From 30575d2aeafe5203679a3d1718a3bc4d580cb557 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 1 Feb 2026 10:31:47 +0000
Subject: [PATCH] Add comment explaining locking trade-off in maybeReload

Co-authored-by: rchincha <45800463+rchincha@users.noreply.github.com>
---
 pkg/api/tlscert.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/api/tlscert.go b/pkg/api/tlscert.go
index f34b0fc1..66c32dfa 100644
--- a/pkg/api/tlscert.go
+++ b/pkg/api/tlscert.go
@@ -199,8 +199,11 @@ func (cr *CertReloader) reload() error {
 // This is used as a fallback when fsnotify is not available or fails.
 // Uses time-based caching to avoid excessive file system calls.
 func (cr *CertReloader) maybeReload() error {
-	// Use time-based cache to reduce frequency of stat calls
-	// Check and update lastCheck within the same critical section to avoid race conditions
+	// Use write lock for both check and update to prevent race conditions
+	// While less efficient than RLock+Lock upgrade, this ensures only one goroutine
+	// updates lastCheck at a time, preventing multiple goroutines from bypassing
+	// the cache check simultaneously. Since we have a 1-second cache, this lock
+	// is acquired at most once per second, making the performance impact acceptable.
 	cr.certMu.Lock()
 	if time.Since(cr.lastCheck) < cr.checkCache {
 		// Recently checked, skip stat calls