *CaddyController) watchTLSSecrets() error {
 			return err
 		}
 
-		if _, err := os.Stat(CertFolder); os.IsNotExist(err) {
-			err = os.MkdirAll(CertFolder, 0755)
-			if err != nil {
-				return err
-			}
-		}
-
 		for _, secret := range secrets {
 			if err := writeFile(secret); err != nil {
 				return err

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func (p TLSPlugin) GlobalHandler(config converter.Config, store store.Store) e`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`if len(hosts) > 0 {`
`43`		- tlsApp.CertificatesRaw["load_folders"] = json.RawMessage(`["` + controller.CertFolder + `"]`)
	`43`	+ tlsApp.CertificatesRaw["load_folders"] = json.RawMessage(`["` + controller.GetCertFolder() + `"]`)
`44`	`44`	`// do not manage certificates for those hosts`
`45`	`45`	`httpServer.AutoHTTPS.SkipCerts = hosts`
`46`	`46`	`}`