feat: TLS support (#3862)

* feat: TLS support * add comment * fix comment
2025-08-11 21:27:42 +00:00 · 2022-06-24 14:38:22 +02:00
parent 70a108deeb
commit ed5721d39e
12 changed files with 186 additions and 19 deletions
--- a/internal/config/network/config.go
+++ b/internal/config/network/config.go
@@ -0,0 +1,56 @@
+package network
+
+import (
+	"crypto/tls"
+	"errors"
+	"os"
+)
+
+var (
+	ErrMissingConfig = errors.New("")
+)
+
+type TLS struct {
+	//If enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)
+	//you must then also provide a private key and certificate to be used for the connection
+	//either directly or by a path to the corresponding file
+	Enabled bool
+	//Path to the private key of the TLS certificate, it will be loaded into the Key
+	//and overwrite any exising value
+	KeyPath string
+	//Path to the certificate for the TLS connection, it will be loaded into the Cert
+	//and overwrite any exising value
+	CertPath string
+	//Private key of the TLS certificate (KeyPath will this overwrite, if specified)
+	Key []byte
+	//Certificate for the TLS connection (CertPath will this overwrite, if specified)
+	Cert []byte
+}
+
+func (t *TLS) Config() (_ *tls.Config, err error) {
+	if !t.Enabled {
+		return nil, nil
+	}
+	if t.KeyPath != "" {
+		t.Key, err = os.ReadFile(t.KeyPath)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if t.CertPath != "" {
+		t.Cert, err = os.ReadFile(t.CertPath)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if t.Key == nil || t.Cert == nil {
+		return nil, ErrMissingConfig
+	}
+	tlsCert, err := tls.X509KeyPair(t.Cert, t.Key)
+	if err != nil {
+		return nil, err
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{tlsCert},
+	}, nil
+}