Remove code related to deprecated config params logLevel and HTTP networking

2026-01-04 12:14:24 +00:00 · 2024-04-26 11:50:00 -05:00
parent 5ec1ee086d
commit d67238d46f
9 changed files with 69 additions and 413 deletions
--- a/internal/config/concierge/config.go
+++ b/internal/config/concierge/config.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package concierge contains functionality to load/store Config's from/to
@@ -79,7 +79,6 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 		return nil, fmt.Errorf("validate names: %w", err)
 	}

-	plog.MaybeSetDeprecatedLogLevel(config.LogLevel, &config.Log)
 	if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, config.Log); err != nil {
 		return nil, fmt.Errorf("validate log level: %w", err)
 	}
--- a/internal/config/concierge/config_test.go
+++ b/internal/config/concierge/config_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package concierge
@@ -57,7 +57,8 @@ func TestFromPath(t *testing.T) {
 				  namePrefix: kube-cert-agent-name-prefix-
 				  image: kube-cert-agent-image
 				  imagePullSecrets: [kube-cert-agent-image-pull-secret]
-				logLevel: debug
+				log:
+				  level: debug
 			`),
 			wantConfig: &Config{
 				DiscoveryInfo: DiscoveryInfoSpec{
@@ -94,7 +95,6 @@ func TestFromPath(t *testing.T) {
 					Image:            ptr.To("kube-cert-agent-image"),
 					ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 				},
-				LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelDebug),
 				Log: plog.LogSpec{
 					Level: plog.LevelDebug,
 				},
@@ -215,7 +215,6 @@ func TestFromPath(t *testing.T) {
 				  namePrefix: kube-cert-agent-name-prefix-
 				  image: kube-cert-agent-image
 				  imagePullSecrets: [kube-cert-agent-image-pull-secret]
-				logLevel: debug
 				log:
 				  level: all
 				  format: json
@@ -255,9 +254,8 @@ func TestFromPath(t *testing.T) {
 					Image:            ptr.To("kube-cert-agent-image"),
 					ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 				},
-				LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelDebug),
 				Log: plog.LogSpec{
-					Level:  plog.LevelDebug,
+					Level:  plog.LevelAll,
 					Format: plog.FormatJSON,
 				},
 			},
--- a/internal/config/concierge/types.go
+++ b/internal/config/concierge/types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package concierge
@@ -15,9 +15,7 @@ type Config struct {
 	NamesConfig                  NamesConfigSpec   `json:"names"`
 	KubeCertAgentConfig          KubeCertAgentSpec `json:"kubeCertAgent"`
 	Labels                       map[string]string `json:"labels"`
-	// Deprecated: use log.level instead
-	LogLevel *plog.LogLevel `json:"logLevel"`
-	Log      plog.LogSpec   `json:"log"`
+	Log                          plog.LogSpec      `json:"log"`
 }

 // DiscoveryInfoSpec contains configuration knobs specific to
--- a/internal/config/supervisor/config.go
+++ b/internal/config/supervisor/config.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package supervisor contains functionality to load/store Config's from/to
@@ -66,7 +66,6 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 		return nil, fmt.Errorf("validate names: %w", err)
 	}

-	plog.MaybeSetDeprecatedLogLevel(config.LogLevel, &config.Log)
 	if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, config.Log); err != nil {
 		return nil, fmt.Errorf("validate log level: %w", err)
 	}
@@ -80,23 +79,10 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 		Network: NetworkTCP,
 		Address: ":8443",
 	})
-	maybeSetEndpointDefault(&config.Endpoints.HTTP, Endpoint{
-		Network: NetworkDisabled,
-	})

 	if err := validateEndpoint(*config.Endpoints.HTTPS); err != nil {
 		return nil, fmt.Errorf("validate https endpoint: %w", err)
 	}
-	if err := validateEndpoint(*config.Endpoints.HTTP); err != nil {
-		return nil, fmt.Errorf("validate http endpoint: %w", err)
-	}
-	if err := validateAdditionalHTTPEndpointRequirements(*config.Endpoints.HTTP, config.AllowExternalHTTP); err != nil {
-		return nil, fmt.Errorf("validate http endpoint: %w", err)
-	}
-	if err := validateAtLeastOneEnabledEndpoint(*config.Endpoints.HTTPS, *config.Endpoints.HTTP); err != nil {
-		return nil, fmt.Errorf("validate endpoints: %w", err)
-	}
-
 	return &config, nil
 }

@@ -142,42 +128,12 @@ func validateEndpoint(endpoint Endpoint) error {
 		}
 		return nil
 	case NetworkDisabled:
-		if len(endpoint.Address) != 0 {
-			return fmt.Errorf("address set to %q when disabled, should be empty", endpoint.Address)
-		}
-		return nil
+		return fmt.Errorf("must not be disabled")
 	default:
 		return fmt.Errorf("unknown network %q", n)
 	}
 }

-func validateAdditionalHTTPEndpointRequirements(endpoint Endpoint, allowExternalHTTP stringOrBoolAsBool) error {
-	if endpoint.Network == NetworkTCP && !addrIsOnlyOnLoopback(endpoint.Address) {
-		if allowExternalHTTP {
-			// Log that the validation should have been triggered.
-			plog.Warning("Listening on non-loopback interfaces for the HTTP port is deprecated and will be removed " +
-				"in a future release. Your current configuration would not be allowed in that future release. " +
-				"Please see comments in deploy/supervisor/values.yaml and review your settings.")
-			// Skip enforcement of the validation.
-			return nil
-		}
-		return fmt.Errorf(
-			"http listener address %q for %q network may only bind to loopback interfaces",
-			endpoint.Address,
-			endpoint.Network)
-	}
-	return nil
-}
-
-func validateAtLeastOneEnabledEndpoint(endpoints ...Endpoint) error {
-	for _, endpoint := range endpoints {
-		if endpoint.Network != NetworkDisabled {
-			return nil
-		}
-	}
-	return constable.Error("all endpoints are disabled")
-}
-
 // For tcp networks, the address can be in several formats: host:port, host:, and :port.
 // See address description in https://pkg.go.dev/net#Listen and https://pkg.go.dev/net#Dial.
 // The host may be a literal IP address, or a host name that can be resolved to IP addresses,
--- a/internal/config/supervisor/config_test.go
+++ b/internal/config/supervisor/config_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package supervisor
@@ -24,7 +24,7 @@ func TestFromPath(t *testing.T) {
 		wantError  string
 	}{
 		{
-			name: "Happy",
+			name: "Happy (with new log field)",
 			yaml: here.Doc(`
 				---
 				apiGroupSuffix: some.suffix.com
@@ -37,58 +37,6 @@ func TestFromPath(t *testing.T) {
 				  https:
 				    network: unix
 				    address: :1234
-				  http:
-				    network: tcp
-					address: 127.0.0.1:1234
-				insecureAcceptExternalUnencryptedHttpRequests: false
-				logLevel: trace
-				aggregatedAPIServerPort: 12345
-			`),
-			wantConfig: &Config{
-				APIGroupSuffix: ptr.To("some.suffix.com"),
-				Labels: map[string]string{
-					"myLabelKey1": "myLabelValue1",
-					"myLabelKey2": "myLabelValue2",
-				},
-				NamesConfig: NamesConfigSpec{
-					DefaultTLSCertificateSecret: "my-secret-name",
-				},
-				Endpoints: &Endpoints{
-					HTTPS: &Endpoint{
-						Network: "unix",
-						Address: ":1234",
-					},
-					HTTP: &Endpoint{
-						Network: "tcp",
-						Address: "127.0.0.1:1234",
-					},
-				},
-				AllowExternalHTTP: false,
-				LogLevel:          func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelTrace),
-				Log: plog.LogSpec{
-					Level: plog.LevelTrace,
-				},
-				AggregatedAPIServerPort: ptr.To[int64](12345),
-			},
-		},
-		{
-			name: "Happy with new log field",
-			yaml: here.Doc(`
-				---
-				apiGroupSuffix: some.suffix.com
-				labels:
-				  myLabelKey1: myLabelValue1
-				  myLabelKey2: myLabelValue2
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  https:
-				    network: unix
-				    address: :1234
-				  http:
-				    network: tcp
-				    address: 127.0.0.1:1234
-				insecureAcceptExternalUnencryptedHttpRequests: false
 				log:
 				  level: info
 				  format: text
@@ -108,12 +56,7 @@ func TestFromPath(t *testing.T) {
 						Network: "unix",
 						Address: ":1234",
 					},
-					HTTP: &Endpoint{
-						Network: "tcp",
-						Address: "127.0.0.1:1234",
-					},
 				},
-				AllowExternalHTTP: false,
 				Log: plog.LogSpec{
 					Level:  plog.LevelInfo,
 					Format: plog.FormatText,
@@ -121,57 +64,6 @@ func TestFromPath(t *testing.T) {
 				AggregatedAPIServerPort: ptr.To[int64](12345),
 			},
 		},
-		{
-			name: "Happy with old and new log field",
-			yaml: here.Doc(`
-				---
-				apiGroupSuffix: some.suffix.com
-				labels:
-				  myLabelKey1: myLabelValue1
-				  myLabelKey2: myLabelValue2
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  https:
-				    network: unix
-				    address: :1234
-				  http:
-				    network: tcp
-				    address: 127.0.0.1:1234
-				insecureAcceptExternalUnencryptedHttpRequests: false
-				logLevel: trace
-				log:
-				  level: info
-				  format: text
-			`),
-			wantConfig: &Config{
-				APIGroupSuffix: ptr.To("some.suffix.com"),
-				Labels: map[string]string{
-					"myLabelKey1": "myLabelValue1",
-					"myLabelKey2": "myLabelValue2",
-				},
-				NamesConfig: NamesConfigSpec{
-					DefaultTLSCertificateSecret: "my-secret-name",
-				},
-				Endpoints: &Endpoints{
-					HTTPS: &Endpoint{
-						Network: "unix",
-						Address: ":1234",
-					},
-					HTTP: &Endpoint{
-						Network: "tcp",
-						Address: "127.0.0.1:1234",
-					},
-				},
-				AllowExternalHTTP: false,
-				LogLevel:          func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelTrace),
-				Log: plog.LogSpec{
-					Level:  plog.LevelTrace,
-					Format: plog.FormatText,
-				},
-				AggregatedAPIServerPort: ptr.To[int64](10250),
-			},
-		},
 		{
 			name: "bad log format",
 			yaml: here.Doc(`
@@ -202,11 +94,7 @@ func TestFromPath(t *testing.T) {
 						Network: "tcp",
 						Address: ":8443",
 					},
-					HTTP: &Endpoint{
-						Network: "disabled",
-					},
 				},
-				AllowExternalHTTP:       false,
 				AggregatedAPIServerPort: ptr.To[int64](10250),
 			},
 		},
@@ -219,10 +107,8 @@ func TestFromPath(t *testing.T) {
 				endpoints:
 				  https:
 				    network: disabled
-				  http:
-				    network: disabled
 			`),
-			wantError: "validate endpoints: all endpoints are disabled",
+			wantError: "validate https endpoint: must not be disabled",
 		},
 		{
 			name: "invalid https endpoint",
@@ -238,141 +124,6 @@ func TestFromPath(t *testing.T) {
 			`),
 			wantError: `validate https endpoint: unknown network "foo"`,
 		},
-		{
-			name: "invalid http endpoint",
-			yaml: here.Doc(`
-				---
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  https:
-				    network: disabled
-				  http:
-				    network: bar
-			`),
-			wantError: `validate http endpoint: unknown network "bar"`,
-		},
-		{
-			name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests missing",
-			yaml: here.Doc(`
-				---
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  https:
-				    network: disabled
-				  http:
-				    network: tcp
-					address: :8080
-			`),
-			wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
-		},
-		{
-			name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to boolean false",
-			yaml: here.Doc(`
-				---
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  https:
-				    network: disabled
-				  http:
-				    network: tcp
-					address: :8080
-				insecureAcceptExternalUnencryptedHttpRequests: false
-			`),
-			wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
-		},
-		{
-			name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to unsupported value",
-			yaml: here.Doc(`
-				---
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				insecureAcceptExternalUnencryptedHttpRequests: "garbage" # this will be treated as the default, which is false
-			`),
-			wantError: `decode yaml: error unmarshaling JSON: while decoding JSON: invalid value for boolean`,
-		},
-		{
-			name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to string false",
-			yaml: here.Doc(`
-				---
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  https:
-				    network: disabled
-				  http:
-				    network: tcp
-					address: :8080
-				insecureAcceptExternalUnencryptedHttpRequests: "false"
-			`),
-			wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
-		},
-		{
-			name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to boolean true",
-			yaml: here.Doc(`
-				---
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  http:
-				    network: tcp
-					address: :1234
-				insecureAcceptExternalUnencryptedHttpRequests: true
-			`),
-			wantConfig: &Config{
-				APIGroupSuffix: ptr.To("pinniped.dev"),
-				Labels:         map[string]string{},
-				NamesConfig: NamesConfigSpec{
-					DefaultTLSCertificateSecret: "my-secret-name",
-				},
-				Endpoints: &Endpoints{
-					HTTPS: &Endpoint{
-						Network: "tcp",
-						Address: ":8443",
-					},
-					HTTP: &Endpoint{
-						Network: "tcp",
-						Address: ":1234",
-					},
-				},
-				AllowExternalHTTP:       true,
-				AggregatedAPIServerPort: ptr.To[int64](10250),
-			},
-		},
-		{
-			name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to string true",
-			yaml: here.Doc(`
-				---
-				names:
-				  defaultTLSCertificateSecret: my-secret-name
-				endpoints:
-				  http:
-				    network: tcp
-					address: :1234
-				insecureAcceptExternalUnencryptedHttpRequests: "true"
-			`),
-			wantConfig: &Config{
-				APIGroupSuffix: ptr.To("pinniped.dev"),
-				Labels:         map[string]string{},
-				NamesConfig: NamesConfigSpec{
-					DefaultTLSCertificateSecret: "my-secret-name",
-				},
-				Endpoints: &Endpoints{
-					HTTPS: &Endpoint{
-						Network: "tcp",
-						Address: ":8443",
-					},
-					HTTP: &Endpoint{
-						Network: "tcp",
-						Address: ":1234",
-					},
-				},
-				AllowExternalHTTP:       true,
-				AggregatedAPIServerPort: ptr.To[int64](10250),
-			},
-		},
 		{
 			name: "endpoint disabled with non-empty address",
 			yaml: here.Doc(`
@@ -384,7 +135,7 @@ func TestFromPath(t *testing.T) {
 				    network: disabled
 				    address: wee
 			`),
-			wantError: `validate https endpoint: address set to "wee" when disabled, should be empty`,
+			wantError: `validate https endpoint: must not be disabled`,
 		},
 		{
 			name: "endpoint tcp with empty address",
@@ -393,10 +144,10 @@ func TestFromPath(t *testing.T) {
 				names:
 				  defaultTLSCertificateSecret: my-secret-name
 				endpoints:
-				  http:
+				  https:
 				    network: tcp
 			`),
-			wantError: `validate http endpoint: address must be set with "tcp" network`,
+			wantError: `validate https endpoint: address must be set with "tcp" network`,
 		},
 		{
 			name: "endpoint unix with empty address",
--- a/internal/config/supervisor/types.go
+++ b/internal/config/supervisor/types.go
@@ -1,25 +1,20 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package supervisor

 import (
-	"errors"
-
 	"go.pinniped.dev/internal/plog"
 )

 // Config contains knobs to setup an instance of the Pinniped Supervisor.
 type Config struct {
-	APIGroupSuffix *string           `json:"apiGroupSuffix,omitempty"`
-	Labels         map[string]string `json:"labels"`
-	NamesConfig    NamesConfigSpec   `json:"names"`
-	// Deprecated: use log.level instead
-	LogLevel                *plog.LogLevel     `json:"logLevel"`
-	Log                     plog.LogSpec       `json:"log"`
-	Endpoints               *Endpoints         `json:"endpoints"`
-	AllowExternalHTTP       stringOrBoolAsBool `json:"insecureAcceptExternalUnencryptedHttpRequests"`
-	AggregatedAPIServerPort *int64             `json:"aggregatedAPIServerPort"`
+	APIGroupSuffix          *string           `json:"apiGroupSuffix,omitempty"`
+	Labels                  map[string]string `json:"labels"`
+	NamesConfig             NamesConfigSpec   `json:"names"`
+	Log                     plog.LogSpec      `json:"log"`
+	Endpoints               *Endpoints        `json:"endpoints"`
+	AggregatedAPIServerPort *int64            `json:"aggregatedAPIServerPort"`
 }

 // NamesConfigSpec configures the names of some Kubernetes resources for the Supervisor.
@@ -30,24 +25,9 @@ type NamesConfigSpec struct {

 type Endpoints struct {
 	HTTPS *Endpoint `json:"https,omitempty"`
-	HTTP  *Endpoint `json:"http,omitempty"`
 }

 type Endpoint struct {
 	Network string `json:"network"`
 	Address string `json:"address"`
 }
-
-type stringOrBoolAsBool bool
-
-func (sb *stringOrBoolAsBool) UnmarshalJSON(b []byte) error {
-	switch string(b) {
-	case "true", `"true"`:
-		*sb = true
-	case "false", `"false"`:
-		*sb = false
-	default:
-		return errors.New("invalid value for boolean")
-	}
-	return nil
-}
--- a/internal/plog/config.go
+++ b/internal/plog/config.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package plog
@@ -50,13 +50,6 @@ type LogSpec struct {
 	Format LogFormat `json:"format,omitempty"`
 }

-func MaybeSetDeprecatedLogLevel(level *LogLevel, log *LogSpec) {
-	if level != nil {
-		Warning("logLevel is deprecated, set log.level instead")
-		log.Level = *level
-	}
-}
-
 func ValidateAndSetLogLevelAndFormatGlobally(ctx context.Context, spec LogSpec) error {
 	klogLevel := klogLevelForPlogLevel(spec.Level)
 	if klogLevel < 0 {
--- a/internal/plog/config_test.go
+++ b/internal/plog/config_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package plog
@@ -166,7 +166,7 @@ testing.tRunner
 	// check for the deprecation warning
 	require.True(t, scanner.Scan())
 	require.NoError(t, scanner.Err())
-	require.Equal(t, fmt.Sprintf(`I1121 23:37:26.953313%8d config.go:96] "setting log.format to 'text' is deprecated - this option will be removed in a future release" warning=true`,
+	require.Equal(t, fmt.Sprintf(`I1121 23:37:26.953313%8d config.go:89] "setting log.format to 'text' is deprecated - this option will be removed in a future release" warning=true`,
 		pid), scanner.Text())

 	Debug("what is happening", "does klog", "work?")
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -508,80 +508,61 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 		return fmt.Errorf("could not create aggregated API server: %w", err)
 	}

-	if e := cfg.Endpoints.HTTP; e.Network != supervisor.NetworkDisabled {
-		finishSetupPerms := maybeSetupUnixPerms(e, supervisorPod)
+	finishSetupPerms := maybeSetupUnixPerms(cfg.Endpoints.HTTPS, supervisorPod)

-		httpListener, err := net.Listen(e.Network, e.Address)
-		if err != nil {
-			return fmt.Errorf("cannot create http listener with network %q and address %q: %w", e.Network, e.Address, err)
-		}
-
-		if err := finishSetupPerms(); err != nil {
-			return fmt.Errorf("cannot setup http listener permissions for network %q and address %q: %w", e.Network, e.Address, err)
-		}
-
-		defer func() { _ = httpListener.Close() }()
-		startServer(ctx, shutdown, httpListener, oidProvidersManager)
-		plog.Debug("supervisor http listener started", "address", httpListener.Addr().String())
+	bootstrapCert, err := getBootstrapCert() // generate this in-memory once per process startup
+	if err != nil {
+		return fmt.Errorf("https listener bootstrap error: %w", err)
 	}

-	if e := cfg.Endpoints.HTTPS; e.Network != supervisor.NetworkDisabled { //nolint:nestif
-		finishSetupPerms := maybeSetupUnixPerms(e, supervisorPod)
+	c := ptls.Default(nil)
+	c.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		cert := dynamicTLSCertProvider.GetTLSCert(strings.ToLower(info.ServerName))
+		foundServerNameCert := cert != nil

-		bootstrapCert, err := getBootstrapCert() // generate this in-memory once per process startup
-		if err != nil {
-			return fmt.Errorf("https listener bootstrap error: %w", err)
+		defaultCert := dynamicTLSCertProvider.GetDefaultTLSCert()
+
+		if !foundServerNameCert {
+			cert = defaultCert
 		}

-		c := ptls.Default(nil)
-		c.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			cert := dynamicTLSCertProvider.GetTLSCert(strings.ToLower(info.ServerName))
-			foundServerNameCert := cert != nil
-
-			defaultCert := dynamicTLSCertProvider.GetDefaultTLSCert()
-
-			if !foundServerNameCert {
-				cert = defaultCert
-			}
-
-			// If we still don't have a cert for the request at this point, then using the bootstrapping cert,
-			// but in that case also set the request to fail unless it is a health check request.
-			usingBootstrapCert := false
-			if cert == nil {
-				usingBootstrapCert = true
-				setIsBootstrapConn(info.Context()) // make this connection only work for bootstrap requests
-				cert = bootstrapCert
-			}
-
-			// Emit logs visible at a higher level of logging than the default. Using Info level so the user
-			// can safely configure a production Supervisor to show this message if they choose.
-			plog.Info("choosing TLS cert for incoming request",
-				"requestSNIServerName", info.ServerName,
-				"foundCertForSNIServerNameFromFederationDomain", foundServerNameCert,
-				"foundDefaultCertFromSecret", defaultCert != nil,
-				"defaultCertSecretName", cfg.NamesConfig.DefaultTLSCertificateSecret,
-				"servingBootstrapHealthzCert", usingBootstrapCert,
-				"requestLocalAddr", info.Conn.LocalAddr().String(),
-				"requestRemoteAddr", info.Conn.RemoteAddr().String(),
-			)
-
-			return cert, nil
+		// If we still don't have a cert for the request at this point, then using the bootstrapping cert,
+		// but in that case also set the request to fail unless it is a health check request.
+		usingBootstrapCert := false
+		if cert == nil {
+			usingBootstrapCert = true
+			setIsBootstrapConn(info.Context()) // make this connection only work for bootstrap requests
+			cert = bootstrapCert
 		}

-		httpsListener, err := tls.Listen(e.Network, e.Address, c)
-		if err != nil {
-			return fmt.Errorf("cannot create https listener with network %q and address %q: %w", e.Network, e.Address, err)
-		}
+		// Emit logs visible at a higher level of logging than the default. Using Info level so the user
+		// can safely configure a production Supervisor to show this message if they choose.
+		plog.Info("choosing TLS cert for incoming request",
+			"requestSNIServerName", info.ServerName,
+			"foundCertForSNIServerNameFromFederationDomain", foundServerNameCert,
+			"foundDefaultCertFromSecret", defaultCert != nil,
+			"defaultCertSecretName", cfg.NamesConfig.DefaultTLSCertificateSecret,
+			"servingBootstrapHealthzCert", usingBootstrapCert,
+			"requestLocalAddr", info.Conn.LocalAddr().String(),
+			"requestRemoteAddr", info.Conn.RemoteAddr().String(),
+		)

-		if err := finishSetupPerms(); err != nil {
-			return fmt.Errorf("cannot setup https listener permissions for network %q and address %q: %w", e.Network, e.Address, err)
-		}
-
-		defer func() { _ = httpsListener.Close() }()
-		startServer(ctx, shutdown, httpsListener, oidProvidersManager)
-		plog.Debug("supervisor https listener started", "address", httpsListener.Addr().String())
+		return cert, nil
 	}

+	httpsListener, err := tls.Listen(cfg.Endpoints.HTTPS.Network, cfg.Endpoints.HTTPS.Address, c)
+	if err != nil {
+		return fmt.Errorf("cannot create https listener with network %q and address %q: %w", cfg.Endpoints.HTTPS.Network, cfg.Endpoints.HTTPS.Address, err)
+	}
+
+	if err := finishSetupPerms(); err != nil {
+		return fmt.Errorf("cannot setup https listener permissions for network %q and address %q: %w", cfg.Endpoints.HTTPS.Network, cfg.Endpoints.HTTPS.Address, err)
+	}
+
+	defer func() { _ = httpsListener.Close() }()
+	startServer(ctx, shutdown, httpsListener, oidProvidersManager)
+	plog.Debug("supervisor https listener started", "address", httpsListener.Addr().String())
+
 	plog.Debug("supervisor started")
 	defer plog.Debug("supervisor exiting")