ING-662: Add support for client cert authentication

Westwooo · Westwooo · commit 7325003e496f · 2025-09-30T12:40:51.000+01:00
diff --git a/routingclient.go b/routingclient.go
@@ -2,12 +2,14 @@ package gocbcoreps
 
 import (
 	"context"
+	"crypto/tls"
 	"crypto/x509"
-	"go.opentelemetry.io/otel/metric"
-	"go.opentelemetry.io/otel/trace"
 	"net"
 	"sync"
 
+	"go.opentelemetry.io/otel/metric"
+	"go.opentelemetry.io/otel/trace"
+
 	grpc_logsettable "github.com/grpc-ecosystem/go-grpc-middleware/logging/settable"
 	"go.uber.org/zap/zapgrpc"
 
@@ -43,7 +45,8 @@ type RoutingClient struct {
 var _ Conn = (*RoutingClient)(nil)
 
 type DialOptions struct {
-	RootCAs  *x509.CertPool
+	RootCAs            *x509.CertPool
+	Certificate        *tls.Certificate
 	Username           string
 	Password           string
 	Logger             *zap.Logger
@@ -84,7 +87,8 @@ func DialContext(ctx context.Context, target string, opts *DialOptions) (*Routin
 
 	for i := uint32(0); i < poolSize; i++ {
 		conn, err := dialRoutingConn(ctx, target, &routingConnOptions{
-			RootCAs:  opts.RootCAs,
+			RootCAs:            opts.RootCAs,
+			Certificate:        opts.Certificate,
 			Username:           opts.Username,
 			Password:           opts.Password,
 			InsecureSkipVerify: opts.InsecureSkipVerify,
diff --git a/routingconn.go b/routingconn.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+
 	"go.opentelemetry.io/otel/metric"
 	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/trace"
@@ -31,7 +32,8 @@ import (
 
 type routingConnOptions struct {
 	InsecureSkipVerify bool // used for enabling TLS, but skipping verification
-	RootCAs  *x509.CertPool
+	RootCAs            *x509.CertPool
+	Certificate        *tls.Certificate
 	Username           string
 	Password           string
 	TracerProvider     trace.TracerProvider
@@ -62,7 +64,17 @@ func dialRoutingConn(ctx context.Context, address string, opts *routingConnOptio
 	var perRpcDialOpt grpc.DialOption
 
 	if opts.RootCAs != nil || opts.InsecureSkipVerify {
-		creds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify, RootCAs: opts.RootCAs})
+		var certificates []tls.Certificate
+		if opts.Certificate != nil {
+			certificates = append(certificates, *opts.Certificate)
+		}
+
+		creds := credentials.NewTLS(
+			&tls.Config{
+				InsecureSkipVerify: opts.InsecureSkipVerify,
+				RootCAs:            opts.RootCAs,
+				Certificates:       certificates,
+			})
 		transportDialOpt = grpc.WithTransportCredentials(creds)
 	} else { // use system certs
 		pool, err := x509.SystemCertPool()
