[feature] Allow loading TLS certs from disk (#1586)

Currently, GtS only supports using the built-in LE client directly for
TLS. However, admins may still want to use GtS directly (so without a
reverse proxy) but with certificates provided through some other
mechanism. They may have some centralised way of provisioning these
things themselves, or simply prefer to use LE but with a different
challenge like DNS-01 which is not supported by autocert.

This adds support for loading a public/private keypair from disk instead
of using LE and reconfigures the server to use a TLS listener if we
succeed in doing so.

Additionally, being able to load TLS keypair from disk opens up the path
to using a custom CA for testing purposes avoinding the need for a
constellation of containers and something like Pebble or Step CA to
provide LE APIs.

internal/router/router.go

@@ -20,6 +20,7 @@ package router
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@@ -78,6 +79,26 @@ func (r *router) Start() {
 	// but updated to TLS if LetsEncrypt is enabled.
 	listen := r.srv.ListenAndServe
 
+	// During config validation we already checked that both Chain and Key are set
+	// so we can forego checking for both here
+	if chain := config.GetTLSCertificateChain(); chain != "" {
+		pkey := config.GetTLSCertificateKey()
+		cer, err := tls.LoadX509KeyPair(chain, pkey)
+		if err != nil {
+			log.Fatalf(
+				nil,
+				"tls: failed to load keypair from %s and %s, ensure they are PEM-encoded and can be read by this process: %s",
+				chain, pkey, err,
+			)
+		}
+		r.srv.TLSConfig = &tls.Config{
+			MinVersion:   tls.VersionTLS12,
+			Certificates: []tls.Certificate{cer},
+		}
+		// TLS is enabled, update the listen function
+		listen = func() error { return r.srv.ListenAndServeTLS("", "") }
+	}
+
 	if config.GetLetsEncryptEnabled() {
 		// LetsEncrypt support is enabled