Proposal Details

The current state of the tls.Config.RootCAs presents a challenge when it comes to dynamically reloading the Root Certificate Authorities. The existing approaches involve either disabling automatic certificate and host verification or limiting functionality to non-proxied requests. This proposal seeks to address this limitation by introducing a mechanism for dynamic reloading of Root CAs.

The current workaround for dynamically updating Root CAs involves using the VerifyPeerCertificate, but it requires disabling automatic certificate and host verification by setting the InsecureSkipVerify field to true. This approach might introduce some security risks if the custom implementation is not correct.

Alternatively, a custom TLS Dialer could be used. However, this approach falls short when dealing with proxied requests, limiting its applicability in scenarios where proxies are used.

To enhance the flexibility of TLS configurations, this issue proposes modifying the behaviour of tls.Config.RootCAs to support dynamic reloading by introducing a function similar to GetClientCertificate.

Note that in the past, a similar request was rejected. Since commenting on that issue is disabled, I decided to create a new issue to see if something has changed. Having such a mechanism in the standard library would help the Kubernetes community address kubernetes/kubernetes#119483.

Update:

It largely depends on how the tls.Config.RootCAs is used internally. Another solution would be to accept an interface instead of *x509.CertPool and allow clients to inject a thread-safe implementation, enabling trust reloading.