From 616de99cbb13b5a41fc4e4482b31a7f62ba845ec Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Tue, 9 Jun 2026 11:12:52 +0200
Subject: [PATCH] ROX-34502: read TLS certificates from disk on each gRPC connection attempt
---
 CHANGELOG.md | 1 +
 fact/src/output/grpc.rs | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8853e69b..df3f5633 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ possible include a PR number for easier tracking.
 ## Next
+* ROX-34502: reload mTLS certificates on each gRPC connection attempt (#788)
 * chore: add formatting and linting to integration test code (#783, #784)
 * feat: add code coverage with cargo-llvm-cov and Codecov upload (#745)
diff --git a/fact/src/output/grpc.rs b/fact/src/output/grpc.rs
index 178a4f39..259d6004 100644
--- a/fact/src/output/grpc.rs
+++ b/fact/src/output/grpc.rs
@@ -121,10 +121,12 @@ impl Client {
 }
 async fn run(&mut self) -> anyhow::Result {
- let connector = self.get_connector().await?;
 loop {
+ // Re-read certs on each connection attempt so rotated certificates
+ // on disk are picked up on the next reconnect.
+ let connector = self.get_connector().await?;
 info!("Attempting to connect to gRPC server...");
- let channel = match self.create_channel(connector.clone()).await {
+ let channel = match self.create_channel(connector).await {
 Ok(channel) => channel,
 Err(e) => {
 debug!("Failed to connect to server: {e:?}");
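Review bot: With `self.get_connector().await?` now inside the `loop` in `run`, any error from loading the certificates propagates out of `run` and ends the reconnect loop, whereas a failed `create_channel` is handled in the `Err(e)` arm. If `get_connector` reads the certificate and key files from disk as the new comment says, a reconnect that lands in the middle of a rotation (a file briefly missing, or a new certificate next to the old key) would presumably take this path; what the caller of `run` does with the error is not visible here. Consider handling the load failure in place: log it above debug level so a broken rotation is noticed, wait with the same delay the connection-failure path uses, and retry. The body of `run` and the rest of the `Err(e)` arm continue outside the hunk, so the delay is a placeholder below, and `warn!` is assumed to come from the same logging crate as `info!`/`debug!`.

```rust
loop {
    let connector = match self.get_connector().await {
        Ok(connector) => connector,
        Err(e) => {
            warn!("Failed to load TLS certificates: {e:?}");
            // … same delay as the create_channel failure path (outside the hunk) …
            continue;
        }
    };
    // … unchanged: info! line and the create_channel match …
```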