caddytls: Support tags for manually-loaded certificates

3 files changed, 22 insertions, 11 deletions

diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go
index 63592f9..d8e2d21 100644
--- a/modules/caddytls/fileloader.go
+++ b/modules/caddytls/fileloader.go
@@ -21,14 +21,15 @@ type fileLoader []CertKeyFilePair
 // CertKeyFilePair pairs certificate and key file names along with their
 // encoding format so that they can be loaded from disk.
 type CertKeyFilePair struct {
-	Certificate string `json:"certificate"`
-	Key         string `json:"key"`
-	Format      string `json:"format,omitempty"` // "pem" is default
+	Certificate string   `json:"certificate"`
+	Key         string   `json:"key"`
+	Format      string   `json:"format,omitempty"` // "pem" is default
+	Tags        []string `json:"tags,omitempty"`
 }
 
 // LoadCertificates returns the certificates to be loaded by fl.
-func (fl fileLoader) LoadCertificates() ([]tls.Certificate, error) {
-	var certs []tls.Certificate
+func (fl fileLoader) LoadCertificates() ([]Certificate, error) {
+	var certs []Certificate
 	for _, pair := range fl {
 		certData, err := ioutil.ReadFile(pair.Certificate)
 		if err != nil {
@@ -52,7 +53,7 @@ func (fl fileLoader) LoadCertificates() ([]tls.Certificate, error) {
 			return nil, err
 		}
 
-		certs = append(certs, cert)
+		certs = append(certs, Certificate{Certificate: cert, Tags: pair.Tags})
 	}
 	return certs, nil
 }
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index bcc22d8..c491708 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -29,8 +29,8 @@ type folderLoader []string
 // listed in fl from all files ending with .pem. This method of loading
 // certificates expects the certificate and key to be bundled into the
 // same file.
-func (fl folderLoader) LoadCertificates() ([]tls.Certificate, error) {
-	var certs []tls.Certificate
+func (fl folderLoader) LoadCertificates() ([]Certificate, error) {
+	var certs []Certificate
 	for _, dir := range fl {
 		err := filepath.Walk(dir, func(fpath string, info os.FileInfo, err error) error {
 			if err != nil {
@@ -48,7 +48,7 @@ func (fl folderLoader) LoadCertificates() ([]tls.Certificate, error) {
 				return err
 			}
 
-			certs = append(certs, cert)
+			certs = append(certs, Certificate{Certificate: cert})
 
 			return nil
 		})
@@ -120,3 +120,5 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 
 	return cert, nil
 }
+
+var _ CertificateLoader = (folderLoader)(nil)
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 63bc21d..7f5b1e9 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -98,7 +98,7 @@ func (t *TLS) Start() error {
 			Storage: t.ctx.Storage(),
 		})
 		for _, cert := range certs {
-			err := magic.CacheUnmanagedTLSCertificate(cert)
+			err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
 			if err != nil {
 				return fmt.Errorf("caching unmanaged certificate: %v", err)
 			}
@@ -182,8 +182,16 @@ func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy {
 }
 
 // CertificateLoader is a type that can load certificates.
+// Certificates can optionally be associated with tags.
 type CertificateLoader interface {
-	LoadCertificates() ([]tls.Certificate, error)
+	LoadCertificates() ([]Certificate, error)
+}
+
+// Certificate is a TLS certificate, optionally
+// associated with arbitrary tags.
+type Certificate struct {
+	tls.Certificate
+	Tags []string
 }
 
 // AutomationConfig designates configuration for the