TUN-6780: Add support for certReload to also include support for client certificates

tlsconfig/certreloader.go

@@ -40,12 +40,21 @@ func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
 }
 
 // Cert returns the TLS certificate most recently read by the CertReloader.
+// This method works as a direct utility method for tls.Config#Cert.
 func (cr *CertReloader) Cert(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	cr.Lock()
 	defer cr.Unlock()
 	return cr.certificate, nil
 }
 
+// ClientCert returns the TLS certificate most recently read by the CertReloader.
+// This method works as a direct utility method for tls.Config#ClientCert.
+func (cr *CertReloader) ClientCert(certRequestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+	cr.Lock()
+	defer cr.Unlock()
+	return cr.certificate, nil
+}
+
 // LoadCert loads a TLS certificate from the CertReloader's specified filepath.
 // Call this after writing a new certificate to the disk (e.g. after renewing a certificate)
 func (cr *CertReloader) LoadCert() error {

tlsconfig/tlsconfig.go

@@ -15,6 +15,7 @@ type TLSParameters struct {
 	Cert                 string
 	Key                  string
 	GetCertificate       *CertReloader
+	GetClientCertificate *CertReloader
 	ClientCAs            []string
 	RootCAs              []string
 	ServerName           string
@@ -43,6 +44,11 @@ func GetConfig(p *TLSParameters) (*tls.Config, error) {
 		tlsconfig.GetCertificate = p.GetCertificate.Cert
 	}
 
+	if p.GetClientCertificate != nil {
+		// GetClientCertificate is called when using an HTTP client library and mTLS is required.
+		tlsconfig.GetClientCertificate = p.GetClientCertificate.ClientCert
+	}
+
 	if len(p.ClientCAs) > 0 {
 		// set of root certificate authorities that servers use if required to verify a client certificate
 		// by the policy in ClientAuth