
package network
import (
	"crypto/tls"
	"errors"
	"fmt"
	"os"
)
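// ErrMissingConfig is returned by TLS.Config when TLS is enabled but no
// private key or certificate could be resolved from the configuration.
var ErrMissingConfig = errors.New("TLS is enabled: please specify a key (path) and a cert (path) or disable TLS if needed (e.g. by setting flag `--tlsMode external` or `--tlsMode disabled`)")

// TLS holds the configuration used to terminate TLS for the served traffic.
// When Enabled is true, either the PEM material itself (Key, Cert) or paths
// to PEM files (KeyPath, CertPath) must be supplied.
type TLS struct {
	// If enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC).
	// A private key and certificate must then be provided, either directly
	// (Key, Cert) or as paths to the corresponding PEM files (KeyPath, CertPath).
	Enabled bool
	// Path to the PEM-encoded private key of the TLS certificate. When set,
	// Config loads the file into Key, overwriting any existing value.
	KeyPath string
	// Path to the PEM-encoded certificate for the TLS connection. When set,
	// Config loads the file into Cert, overwriting any existing value.
	CertPath string
	// PEM-encoded private key of the TLS certificate. Overwritten by the
	// contents of KeyPath if that is specified.
	Key []byte
	// PEM-encoded certificate for the TLS connection. Overwritten by the
	// contents of CertPath if that is specified.
	Cert []byte
}

// Config builds the *tls.Config to serve with. It returns (nil, nil) when
// TLS is disabled, so callers must treat a nil config as "serve plaintext".
//
// When KeyPath or CertPath is set, the file is read and its contents replace
// Key or Cert on the receiver (a side effect on t). It returns
// ErrMissingConfig when the key or the certificate is still empty after
// loading, the os.ReadFile error when a file cannot be read, and a wrapped
// tls.X509KeyPair error when the PEM material does not form a valid pair.
func (t *TLS) Config() (*tls.Config, error) {
	if !t.Enabled {
		return nil, nil
	}
	if t.KeyPath != "" {
		key, err := os.ReadFile(t.KeyPath)
		if err != nil {
			return nil, err // *os.PathError already names the path
		}
		t.Key = key
	}
	if t.CertPath != "" {
		cert, err := os.ReadFile(t.CertPath)
		if err != nil {
			return nil, err
		}
		t.Cert = cert
	}
	// len() rather than == nil: an empty (non-nil) slice or an empty file is
	// just as unusable and should produce the configuration error rather
	// than an opaque parse failure from X509KeyPair.
	if len(t.Key) == 0 || len(t.Cert) == 0 {
		return nil, ErrMissingConfig
	}
	tlsCert, err := tls.X509KeyPair(t.Cert, t.Key)
	if err != nil {
		return nil, fmt.Errorf("parsing TLS certificate and key: %w", err)
	}
	return &tls.Config{
		Certificates: []tls.Certificate{tlsCert},
		// With MinVersion left at zero the accepted minimum is the
		// toolchain default, which on older Go releases still allows
		// TLS 1.0/1.1 for servers; pin 1.2 so the floor does not depend
		// on the Go version the binary was built with.
		MinVersion: tls.VersionTLS12,
	}, nil
}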