🔥 feat: Add TLSConfig to ListenConfig

[gaby]

Description

• This pull request significantly enhances the TLS configuration options by introducing a dedicated TLSConfig field to the ListenConfig struct. This change provides greater flexibility for users to supply TLS certificates from various sources, such as in-memory PEM data or environment variables, and integrates seamlessly with external certificate providers. The update also includes robust validation to prevent incompatible TLS settings and clear documentation with practical examples to guide users. The implementation correctly handles precedence, ensuring that TLSConfig takes priority over other TLS-related fields, and includes comprehensive test cases to verify the new functionality and error conditions.

Replaces #4019 and #4021

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a new public TLSConfig *tls.Config field to ListenConfig (cloned and preferred), updates Listen() to pick TLS source from TLSConfig, cert files, or AutoCertManager, enforces mutual exclusivity (returns an exported error), and adds TLS-related docs and tests.

Changes

Cohort / File(s)	Summary
Documentation docs/api/fiber.md, docs/whats_new.md	Introduced TLSConfig docs, precedence/conflicts section, rewritten TLS examples (external providers, in-memory/env certs), and updated AutoCert example and usage notes.
Errors error.go	Added exported error: ErrAutoCertWithCertFile.
Core TLS & Listen listen.go	Added TLSConfig *tls.Config to ListenConfig; Listen() now prefers/clones TLSConfig, otherwise handles CertFile+CertKeyFile or AutoCertManager; enforces mutual exclusivity; retains TLSConfigFunc invocation and client CA handling flow.
Tests listen_test.go	Added TLS-related tests covering TLSConfig usage, conflict scenarios, cert-file paths, TLSConfigFunc invocation, and AutoCert conflicts (imports autocert).

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer/Test
  participant Listen as Listen()
  participant Decision as TLS Decision
  participant TLSCfg as TLSConfig (base)
  participant File as Cert Files
  participant Auto as AutoCertManager
  participant Apply as applyClientCert

  Dev->>Listen: Start listener with ListenConfig
  Listen->>Decision: Determine TLS source
  Decision-->>TLSCfg: if TLSConfig provided -> clone tls.Config
  Decision-->>File: else if CertFile & CertKeyFile -> load pair + set GetCertificate
  Decision-->>Auto: else if AutoCertManager -> use manager.GetCertificate + NextProtos
  Decision->>Listen: return tls.Config
  Listen->>Apply: if CertClientFile present -> applyClientCert(tls.Config, CertClientFile)
  Apply-->>Listen: client CA appended / error
  Listen->>Dev: Listener started (or error)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• 🔥 feat: Add support for configuring TLS Min Version #3248: Related edits to ListenConfig and TLS construction selection/handling.
• 🔥 feat: Add support for AutoTLS / ACME #3201: Related adjustments to AutoCertManager and GetCertificate/TLS handling.

Suggested reviewers

• sixcolors
• ReneWerner87
• efectn

Poem

🐰
I hop through configs soft and fleet,
Clone a TLS blanket, snug and neat;
No mixed certs to cause a fray,
Client CAs tucked in the hay,
Secure the burrow—connections sleep.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is incomplete; it lacks required sections including Changes Introduced (with checkboxes), Type of Change selection, and a Checklist of pre-submission requirements.	Complete the PR description by adding the Changes Introduced section (with checkboxes for Benchmarks, Documentation, Changelog, Migration Guide, etc.), selecting the Type of Change, and marking off the Checklist items.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main feature addition—introducing a TLSConfig field to ListenConfig—which is the primary change across all modified files.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @gaby, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the TLS configuration options by introducing a dedicated TLSConfig field to the ListenConfig struct. This change provides greater flexibility for users to supply TLS certificates from various sources, such as in-memory PEM data or environment variables, and integrates seamlessly with external certificate providers. The update also includes robust validation to prevent incompatible TLS settings and clear documentation with practical examples to guide users.

Highlights

• New TLSConfig Field: Introduced a new TLSConfig field within the ListenConfig struct, allowing for direct provision of a tls.Config object. This enables more flexible TLS certificate management, especially for external providers.
• Documentation and Examples: Added comprehensive documentation and code examples in docs/api/fiber.md demonstrating how to use TLSConfig to load certificates from in-memory PEM bytes and environment variables. This simplifies external certificate provisioning.
• Configuration Conflict Validation: Implemented validation checks to prevent conflicting TLS configuration options. TLSConfig cannot be combined with CertFile/CertKeyFile or AutoCertManager, and AutoCertManager cannot be used with CertFile/CertKeyFile.
• Client Certificate Refactoring: Refactored the logic for applying client certificates into a new helper function, applyClientCert, improving code organization and reusability.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

❌ Patch coverage is 78.78788% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.29%. Comparing base (7104ad1) to head (0f4a053).
⚠️ Report is 50 commits behind head on main.

Files with missing lines	Patch %	Lines
listen.go	78.78%	6 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4024      +/-   ##
==========================================
+ Coverage   91.23%   91.29%   +0.05%     
==========================================
  Files         119      119              
  Lines       11007    11057      +50     
==========================================
+ Hits        10042    10094      +52     
  Misses        610      610              
+ Partials      355      353       -2     

Flag	Coverage Δ
unittests	91.29% <78.78%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gemini-code-assist]

Code Review

This pull request introduces a new TLSConfig option in ListenConfig, enabling more flexible TLS configuration, particularly for external certificate providers. The implementation includes adding the field, handling configuration conflicts, and refactoring existing TLS logic. The changes are well-supported by comprehensive documentation updates and new tests. Overall, this is a solid contribution. I have a few suggestions to further improve documentation clarity and error handling.

[github-actions]

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

Benchmark suite	Current: d068ec4	Previous: 7104ad1	Ratio
Benchmark_FiberHandlerFunc/No_Content	5778 ns/op 33039 B/op 8 allocs/op	3805 ns/op 33048 B/op 8 allocs/op	1.52
Benchmark_FiberHandlerFunc/No_Content - ns/op	5778 ns/op	3805 ns/op	1.52
Benchmark_FiberHandlerFunc/1MB	6006 ns/op 33069 B/op 8 allocs/op	3816 ns/op 33059 B/op 8 allocs/op	1.57
Benchmark_FiberHandlerFunc/1MB - ns/op	6006 ns/op	3816 ns/op	1.57
Benchmark_FiberHandlerFunc/5MB	5795 ns/op 33155 B/op 8 allocs/op	3857 ns/op 33125 B/op 8 allocs/op	1.50
Benchmark_FiberHandlerFunc/5MB - ns/op	5795 ns/op	3857 ns/op	1.50

This comment was automatically generated by workflow using github-action-benchmark.

[gaby]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a significant enhancement to the TLS configuration by adding a TLSConfig field to ListenConfig. This provides greater flexibility, allowing users to supply TLS certificates from various sources like in-memory data or external providers. The implementation is robust, with clear validation for conflicting settings and good refactoring of the existing TLS setup logic. The documentation has been updated comprehensively with clear examples and explanations of the new feature and its precedence. The added unit tests effectively cover the new functionality.

I have one suggestion to improve the robustness of the client certificate handling by checking the return value of AppendCertsFromPEM to ensure certificates are actually loaded from the provided file.

Overall, this is an excellent contribution that improves the flexibility and usability of Fiber's TLS configuration.

[gaby]

/gemini review

[gemini-code-assist]

Code Review

This pull request significantly enhances the TLS configuration options by introducing a dedicated TLSConfig field to the ListenConfig struct. This change provides greater flexibility for users to supply TLS certificates from various sources, such as in-memory PEM data or environment variables, and integrates seamlessly with external certificate providers. The update also includes robust validation to prevent incompatible TLS settings and clear documentation with practical examples to guide users. The refactoring of client certificate handling into a dedicated function improves code modularity and readability. Comprehensive test cases have been added to ensure the correctness of the new features and conflict checks. Overall, this is a well-implemented and well-documented enhancement.

[gaby]

/gemini review

[gemini-code-assist]

Code Review

This pull request significantly enhances the TLS configuration options by introducing a dedicated TLSConfig field to the ListenConfig struct. This change provides greater flexibility for users to supply TLS certificates from various sources, such as in-memory PEM data or environment variables, and integrates seamlessly with external certificate providers. The update also includes robust validation to prevent incompatible TLS settings and clear documentation with practical examples to guide users. The implementation correctly handles precedence, ensuring that TLSConfig takes priority over other TLS-related fields, and includes comprehensive test cases to verify the new functionality and error conditions.

[gaby]

@simonnix We plan on using TLSConfig as provided, else we will use existing fields. I just removed the logic to merge them since that was adding complexity.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

[simonnix]

Hi @gaby,

I'm fine with that, having TLSConfig is really more than I hoped to have.

Just thinking about it (I'm not an Express.js user, I just looked it up) but, are you moving to just offer TLSConfig and nothing else, just to align more with Express.js which does not handle directly TLS ?

Is that your idea? I'm fine with it, just asking.

[gaby]

Hi @gaby,

I'm fine with that, having TLSConfig is really more than I hoped to have.

Just thinking about it (I'm not an Express.js user, I just looked it up) but, are you moving to just offer TLSConfig and nothing else, just to align more with Express.js which does not handle directly TLS ?

Is that your idea? I'm fine with it, just asking.

@simonnix Priority is TLSConfig, but we are leaving the other fields since we are in Release Candidate status already.

Edit: net/http server uses TLSConfig too.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

[gaby]

/gemini review

[gemini-code-assist]

Code Review

This is an excellent pull request that significantly enhances Fiber's TLS configuration capabilities. The introduction of the TLSConfig field is a great addition, providing much-needed flexibility for advanced use cases like external certificate providers and in-memory certificates. The implementation is robust, correctly handling configuration precedence and safely cloning the tls.Config to prevent side effects. The accompanying documentation updates are thorough and clear, with plenty of useful examples. The tests are comprehensive, covering new functionality, error conditions, and precedence logic. I have one minor suggestion to improve the documentation's clarity by removing a redundant section.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.