feat(metrics): enable mTLS support

Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-23 00:26:42 +00:00 · 2026-04-22 19:40:21 -04:00
parent dfeb02b4ae
commit 11f944128f
1 changed files with 17 additions and 0 deletions
@@ -3,11 +3,13 @@ package metrics
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"net/http/pprof"
+	"os"
 	"time"

 	"github.com/TecharoHQ/anubis/internal"
@@ -78,6 +80,21 @@ func (s *Server) run(ctx context.Context, lg *slog.Logger) error {
 		srv.TLSConfig = &tls.Config{
 			GetCertificate: kpr.GetCertificate,
 		}
+
+		if s.Config.TLS.CA != "" {
+			caCert, err := os.ReadFile(s.Config.TLS.CA)
+			if err != nil {
+				return fmt.Errorf("%w %s: %w", config.ErrCantReadFile, s.Config.TLS.CA, err)
+			}
+
+			certPool := x509.NewCertPool()
+			if !certPool.AppendCertsFromPEM(caCert) {
+				return fmt.Errorf("%w %s", config.ErrInvalidMetricsCACertificate, s.Config.TLS.CA)
+			}
+
+			srv.TLSConfig.ClientCAs = certPool
+			srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		}
 	}

 	lg.Debug("listening for metrics", "url", metricsURL)