Merge pull request #158 from fayzal-g/pass-tls-config-inline

Allow passing of TLS certificates inline
prometheus · Jul 14, 2023 · c1b76fe · c1b76fe
2 parents ef8864f + 6192b91
commit c1b76fe
Show file tree

Hide file tree

Showing 7 changed files with 261 additions and 30 deletions.
diff --git a/docs/web-configuration.md b/docs/web-configuration.md
@@ -23,6 +23,24 @@ Generic placeholders are defined as follows:
 
 ```
 tls_server_config:
+  # Certificate for server to use to authenticate to client.
+  # Expected to be passed as a PEM encoded sequence of bytes as a string.
+  #
+  # NOTE: If passing the cert inline, cert_file should not be specified below.
+  [ cert: <string> ]
+
+  # Key for server to use to authenticate to client.
+  # Expected to be passed as a PEM encoded sequence of bytes as a string.
+  #
+  # NOTE: If passing the key inline, key_file should not be specified below.
+  [ key: <secret> ]
+
+  # CA certificate for client certificate authentication to the server.
+  # Expected to be passed as a PEM encoded sequence of bytes as a string.
+  #
+  # NOTE: If passing the client_ca inline, client_ca_file should not be specified below.
+  [ client_ca: <string> ]
+
   # Certificate and key files for server to use to authenticate to client.
   cert_file: <filename>
   key_file: <filename>
@@ -37,14 +55,14 @@ tls_server_config:
 
   # CA certificate for client certificate authentication to the server.
   [ client_ca_file: <filename> ]
-  
-  # Verify that the client certificate has a Subject Alternate Name (SAN) 
-  # which is an exact match to an entry in this list, else terminate the 
-  # connection. SAN match can be one or multiple of the following: DNS, 
+
+  # Verify that the client certificate has a Subject Alternate Name (SAN)
+  # which is an exact match to an entry in this list, else terminate the
+  # connection. SAN match can be one or multiple of the following: DNS,
   # IP, e-mail, or URI address from https://pkg.go.dev/crypto/x509#Certificate.
   [ client_allowed_sans:
     [ - <string> ] ]
-    
+
   # Minimum TLS version that is acceptable.
   [ min_version: <string> | default = "TLS12" ]
 

diff --git a/web/testdata/tls_config_noAuth.requireanyclientcertkeyinline.good.yml b/web/testdata/tls_config_noAuth.requireanyclientcertkeyinline.good.yml
@@ -0,0 +1,56 @@
+tls_server_config:
+  cert_file: "server.crt"
+  key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT5dSL/8/jPIxx
+    1EoIDobwkv9CHzYvNvjqa8GpZoUi9Rckaxnhw6SgKyKx4Wpe6LpIsyavesCk3XVF
+    boYz0e7K0mF+ydqD85429hZix5w/Mvs8TvN1zQOVggwdMgPyoVh4Q5ndqYoU02Tq
+    PY7xot/i8iKl1HosCKcbjZx9oIaFMvg08zQpJy5CCgFZwz6DNQCNFrtuK7NeAPGV
+    Vor82Pz/MRsJTJg53a6x8CczEhDHh+yCYvYceMyWpaaGE1aumdEb9Pu0qUvorMIv
+    3jCCw4Zkry8NEeMd9cZM7DzrVLKHFY4AQhhhh6O9CErAMbC+hPUBXtrsGUr2wSn6
+    LiWjNLcUSGWoTHh8uXoIdvidPL7mSqPTwwVsCsKkGeCm+1rYHpIsnC5hWvzmBy1F
+    /jsPEF7uR1Pb/V5T/RldhUA5GtiLjE7UuSQhLeXvXXUm+ClW5EQIXy9rJwPsNJ5q
+    3wgZa5U4Rc+RL8uUDQKNTkcIhPvIDVHNdhALvSt0yvVklGDaywm5Dd6AS/g1afGO
+    qqrlKShGxJYbCfVePRK69yz2l6c+Wlu04eqBau1Dge3IaikNkjZd/4U5TVMPMBW/
+    UIvAF7PuEsx6ONSBHvUGQb6XrnFZnXsGySrzUvFMbNsJrU6thtgHt6hs1pevNie2
+    lMNV+mOOjmp0AzbQ1ULxjdQluZLwlwIDAQABAoICAQCxGs9jlBQ1YU4hdcXKphmy
+    yan/ogavv8qcZCQhakasyRzmm32ubM8T7/m3oyg821eXm+Uhlf+dzFtQBOi2NyjW
+    7LAAQMYas2vxlA1x0lSNnhbOeU6Tjx8HvwJRBJS4HpLLMfVQh3uZnHYkMf9fhzqJ
+    fMfowoa6dyD0ro+1kI3elpNN7lgSbWUEXUhztfRxxcMIKY/OrUflsfQ5VXQlkVck
+    E+78/r/c3aQ9pPOeg+LyYnETKZN6iJy27Q0Z0uAIXxefvksC3N1NQ9eqGpOBN9sE
+    HEe/LMwfJmTvtiPUrZ3pueJN5PBr0+rO/Dc+HEoVcxs0Yguoehtl0l07dYaPumep
+    TmXdrKvCkwM5cwnbXSWrCpqMS8Medb3zWvNnWO/mjRwTZyhmNdscjh3Ilvo+YCus
+    wM8HJFD4FuMtL3GtIfoKeszppACTkOOYiViGHmKUiQaSEwF7nhuIQqgN3ULCP7Z5
+    mhL2RhLWacPfATITNkm4g2o16mFohZ9HPZSkPGm8rw7yhB1s2emoocXsms2iR1oa
+    mggNnUS3m87Z/HmOEyObIQZtYf1ZNuVAGGP4kmhhtNfMTmq3CPYM3oMRR1nb8Ci8
+    zYwjEIvLYuDVlZFff4+IA7tCBZPichieoioaxutnYtO+nvuzDRiitL4my2EcXeE7
+    tcIunkP9u5BNiXsfNcy3gQKCAQEA3X9eZ/IPF9Rrsjwtqkt7Oxn/uJ8JCotVBLnq
+    SCd7sCSaM06jUzMjMoj4SYyjzBYLycH/q+euT4UoPdPMKCfwx2NgR87MfuehWzwG
+    pmPbAbLJtLmZ+M/Bz5QzGS3J3f4qYxLptLHX971JgtTdcJhOAc+p/Elt3l43d/fr
+    sMVrZ8hqHlXmA6WuwqHjHnGP1ML6xFfsjDZ2jQ3VEV17XKtinucgitvkVuHYmtdQ
+    wm/yrM8vDkyglgk47j9CyfQdL10elBxe32WY5B0g9TmhIMypmlJk7inPPnAqJ4TF
+    JJBMvZOB9cJAjrtsDN3tAW/1q+wPF1HLwurqTLluZEc5MVjaOQKCAQEA9OenKlxB
+    5HiANjH0riaokFDtjC27iHoeBkbEt+CyegGXVHEotVcKnG+N4Tw/GXcS9m33vu/X
+    Lmeowp/Z2BKxB7xvw81jQh8gEoUHFlH6DgksTPjVVSEa4wnESrqlFjRquBexpU6e
+    X//xVD72b0txAqJvpvtbxZC41WIwUBTBkHDlj2hegEzUvgzdO92FPRUDrAgB0wSv
+    05U6fh1/4c3XTHqIHK4/gxiVRmjnpEdjEbOZsfbN8LGQK2eq4FkIS870VKigUZ/U
+    m2YB+8PKKyqKdXpWQHMZ9QvXoU9AwMw4Q+NEk4a/ZrnnMo59voKP1Qoqhd/rEAP7
+    xa1AMOAl2DhhTwKCAQBdY4Z6bSTP91AxJg5a7thWYu/e967oMzb1dy3AnmUYL1aU
+    q2NRgQ4mEHofCJ1HP0RZHOKfqF9mR85fwx0hETYD23KM1DSEjUULIpPrM87zOF6z
+    RE4XCgG9c87XnuauIqvceezvssxMOBL2hqmW/6BkQxp4tL0ONMtOWcmWDqbqayXT
+    BISmpQS6K2eHPnpWSp9QiYHC3HO/pUVgvPl2aQx70xd1dKEhwLeDEaWLVYgMNI6y
+    iLxshhbq3OFcJQDpJ2ntKMkXh86e32k1+8Zj/ebEmljT0ez/dmtPnjtA31Z71+XD
+    qNNvWraD9k4nfP0oL69tNZ+j30hKcSSKQz1qAPyBAoIBAGBaI3KPCX2Ryx+HV/SM
+    URU2Qb883uM66EUf4pVVWeKWbatTOejebdZOLUvIICsspdE+QpJkWgxvy/2GVnak
+    I/IfOPmX/M0u4bdnjvpBFlgfU8aUv5nWhHV+ijO8aubpiHMVH1ciLz0lvRSgEOSI
+    kdWvgq33houb/Jw3HTrkb6McR7S8IzHnCGwdM40yAhGeCuvL2qvi1CoyM+kaQg3c
+    pi/4pURjaalyKoihDUGctGVqe7WAnFVuBoKNLrVFUfZBXe9QyIJUl5jr8SvUQ93n
+    xsGhd/2zSysVlahpPdicgCZ1a61+/h60VTmWxfIF/ACdF03EYv7SEmQbXX3dMgZ3
+    aBECggEBALXqdEIkb9pBhwCvUHFG+c/IKBhS6j7BUj9PrZ3MATPXHo6Iy09d/dlV
+    psFQzWVvBmf3pcI0MEi7xdUMSN0jhZ8xp1owDlOQSM8DCQPFLaC38sfhZNThIfz0
+    Q+fWYPe1lkRBtMVSokN1PtE5zETHlUKkh3fdQs0wihX4Wikc64rjCgXqXc8ng8Lk
+    NCUNBY/7pNfrEm0Zxz+8CvmRaBbL4OT2/hFsdcMiO3P24mCdAPgJ4v97pr8KxRHe
+    SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP
+    Rri7hsjysanKPyaPM1oofbRyWApMyRo=
+    -----END PRIVATE KEY-----
+  client_auth_type: "RequireAnyClientCert"
diff --git a/web/testdata/web_config_noAuth_cert_empty.bad.yml b/web/testdata/web_config_noAuth_cert_empty.bad.yml
@@ -0,0 +1,3 @@
+tls_server_config:
+  cert: ""
+  key_file: "server.key"
diff --git a/web/testdata/web_config_noAuth_key_empty.bad.yml b/web/testdata/web_config_noAuth_key_empty.bad.yml
@@ -0,0 +1,3 @@
+tls_server_config:
+  cert_file: "server.crt"
+  key: ""
diff --git a/web/testdata/web_config_noAuth_tlsInline.good.yml b/web/testdata/web_config_noAuth_tlsInline.good.yml
@@ -0,0 +1,89 @@
+tls_server_config:
+  cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIFsDCCA5igAwIBAgIRAMMSh5NoexSCjSvDRf1fpgMwDQYJKoZIhvcNAQELBQAw
+    aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy
+    b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo
+    ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDdaGA8yMDcyMDYyNTA5MTUwN1owNjEL
+    MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs
+    aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANPl1Iv/z+M8jHHU
+    SggOhvCS/0IfNi82+OprwalmhSL1FyRrGeHDpKArIrHhal7oukizJq96wKTddUVu
+    hjPR7srSYX7J2oPznjb2FmLHnD8y+zxO83XNA5WCDB0yA/KhWHhDmd2pihTTZOo9
+    jvGi3+LyIqXUeiwIpxuNnH2ghoUy+DTzNCknLkIKAVnDPoM1AI0Wu24rs14A8ZVW
+    ivzY/P8xGwlMmDndrrHwJzMSEMeH7IJi9hx4zJalpoYTVq6Z0Rv0+7SpS+iswi/e
+    MILDhmSvLw0R4x31xkzsPOtUsocVjgBCGGGHo70ISsAxsL6E9QFe2uwZSvbBKfou
+    JaM0txRIZahMeHy5egh2+J08vuZKo9PDBWwKwqQZ4Kb7WtgekiycLmFa/OYHLUX+
+    Ow8QXu5HU9v9XlP9GV2FQDka2IuMTtS5JCEt5e9ddSb4KVbkRAhfL2snA+w0nmrf
+    CBlrlThFz5Evy5QNAo1ORwiE+8gNUc12EAu9K3TK9WSUYNrLCbkN3oBL+DVp8Y6q
+    quUpKEbElhsJ9V49Err3LPaXpz5aW7Th6oFq7UOB7chqKQ2SNl3/hTlNUw8wFb9Q
+    i8AXs+4SzHo41IEe9QZBvpeucVmdewbJKvNS8Uxs2wmtTq2G2Ae3qGzWl682J7aU
+    w1X6Y46OanQDNtDVQvGN1CW5kvCXAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg
+    MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G
+    A1UdIwQYMBaAFMaaHh5g0+YopeLd1IkizXyK9K/zMCAGA1UdEQQZMBeCCWxvY2Fs
+    aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAUXL/lzbgbs6whVrE
+    3wkp0oDGVZ0Jti1hpeQk7Slt3PHsgu9OQOSGcv9QHs0ybhkDWZQjoCH6Nurx5QaY
+    GnpNQjylfy3zAziO0c7C1uXf7Z9AEMQwbOHFLefnvq86MtnwJ7sadQo+ViwtMgOW
+    He4YhkTyu2CqK8GFXRQUNm/SunffXp5zErPCNQURh4hrDUGlXPzyxgx1DyqFvF4S
+    X8IpsoED3d7cbEL7E9dgXNl7wuy3qoPi9P9KydFTIELBGt1oco980S1attSM9159
+    t9iUIUMT4EdzmZxpIyJMCD+Lz9Y3zWVyz7DTqFWOtAtmhM4lu44K4S4d/JfAGEal
+    3h3SMCbBPKwpsloO4r9TeGi2f+T7hfiFMdCezEyG8sXrObCDyVudyUnXnxDkZ5TQ
+    NOzqJaUJHeKzb+Z9WSovce3Pb8ok3GoDugmwqyjuN/rz/0jsDTJm18I6HHtONbUp
+    AIV/H/4+Kewc+Ztv97J7MeQB/2VKcY3vpZpMSEkg2ummRhXUfi0haxfoSCKvRwiD
+    BElUVtwHTsn3OBnKMGcBt32iLVsvbb/0AtNpohznPdQT7dqDVguejmwHn/fc4u4Q
+    vfAay/ACARti9XKGplQi7xn+OoYcAVPLYitYBRNEc6t+4f3EKehrDIMRCnxOFBVX
+    9Dnm1DebturSQQEOuX5rP15lG1I=
+    -----END CERTIFICATE-----
+  key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT5dSL/8/jPIxx
+    1EoIDobwkv9CHzYvNvjqa8GpZoUi9Rckaxnhw6SgKyKx4Wpe6LpIsyavesCk3XVF
+    boYz0e7K0mF+ydqD85429hZix5w/Mvs8TvN1zQOVggwdMgPyoVh4Q5ndqYoU02Tq
+    PY7xot/i8iKl1HosCKcbjZx9oIaFMvg08zQpJy5CCgFZwz6DNQCNFrtuK7NeAPGV
+    Vor82Pz/MRsJTJg53a6x8CczEhDHh+yCYvYceMyWpaaGE1aumdEb9Pu0qUvorMIv
+    3jCCw4Zkry8NEeMd9cZM7DzrVLKHFY4AQhhhh6O9CErAMbC+hPUBXtrsGUr2wSn6
+    LiWjNLcUSGWoTHh8uXoIdvidPL7mSqPTwwVsCsKkGeCm+1rYHpIsnC5hWvzmBy1F
+    /jsPEF7uR1Pb/V5T/RldhUA5GtiLjE7UuSQhLeXvXXUm+ClW5EQIXy9rJwPsNJ5q
+    3wgZa5U4Rc+RL8uUDQKNTkcIhPvIDVHNdhALvSt0yvVklGDaywm5Dd6AS/g1afGO
+    qqrlKShGxJYbCfVePRK69yz2l6c+Wlu04eqBau1Dge3IaikNkjZd/4U5TVMPMBW/
+    UIvAF7PuEsx6ONSBHvUGQb6XrnFZnXsGySrzUvFMbNsJrU6thtgHt6hs1pevNie2
+    lMNV+mOOjmp0AzbQ1ULxjdQluZLwlwIDAQABAoICAQCxGs9jlBQ1YU4hdcXKphmy
+    yan/ogavv8qcZCQhakasyRzmm32ubM8T7/m3oyg821eXm+Uhlf+dzFtQBOi2NyjW
+    7LAAQMYas2vxlA1x0lSNnhbOeU6Tjx8HvwJRBJS4HpLLMfVQh3uZnHYkMf9fhzqJ
+    fMfowoa6dyD0ro+1kI3elpNN7lgSbWUEXUhztfRxxcMIKY/OrUflsfQ5VXQlkVck
+    E+78/r/c3aQ9pPOeg+LyYnETKZN6iJy27Q0Z0uAIXxefvksC3N1NQ9eqGpOBN9sE
+    HEe/LMwfJmTvtiPUrZ3pueJN5PBr0+rO/Dc+HEoVcxs0Yguoehtl0l07dYaPumep
+    TmXdrKvCkwM5cwnbXSWrCpqMS8Medb3zWvNnWO/mjRwTZyhmNdscjh3Ilvo+YCus
+    wM8HJFD4FuMtL3GtIfoKeszppACTkOOYiViGHmKUiQaSEwF7nhuIQqgN3ULCP7Z5
+    mhL2RhLWacPfATITNkm4g2o16mFohZ9HPZSkPGm8rw7yhB1s2emoocXsms2iR1oa
+    mggNnUS3m87Z/HmOEyObIQZtYf1ZNuVAGGP4kmhhtNfMTmq3CPYM3oMRR1nb8Ci8
+    zYwjEIvLYuDVlZFff4+IA7tCBZPichieoioaxutnYtO+nvuzDRiitL4my2EcXeE7
+    tcIunkP9u5BNiXsfNcy3gQKCAQEA3X9eZ/IPF9Rrsjwtqkt7Oxn/uJ8JCotVBLnq
+    SCd7sCSaM06jUzMjMoj4SYyjzBYLycH/q+euT4UoPdPMKCfwx2NgR87MfuehWzwG
+    pmPbAbLJtLmZ+M/Bz5QzGS3J3f4qYxLptLHX971JgtTdcJhOAc+p/Elt3l43d/fr
+    sMVrZ8hqHlXmA6WuwqHjHnGP1ML6xFfsjDZ2jQ3VEV17XKtinucgitvkVuHYmtdQ
+    wm/yrM8vDkyglgk47j9CyfQdL10elBxe32WY5B0g9TmhIMypmlJk7inPPnAqJ4TF
+    JJBMvZOB9cJAjrtsDN3tAW/1q+wPF1HLwurqTLluZEc5MVjaOQKCAQEA9OenKlxB
+    5HiANjH0riaokFDtjC27iHoeBkbEt+CyegGXVHEotVcKnG+N4Tw/GXcS9m33vu/X
+    Lmeowp/Z2BKxB7xvw81jQh8gEoUHFlH6DgksTPjVVSEa4wnESrqlFjRquBexpU6e
+    X//xVD72b0txAqJvpvtbxZC41WIwUBTBkHDlj2hegEzUvgzdO92FPRUDrAgB0wSv
+    05U6fh1/4c3XTHqIHK4/gxiVRmjnpEdjEbOZsfbN8LGQK2eq4FkIS870VKigUZ/U
+    m2YB+8PKKyqKdXpWQHMZ9QvXoU9AwMw4Q+NEk4a/ZrnnMo59voKP1Qoqhd/rEAP7
+    xa1AMOAl2DhhTwKCAQBdY4Z6bSTP91AxJg5a7thWYu/e967oMzb1dy3AnmUYL1aU
+    q2NRgQ4mEHofCJ1HP0RZHOKfqF9mR85fwx0hETYD23KM1DSEjUULIpPrM87zOF6z
+    RE4XCgG9c87XnuauIqvceezvssxMOBL2hqmW/6BkQxp4tL0ONMtOWcmWDqbqayXT
+    BISmpQS6K2eHPnpWSp9QiYHC3HO/pUVgvPl2aQx70xd1dKEhwLeDEaWLVYgMNI6y
+    iLxshhbq3OFcJQDpJ2ntKMkXh86e32k1+8Zj/ebEmljT0ez/dmtPnjtA31Z71+XD
+    qNNvWraD9k4nfP0oL69tNZ+j30hKcSSKQz1qAPyBAoIBAGBaI3KPCX2Ryx+HV/SM
+    URU2Qb883uM66EUf4pVVWeKWbatTOejebdZOLUvIICsspdE+QpJkWgxvy/2GVnak
+    I/IfOPmX/M0u4bdnjvpBFlgfU8aUv5nWhHV+ijO8aubpiHMVH1ciLz0lvRSgEOSI
+    kdWvgq33houb/Jw3HTrkb6McR7S8IzHnCGwdM40yAhGeCuvL2qvi1CoyM+kaQg3c
+    pi/4pURjaalyKoihDUGctGVqe7WAnFVuBoKNLrVFUfZBXe9QyIJUl5jr8SvUQ93n
+    xsGhd/2zSysVlahpPdicgCZ1a61+/h60VTmWxfIF/ACdF03EYv7SEmQbXX3dMgZ3
+    aBECggEBALXqdEIkb9pBhwCvUHFG+c/IKBhS6j7BUj9PrZ3MATPXHo6Iy09d/dlV
+    psFQzWVvBmf3pcI0MEi7xdUMSN0jhZ8xp1owDlOQSM8DCQPFLaC38sfhZNThIfz0
+    Q+fWYPe1lkRBtMVSokN1PtE5zETHlUKkh3fdQs0wihX4Wikc64rjCgXqXc8ng8Lk
+    NCUNBY/7pNfrEm0Zxz+8CvmRaBbL4OT2/hFsdcMiO3P24mCdAPgJ4v97pr8KxRHe
+    SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP
+    Rri7hsjysanKPyaPM1oofbRyWApMyRo=
+    -----END PRIVATE KEY-----
+  client_auth_type: "VerifyClientCertIfGiven"
diff --git a/web/tls_config.go b/web/tls_config.go
@@ -43,16 +43,19 @@ type Config struct {
 }
 
 type TLSConfig struct {
-	TLSCertPath              string     `yaml:"cert_file"`
-	TLSKeyPath               string     `yaml:"key_file"`
-	ClientAuth               string     `yaml:"client_auth_type"`
-	ClientCAs                string     `yaml:"client_ca_file"`
-	CipherSuites             []Cipher   `yaml:"cipher_suites"`
-	CurvePreferences         []Curve    `yaml:"curve_preferences"`
-	MinVersion               TLSVersion `yaml:"min_version"`
-	MaxVersion               TLSVersion `yaml:"max_version"`
-	PreferServerCipherSuites bool       `yaml:"prefer_server_cipher_suites"`
-	ClientAllowedSans        []string   `yaml:"client_allowed_sans"`
+	TLSCert                  string             `yaml:"cert"`
+	TLSKey                   config_util.Secret `yaml:"key"`
+	ClientCAsText            string             `yaml:"client_ca"`
+	TLSCertPath              string             `yaml:"cert_file"`
+	TLSKeyPath               string             `yaml:"key_file"`
+	ClientAuth               string             `yaml:"client_auth_type"`
+	ClientCAs                string             `yaml:"client_ca_file"`
+	CipherSuites             []Cipher           `yaml:"cipher_suites"`
+	CurvePreferences         []Curve            `yaml:"curve_preferences"`
+	MinVersion               TLSVersion         `yaml:"min_version"`
+	MaxVersion               TLSVersion         `yaml:"max_version"`
+	PreferServerCipherSuites bool               `yaml:"prefer_server_cipher_suites"`
+	ClientAllowedSans        []string           `yaml:"client_allowed_sans"`
 }
 
 type FlagConfig struct {
@@ -132,22 +135,54 @@ func getTLSConfig(configPath string) (*tls.Config, error) {
 	return ConfigToTLSConfig(&c.TLSConfig)
 }
 
-// ConfigToTLSConfig generates the golang tls.Config from the TLSConfig struct.
-func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
-	if c.TLSCertPath == "" && c.TLSKeyPath == "" && c.ClientAuth == "" && c.ClientCAs == "" {
-		return nil, errNoTLSConfig
+func validateTLSPaths(c *TLSConfig) error {
+	if c.TLSCertPath == "" && c.TLSCert == "" &&
+		c.TLSKeyPath == "" && c.TLSKey == "" &&
+		c.ClientCAs == "" && c.ClientCAsText == "" &&
+		c.ClientAuth == "" {
+		return errNoTLSConfig
 	}
 
-	if c.TLSCertPath == "" {
-		return nil, errors.New("missing cert_file")
+	if c.TLSCertPath == "" && c.TLSCert == "" {
+		return errors.New("missing one of cert or cert_file")
 	}
 
-	if c.TLSKeyPath == "" {
-		return nil, errors.New("missing key_file")
+	if c.TLSKeyPath == "" && c.TLSKey == "" {
+		return errors.New("missing one of key or key_file")
+	}
+
+	return nil
+}
+
+// ConfigToTLSConfig generates the golang tls.Config from the TLSConfig struct.
+func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
+	if err := validateTLSPaths(c); err != nil {
+		return nil, err
 	}
 
 	loadCert := func() (*tls.Certificate, error) {
-		cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
+		var certData, keyData []byte
+		var err error
+
+		if c.TLSCertPath != "" {
+			certData, err = os.ReadFile(c.TLSCertPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read cert_file (%s): %s", c.TLSCertPath, err)
+			}
+		} else {
+			certData = []byte(c.TLSCert)
+		}
+
+		if c.TLSKeyPath != "" {
+			keyData, err = os.ReadFile(c.TLSKeyPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read key_file (%s): %s", c.TLSKeyPath, err)
+			}
+		} else {
+			keyData = []byte(c.TLSKey)
+		}
+
+		cert, err := tls.X509KeyPair(certData, keyData)
 		if err != nil {
 			return nil, fmt.Errorf("failed to load X509KeyPair: %w", err)
 		}
@@ -193,6 +228,10 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
 		}
 		clientCAPool.AppendCertsFromPEM(clientCAFile)
 		cfg.ClientCAs = clientCAPool
+	} else if c.ClientCAsText != "" {
+		clientCAPool := x509.NewCertPool()
+		clientCAPool.AppendCertsFromPEM([]byte(c.ClientCAsText))
+		cfg.ClientCAs = clientCAPool
 	}
 
 	if c.ClientAllowedSans != nil {
@@ -215,7 +254,7 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
 		return nil, errors.New("Invalid ClientAuth: " + c.ClientAuth)
 	}
 
-	if c.ClientCAs != "" && cfg.ClientAuth == tls.NoClientCert {
+	if (c.ClientCAs != "" || c.ClientCAsText != "") && cfg.ClientAuth == tls.NoClientCert {
 		return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
 	}
 

diff --git a/web/tls_config_test.go b/web/tls_config_test.go
@@ -51,8 +51,8 @@ var (
 		"Invalid ClientAuth":           regexp.MustCompile(`invalid ClientAuth`),
 		"TLS handshake":                regexp.MustCompile(`tls`),
 		"HTTP Request to HTTPS server": regexp.MustCompile(`HTTP`),
-		"Invalid CertPath":             regexp.MustCompile(`missing cert_file`),
-		"Invalid KeyPath":              regexp.MustCompile(`missing key_file`),
+		"Invalid Cert or CertPath":     regexp.MustCompile(`missing one of cert or cert_file`),
+		"Invalid Key or KeyPath":       regexp.MustCompile(`missing one of key or key_file`),
 		"ClientCA set without policy":  regexp.MustCompile(`Client CA's have been configured without a Client Auth Policy`),
 		"Bad password":                 regexp.MustCompile(`hashedSecret too short to be a bcrypted password`),
 		"Unauthorized":                 regexp.MustCompile(`Unauthorized`),
@@ -127,17 +127,27 @@ func TestYAMLFiles(t *testing.T) {
 		{
 			Name:           `invalid config yml (cert path empty)`,
 			YAMLConfigPath: "testdata/web_config_noAuth_certPath_empty.bad.yml",
-			ExpectedError:  ErrorMap["Invalid CertPath"],
+			ExpectedError:  ErrorMap["Invalid Cert or CertPath"],
+		},
+		{
+			Name:           `invalid config yml (cert empty)`,
+			YAMLConfigPath: "testdata/web_config_noAuth_cert_empty.bad.yml",
+			ExpectedError:  ErrorMap["Invalid Cert or CertPath"],
 		},
 		{
 			Name:           `invalid config yml (key path empty)`,
 			YAMLConfigPath: "testdata/web_config_noAuth_keyPath_empty.bad.yml",
-			ExpectedError:  ErrorMap["Invalid KeyPath"],
+			ExpectedError:  ErrorMap["Invalid Key or KeyPath"],
+		},
+		{
+			Name:           `invalid config yml (key empty)`,
+			YAMLConfigPath: "testdata/web_config_noAuth_key_empty.bad.yml",
+			ExpectedError:  ErrorMap["Invalid Key or KeyPath"],
 		},
 		{
 			Name:           `invalid config yml (cert path and key path empty)`,
 			YAMLConfigPath: "testdata/web_config_noAuth_certPath_keyPath_empty.bad.yml",
-			ExpectedError:  ErrorMap["Invalid CertPath"],
+			ExpectedError:  ErrorMap["Invalid Cert or CertPath"],
 		},
 		{
 			Name:           `invalid config yml (cert path invalid)`,
@@ -215,6 +225,12 @@ func TestServerBehaviour(t *testing.T) {
 			UseTLSClient:   true,
 			ExpectedError:  nil,
 		},
+		{
+			Name:           `valid tls config yml (cert and key inline) and tls client`,
+			YAMLConfigPath: "testdata/web_config_noAuth_tlsInline.good.yml",
+			UseTLSClient:   true,
+			ExpectedError:  nil,
+		},
 		{
 			Name:                `valid tls config yml with TLS 1.1 client`,
 			YAMLConfigPath:      "testdata/web_config_noAuth.good.yml",
@@ -328,6 +344,13 @@ func TestServerBehaviour(t *testing.T) {
 			ClientCertificate: "client_selfsigned",
 			ExpectedError:     nil,
 		},
+		{
+			Name:              `valid tls config yml (cert from file, key inline) and tls client with RequireAnyClientCert (present certificate)`,
+			YAMLConfigPath:    "testdata/tls_config_noAuth.requireanyclientcert.good.yml",
+			UseTLSClient:      true,
+			ClientCertificate: "client_selfsigned",
+			ExpectedError:     nil,
+		},
 		{
 			Name:           `valid tls config yml and tls client with RequireAndVerifyClientCert`,
 			YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",