Upgrade sdk for release-1.1 (#1313)

Signed-off-by: Navin Chandra Rai <navinchandrarai444@gmail.com>

go.mod

@@ -41,7 +41,7 @@ require (
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	open-cluster-management.io/addon-framework v1.1.0
 	open-cluster-management.io/api v1.1.0
-	open-cluster-management.io/sdk-go v1.1.0
+	open-cluster-management.io/sdk-go v1.1.1
 	sigs.k8s.io/about-api v0.0.0-20250131010323-518069c31c03
 	sigs.k8s.io/cluster-inventory-api v0.0.0-20240730014211-ef0154379848
 	sigs.k8s.io/controller-runtime v0.21.0

go.sum

@@ -565,8 +565,8 @@ open-cluster-management.io/addon-framework v1.1.0 h1:GoPbg5Q9KEI+Vvgs9PUs2IjIoU/
 open-cluster-management.io/addon-framework v1.1.0/go.mod h1:KPdLM+CfUKgwVuVE9Tyu2nOuD6LgDmx94HOCnJwLIdo=
 open-cluster-management.io/api v1.1.0 h1:fu5xst9T/Ya6o41kqdd0zbNiDU+D3nNMTvoRVeF8j+U=
 open-cluster-management.io/api v1.1.0/go.mod h1:lEc5Wkc9ON5ym/qAtIqNgrE7NW7IEOCOC611iQMlnKM=
-open-cluster-management.io/sdk-go v1.1.0 h1:vYGkoihIVetyVT4ICO7HjoUHsnh6Gf+Da4ZSmWCamhc=
-open-cluster-management.io/sdk-go v1.1.0/go.mod h1:DH4EMNDMiousmaj+noHYQxm48T+dbogiAfALhDnrjMg=
+open-cluster-management.io/sdk-go v1.1.1 h1:J2Iu7Ew5y+sWBXIbYum/XuhRHFsG1OQQxhpvWcNKXjw=
+open-cluster-management.io/sdk-go v1.1.1/go.mod h1:kkw5jJp4y8Ofqpdp1Dj4GKudb5QApwnXriOvEsgn/wE=
 sigs.k8s.io/about-api v0.0.0-20250131010323-518069c31c03 h1:1ShFiMjGQOR/8jTBkmZrk1gORxnvMwm1nOy2/DbHg4U=
 sigs.k8s.io/about-api v0.0.0-20250131010323-518069c31c03/go.mod h1:F1pT4mK53U6F16/zuaPSYpBaR7x5Kjym6aKJJC0/DHU=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=

vendor/modules.txt

@@ -1817,7 +1817,7 @@ open-cluster-management.io/api/operator/v1
 open-cluster-management.io/api/utils/work/v1/workapplier
 open-cluster-management.io/api/work/v1
 open-cluster-management.io/api/work/v1alpha1
-# open-cluster-management.io/sdk-go v1.1.0
+# open-cluster-management.io/sdk-go v1.1.1
 ## explicit; go 1.24.0
 open-cluster-management.io/sdk-go/pkg/apis/cluster/v1alpha1
 open-cluster-management.io/sdk-go/pkg/apis/cluster/v1beta1

vendor/open-cluster-management.io/sdk-go/pkg/server/grpc/options.go

@@ -30,6 +30,7 @@ type GRPCServerOptions struct {
 	ServerPingInterval      time.Duration `json:"server_ping_interval" yaml:"server_ping_interval"`
 	ServerPingTimeout       time.Duration `json:"server_ping_timeout" yaml:"server_ping_timeout"`
 	PermitPingWithoutStream bool          `json:"permit_ping_without_stream" yaml:"permit_ping_without_stream"`
+	CertWatchInterval       time.Duration `json:"cert_watch_interval" yaml:"cert_watch_interval"`
 }
 
 func LoadGRPCServerOptions(configPath string) (*GRPCServerOptions, error) {
@@ -73,6 +74,7 @@ func NewGRPCServerOptions() *GRPCServerOptions {
 		ServerPingTimeout:     10 * time.Second,
 		WriteBufferSize:       32 * 1024,
 		ReadBufferSize:        32 * 1024,
+		CertWatchInterval:     1 * time.Minute, // Default: 1 minute
 	}
 }
 
@@ -92,6 +94,7 @@ func (o *GRPCServerOptions) AddFlags(flags *pflag.FlagSet) {
 	flags.StringVar(&o.TLSCertFile, "grpc-tls-cert-file", o.TLSCertFile, "The path to the tls.crt file")
 	flags.StringVar(&o.TLSKeyFile, "grpc-tls-key-file", o.TLSKeyFile, "The path to the tls.key file")
 	flags.StringVar(&o.ClientCAFile, "grpc-client-ca-file", o.ClientCAFile, "The path to the client ca file, must specify if using mtls authentication type")
+	flags.DurationVar(&o.CertWatchInterval, "grpc-cert-watch-interval", o.CertWatchInterval, "Certificate watch interval for polling certificate file changes")
 }
 
 // Validate checks option ranges and cross-field constraints.
@@ -103,5 +106,9 @@ func (o *GRPCServerOptions) Validate() error {
 	if o.TLSMinVersion > o.TLSMaxVersion {
 		return fmt.Errorf("tls_min_version (%d) must be <= tls_max_version (%d)", o.TLSMinVersion, o.TLSMaxVersion)
 	}
+	// Validate certificate watch interval to prevent time.NewTicker panic
+	if o.CertWatchInterval <= 30*time.Second {
+		return fmt.Errorf("cert_watch_interval (%v) must be greater than 30 seconds", o.CertWatchInterval)
+	}
 	return nil
 }

vendor/open-cluster-management.io/sdk-go/pkg/server/grpc/server.go

@@ -17,6 +17,7 @@ import (
 	"open-cluster-management.io/sdk-go/pkg/server/grpc/authn"
 	"open-cluster-management.io/sdk-go/pkg/server/grpc/authz"
 	"open-cluster-management.io/sdk-go/pkg/server/grpc/metrics"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 
 	"k8s.io/klog/v2"
 )
@@ -79,15 +80,28 @@ func (b *GRPCServer) Run(ctx context.Context) error {
 		Timeout:          b.options.ServerPingTimeout,
 	}))
 
-	// Serve with TLS
-	serverCerts, err := tls.LoadX509KeyPair(b.options.TLSCertFile, b.options.TLSKeyFile)
+	// Serve with TLS - use certwatcher for dynamic certificate reloading
+	certWatcher, err := certwatcher.New(b.options.TLSCertFile, b.options.TLSKeyFile)
 	if err != nil {
-		return fmt.Errorf("failed to load server certificates: %v", err)
+		return fmt.Errorf("failed to create certificate watcher: %v", err)
 	}
+
+	// Configure watch interval from options (default is 1 minute, configurable via --grpc-cert-watch-interval flag or YAML config)
+	certWatcher.WithWatchInterval(b.options.CertWatchInterval)
+
+	// This uses fsnotify for immediate detection + polling fallback
+	go func() {
+		if err := certWatcher.Start(ctx); err != nil {
+			klog.FromContext(ctx).Error(err, "Certificate watcher stopped")
+		}
+	}()
+
 	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{serverCerts},
-		MinVersion:   b.options.TLSMinVersion,
-		MaxVersion:   b.options.TLSMaxVersion,
+		// Use GetCertificate callback from certwatcher
+		// This allows dynamic certificate reloading on each TLS handshake
+		GetCertificate: certWatcher.GetCertificate,
+		MinVersion:     b.options.TLSMinVersion,
+		MaxVersion:     b.options.TLSMaxVersion,
 	}
 
 	if b.options.ClientCAFile != "" {