3636ErrNoListeners = errors .New ("no web listen address or systemd socket flag specified" )
3737)
3838
39+ type SecretReader interface {
40+ ReadSecret (path string ) ([]byte ,error )
41+ }
42+
43+ type fileReader struct {}
44+
45+ func (f * fileReader )ReadSecret (path string ) ([]byte ,error ) {
46+ return os .ReadFile (path )
47+ }
48+
3949type Config struct {
4050TLSConfig TLSConfig `yaml:"tls_server_config"`
4151HTTPConfig HTTPConfig `yaml:"http_server_config"`
@@ -52,6 +62,8 @@ type TLSConfig struct {
5262MinVersion TLSVersion `yaml:"min_version"`
5363MaxVersion TLSVersion `yaml:"max_version"`
5464PreferServerCipherSuites bool `yaml:"prefer_server_cipher_suites"`
65+
66+ Reader SecretReader `yaml:"-"`
5567}
5668
5769type FlagConfig struct {
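Review bot: The new exported `Reader` field on TLSConfig (line 66) has no doc comment, and because it carries `yaml:"-"` a reader of the struct cannot tell from here that it is programmatic-only or what happens when it is left nil. The later hunk in ConfigToTLSConfig shows the nil fallback to a file-backed reader, so that contract is worth stating on the field: `// Reader, when non-nil, is used to read the certificate, key and client CA files; nil falls back to reading them from disk. It cannot be set from YAML.` The TLSConfig struct opens before this hunk.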
@@ -115,12 +127,26 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
115127return nil ,errors .New ("missing key_file" )
116128}
117129
130+ reader := c .Reader
131+ if reader == nil {
132+ reader = & fileReader {}
133+ }
134+
118135loadCert := func () (* tls.Certificate ,error ) {
119- cert ,err := tls .LoadX509KeyPair (c .TLSCertPath ,c .TLSKeyPath )
136+ cert ,err := reader .ReadSecret (c .TLSCertPath )
137+ if err != nil {
138+ return nil ,fmt .Errorf ("error loading cert: %w" ,err )
139+ }
140+ key ,err := reader .ReadSecret (c .TLSKeyPath )
141+ if err != nil {
142+ return nil ,fmt .Errorf ("error loading key: %w" ,err )
143+ }
144+
145+ tlsCert ,err := tls .X509KeyPair (cert ,key )
120146if err != nil {
121147return nil ,fmt .Errorf ("failed to load X509KeyPair: %w" ,err )
122148}
123- return & cert ,nil
149+ return & tlsCert ,nil
124150}
125151
126152// Confirm that certificate and key paths are valid.
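Review bot: The wrapped errors on lines 138 and 140 say only "cert" or "key" and rely on the underlying error to name the file, which holds for the default fileReader (os.ReadFile returns a PathError) but not for a caller-supplied SecretReader, so a misconfigured path may become undiagnosable once the new abstraction is used. Including the path in this layer's context keeps the diagnostic independent of the reader: `return nil, fmt.Errorf("failed to load certificate %q: %w", c.TLSCertPath, err)` and `return nil, fmt.Errorf("failed to load key %q: %w", c.TLSKeyPath, err)`, which also matches the existing "failed to load X509KeyPair" wording on line 147. The same applies to the client CA read in the last hunk (line 185), where the error is returned on line 187 with no context at all; `fmt.Errorf("failed to load client CA file %q: %w", c.ClientCAs, err)` would bring it in line. ConfigToTLSConfig begins before this hunk and continues past it.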
@@ -156,7 +182,7 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
156182
157183if c .ClientCAs != "" {
158184clientCAPool := x509 .NewCertPool ()
159- clientCAFile ,err := os . ReadFile (c .ClientCAs )
185+ clientCAFile ,err := reader . ReadSecret (c .ClientCAs )
160186if err != nil {
161187return nil ,err
162188}