TLS with optional client auth #584
Removed unused dependency on github.com/negbie/cert.
Removed unused dependencies from go.sum.
Added section on HEP input listeners and configuration options.
Thanks a lot @qnic11. Amazing contribution to this project!

Thanks, team. We'd be thrilled to see this feature implemented; please let us know if there's anything else required from our side. BR - Q.
Pull request overview
This PR adds first-class TLS termination to the HEP TLS listener with support for optional/required client certificate authentication, moving away from the previous auto-generated certificate approach.
Changes:
- Load TLS server certificate/key from configured files and build a reusable tls.Config.
- Add optional mutual-TLS behavior via TLSClientCAFile and TLSRequireClientCert.
- Update configuration schema and README to reflect the new TLS configuration fields and remove the old cert-generation dependency.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| server/tls.go | Replaces cert auto-generation with file-based TLS config loading; adds client-auth options. |
| config/config.go | Replaces TLSCertFolder with TLSCertFile/TLSKeyFile plus client-auth settings. |
| README.md | Documents listener addresses and the new TLS configuration knobs. |
| go.mod | Removes github.com/negbie/cert dependency. |
| go.sum | Removes github.com/negbie/cert checksums. |
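As an added illustration of the client-auth policy the overview describes (no CA file, CA file with optional client certs, CA file with required client certs), this is example code and not code from this PR or from heplify-server; the names TLSOptions, clientAuthMode and buildTLSConfig are assumed for the illustration, and only the config field semantics come from the PR.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// TLSOptions mirrors the config fields shown in the PR (struct name assumed).
type TLSOptions struct {
	CertFile, KeyFile, ClientCAFile string
	RequireClientCert               bool
}

// No CA file: client certs never requested. CA file only: verify a cert if the peer
// presents one (optional mTLS). RequireClientCert: reject handshakes without a valid one.
func clientAuthMode(caFile string, require bool) (tls.ClientAuthType, error) {
	switch {
	case caFile == "" && require:
		return tls.NoClientCert, fmt.Errorf("TLSRequireClientCert needs TLSClientCAFile")
	case caFile == "":
		return tls.NoClientCert, nil
	case require:
		return tls.RequireAndVerifyClientCert, nil
	}
	return tls.VerifyClientCertIfGiven, nil
}

// buildTLSConfig validates the options first, then loads the key pair and CA pool.
func buildTLSConfig(o TLSOptions) (*tls.Config, error) {
	mode, err := clientAuthMode(o.ClientCAFile, o.RequireClientCert)
	if err != nil {
		return nil, err
	}
	cert, err := tls.LoadX509KeyPair(o.CertFile, o.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("load server cert: %w", err)
	}
	// TLS 1.2 floor, matching the PR's TLSMinVersion default of "1.2".
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, ClientAuth: mode}
	if o.ClientCAFile != "" {
		cfg.ClientCAs = x509.NewCertPool()
		pem, err := os.ReadFile(o.ClientCAFile)
		if err != nil || !cfg.ClientCAs.AppendCertsFromPEM(pem) {
			return nil, fmt.Errorf("client CA %s: unreadable or no certificates (%v)", o.ClientCAFile, err)
		}
	}
	return cfg, nil
}
```

An empty or unreadable CA file is rejected up front because a CA pool with no certificates would otherwise fail every presented client certificate at handshake time instead of at startup.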
```go
TLSCertFile string `default:""`
TLSKeyFile string `default:""`
TLSClientCAFile string `default:""`
TLSRequireClientCert bool `default:"false"`
TLSMinVersion string `default:"1.2"`
```
This change removes TLSCertFolder (and the previous auto-generated certificate behavior) in favor of explicit TLSCertFile/TLSKeyFile. That’s a breaking configuration change for existing deployments; consider keeping TLSCertFolder as a deprecated fallback (or adding a clear migration note in docs/release notes) so existing configs don’t silently stop working when HEPTLSAddr is enabled.
@qnic11 Please check the Copilot report for your PR - I think there are some interesting and valid points to check.

@copilot resolve the merge conflicts in this pull request
Hi Team, we've created and tested the attached patch to add TLS termination directly into heplify-server.
We believe this could be a solid starting point to expand TLS-related capabilities over time and give operators more flexibility around protocol and deployment options.
Any feedback or guidance on whether this aligns with your roadmap would be greatly appreciated.