Documentation
¶
Overview ¶
Package tlsutil provides small helpers for building outbound TLS trust from operator-provided CA files.
It exists so the process-wide --extra-ca-file trust (installed on http.DefaultTransport at startup) and the explicit per-client CA pools that mcp-oauth's permissive JWKS / token-exchange clients now require are built from one place and therefore verify against an identical pool (system roots plus the operator's extra CAs).
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoadCAPool ¶
LoadCAPool reads PEM-encoded certificates from path and returns a pool containing the system trust roots plus those certificates. It is the single place that turns an operator-provided CA file into an outbound trust pool, so every consumer (the process-wide http.DefaultTransport install and the explicit CA pools handed to mcp-oauth's permissive JWKS / token-exchange clients) verifies against an identical pool.
A missing/unreadable file or unparseable PEM is an error: muster's outbound dependencies should never silently fall back to the unaugmented system pool when the operator asked for an internal CA.
Types ¶
This section is empty.