AthenZ · mlajkim · Mar 29, 2024 · Mar 22, 2024 · Mar 27, 2024 · Mar 27, 2024
diff --git a/pkg/certificate/service.go b/pkg/certificate/service.go
@@ -192,9 +192,11 @@ func New(ctx context.Context, idCfg *config.IdentityConfig) (daemon.Daemon, erro
 			if err != nil {
 				log.Errorf("Failed to retrieve x509 certificate from identity provider: %s", err.Error())
 			}
-			err = idCfg.Reloader.UpdateCertificate([]byte(identity.X509CertificatePEM), keyPEM)
-			if err != nil {
-				log.Errorf("Failed to reload x509 certificate from identity provider: %s", err.Error())
+			if identity != nil && len(keyPEM) != 0 {
+				errUpdate := idCfg.Reloader.UpdateCertificate([]byte(identity.X509CertificatePEM), keyPEM)
+				if errUpdate != nil {
+					log.Errorf("Failed to update x509 certificate into certificate reloader: %s", errUpdate.Error())
+				}
 			}
 		} else if idCfg.KeyFile != "" && idCfg.CertFile != "" {
 			log.Debug("Attempting to load x509 certificate from cert reloader...")
@@ -232,10 +234,11 @@ func New(ctx context.Context, idCfg *config.IdentityConfig) (daemon.Daemon, erro
 					identity = k8sSecretBackupIdentity
 					keyPEM = k8sSecretBackupKeyPEM
 					log.Infof("Successfully loaded x509 certificate from kubernetes secret")
-
-					err = idCfg.Reloader.UpdateCertificate([]byte(identity.X509CertificatePEM), keyPEM)
-					if err != nil {
-						log.Errorf("Failed to reload x509 certificate from identity provider: %s", err.Error())
+					if identity != nil && len(keyPEM) != 0 {
+						errUpdate := idCfg.Reloader.UpdateCertificate([]byte(identity.X509CertificatePEM), keyPEM)
+						if errUpdate != nil {
+							log.Errorf("Failed to update x509 certificate into certificate reloader: %s", errUpdate.Error())
+						}
 					}
 				}
 			} else {
@@ -255,9 +258,12 @@ func New(ctx context.Context, idCfg *config.IdentityConfig) (daemon.Daemon, erro
 			} else {
 				identity = forceInitIdentity
 				keyPEM = forceInitKeyPEM
-				err = idCfg.Reloader.UpdateCertificate([]byte(identity.X509CertificatePEM), keyPEM)
-				if err != nil {
-					log.Errorf("Failed to reload x509 certificate from identity provider: %s", err.Error())
+
+				if identity != nil && len(keyPEM) != 0 {
+					errUpdate := idCfg.Reloader.UpdateCertificate([]byte(identity.X509CertificatePEM), keyPEM)
+					if errUpdate != nil {
+						log.Errorf("Failed to update x509 certificate into certificate reloader: %s", errUpdate.Error())
+					}
 				}
 			}
 		}

diff --git a/pkg/token/service.go b/pkg/token/service.go
@@ -143,7 +143,7 @@ func New(ctx context.Context, idCfg *config.IdentityConfig) (daemon.Daemon, erro
 		return ts, nil
 	}
 	if idCfg.TokenServerAddr == "" || tt == 0 {
-		log.Infof("Token server is disabled due to insufficient options: address[%s], roles[%s], token-type[%s]", idCfg.TokenServerAddr, idCfg.TargetDomainRoles, idCfg.TokenType)
+		log.Infof("Token server is disabled due to insufficient options: address[%s], token-type[%s]", idCfg.TokenServerAddr, idCfg.TokenType)
 		return ts, nil
 	}
 	tokenServer := &http.Server{

diff --git a/pkg/util/tls-reload.go b/pkg/util/tls-reload.go
@@ -168,7 +168,7 @@ func NewCertReloader(config ReloadConfig) (*CertReloader, error) {
 		return nil, err
 	}
 	// If SIA is not issuing certificates, use pollRefresh function to periodically read certificate files and update cert reloader.
-	if config.ProviderService == "" {
+	if config.ProviderService == "" && config.CertFile != "" && config.KeyFile != "" {
 		go r.pollRefresh()
 	}
 	return r, nil