caddytls: Support custom GetCertificate modules (like Tailscale)

caddyconfig/httpcaddyfile/builtins.go

@@ -82,6 +82,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //         on_demand
 //         eab    <key_id> <mac_key>
 //         issuer <module_name> [...]
+//         get_certificate <module_name> [...]
 //     }
 //
 func parseTLS(h Helper) ([]ConfigValue, error) {
@@ -93,6 +94,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	var keyType string
 	var internalIssuer *caddytls.InternalIssuer
 	var issuers []certmagic.Issuer
+	var certGetter certmagic.CertificateGetter
 	var onDemand bool
 
 	for h.Next() {
@@ -307,6 +309,22 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 				}
 				issuers = append(issuers, issuer)
 
+			case "get_certificate":
+				if !h.NextArg() {
+					return nil, h.ArgErr()
+				}
+				modName := h.Val()
+				modID := "tls.get_certificate." + modName
+				unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
+				if err != nil {
+					return nil, err
+				}
+				var ok bool
+				certGetter, ok = unm.(certmagic.CertificateGetter)
+				if !ok {
+					return nil, h.Errf("module %s (%T) is not a certmagic.CertificateGetter", modID, unm)
+				}
+
 			case "dns":
 				if !h.NextArg() {
 					return nil, h.ArgErr()
@@ -453,6 +471,12 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			Value: true,
 		})
 	}
+	if certGetter != nil {
+		configVals = append(configVals, ConfigValue{
+			Class: "tls.cert_getter",
+			Value: certGetter,
+		})
+	}
 
 	// custom certificate selection
 	if len(certSelector.AnyTag) > 0 {

caddyconfig/httpcaddyfile/tlsapp.go

@@ -116,6 +116,11 @@ func (st ServerType) buildTLSApp(
 			if _, ok := sblock.pile["tls.on_demand"]; ok {
 				ap.OnDemand = true
 			}
+			if certGetterVals, ok := sblock.pile["tls.cert_getter"]; ok {
+				certGetter := certGetterVals[0].Value.(certmagic.CertificateGetter)
+				certGetterName := certGetter.(caddy.Module).CaddyModule().ID.Name()
+				ap.GetCertificateRaw = caddyconfig.JSONModuleObject(certGetter, "via", certGetterName, &warnings)
+			}
 
 			if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok {
 				ap.KeyType = keyTypeVals[0].Value.(string)

go.mod

@@ -3,33 +3,49 @@ module github.com/caddyserver/caddy/v2
 go 1.16
 
 require (
+	cloud.google.com/go/kms v1.1.0 // indirect
+	github.com/BurntSushi/toml v0.4.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/alecthomas/chroma v0.9.2
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
-	github.com/caddyserver/certmagic v0.15.2
+	github.com/caddyserver/certmagic v0.15.3-0.20220130005015-730398ef5e4f
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/google/cel-go v0.7.3
 	github.com/google/uuid v1.3.0
 	github.com/klauspost/compress v1.13.6
 	github.com/klauspost/cpuid/v2 v2.0.9
+	github.com/kr/pretty v0.3.0 // indirect
 	github.com/lucas-clemente/quic-go v0.23.0
+	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mholt/acmez v1.0.1
 	github.com/naoina/go-stringutil v0.1.0 // indirect
 	github.com/naoina/toml v0.1.1
+	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/onsi/gomega v1.17.0 // indirect
 	github.com/prometheus/client_golang v1.11.0
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/smallstep/certificates v0.18.0
 	github.com/smallstep/cli v0.18.0
 	github.com/smallstep/nosql v0.3.9
 	github.com/smallstep/truststore v0.10.1
+	github.com/tailscale/tscert v0.0.0-20220125204807-4509a5fbaf74
 	github.com/yuin/goldmark v1.4.1
 	github.com/yuin/goldmark-highlighting v0.0.0-20210516132338-9216f9c5aa01
 	go.uber.org/zap v1.19.0
-	golang.org/x/crypto v0.0.0-20210915214749-c084706c2272
-	golang.org/x/net v0.0.0-20210913180222-943fd674d43e
-	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
-	google.golang.org/genproto v0.0.0-20210719143636-1d5a45f8e492
+	golang.org/x/crypto v0.0.0-20211202192323-5770296d904e
+	golang.org/x/net v0.0.0-20211205041911-012df41ee64c
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	golang.org/x/tools v0.1.8 // indirect
+	google.golang.org/genproto v0.0.0-20211018162055-cf77aa76bad2
 	google.golang.org/protobuf v1.27.1
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v2 v2.4.0
+	howett.net/plist v1.0.0 // indirect
 )