[log] Add debug logging to LoadGatewayTLS (#5971)

lpcox · web-flow · commit e06554f4c5f2 · 2026-05-19T07:20:07.000-07:00
## Summary Enhances `internal/server/gateway_tls.go` with additional debug logging calls in `LoadGatewayTLS` to improve observability during TLS configuration setup. ## Changes File modified: `internal/server/gateway_tls.go` Log calls added/improved: 1. (improved) Log leaf certificate count after key pair loaded 2. (new) Log CA certificate pool built successfully (mTLS path) 3. (new) Log one-way TLS configured (no client certs required) 4. (new) Log final TLS configuration ready with mtls status ## Validation - `go build ./...` passes - `go vet ./...` passes ## Logger Reuses existing `var logGatewayTLS = logger.New("server:tls")` — no new logger declaration needed. > Generated by [Go Logger Enhancement](https://github.com/github/gh-aw-mcpg/actions/runs/26066891283/agentic_workflow) · ● 9.9M · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+go-logger%22&type=pullrequests)
diff --git a/internal/server/gateway_tls.go b/internal/server/gateway_tls.go
@@ -31,7 +31,7 @@ func LoadGatewayTLS(certPath, keyPath, caPath string) (*tls.Config, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to load server TLS certificate/key: %w", err)
 	}
-	logGatewayTLS.Print("server TLS key pair loaded")
+	logGatewayTLS.Printf("server TLS key pair loaded: certChainLen=%d", len(serverCert.Certificate))
 
 	cfg := &tls.Config{
 		Certificates: []tls.Certificate{serverCert},
@@ -48,12 +48,16 @@ func LoadGatewayTLS(certPath, keyPath, caPath string) (*tls.Config, error) {
 		if !caPool.AppendCertsFromPEM(caPEM) {
 			return nil, fmt.Errorf("failed to parse CA certificate from %s", caPath)
 		}
+		logGatewayTLS.Printf("CA certificate pool built: ca=%s", caPath)
 
 		// Require and verify client certificates signed by the provided CA.
 		cfg.ClientCAs = caPool
 		cfg.ClientAuth = tls.RequireAndVerifyClientCert
 		logGatewayTLS.Printf("mTLS enabled: client certificates required, CA=%s", caPath)
+	} else {
+		logGatewayTLS.Print("one-way TLS configured: client certificates not required")
 	}
 
+	logGatewayTLS.Printf("gateway TLS configuration ready: minVersion=%s, mtls=%v", tls.VersionName(cfg.MinVersion), caPath != "")
 	return cfg, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func LoadGatewayTLS(certPath, keyPath, caPath string) (*tls.Config, error) {`
`31`	`31`	`if err != nil {`
`32`	`32`	`return nil, fmt.Errorf("failed to load server TLS certificate/key: %w", err)`
`33`	`33`	`}`
`34`		`- logGatewayTLS.Print("server TLS key pair loaded")`
	`34`	`+ logGatewayTLS.Printf("server TLS key pair loaded: certChainLen=%d", len(serverCert.Certificate))`
`35`	`35`
`36`	`36`	`cfg := &tls.Config{`
`37`	`37`	`Certificates: []tls.Certificate{serverCert},`
`@@ -48,12 +48,16 @@ func LoadGatewayTLS(certPath, keyPath, caPath string) (*tls.Config, error) {`
`48`	`48`	`if !caPool.AppendCertsFromPEM(caPEM) {`
`49`	`49`	`return nil, fmt.Errorf("failed to parse CA certificate from %s", caPath)`
`50`	`50`	`}`
	`51`	`+ logGatewayTLS.Printf("CA certificate pool built: ca=%s", caPath)`
`51`	`52`
`52`	`53`	`// Require and verify client certificates signed by the provided CA.`
`53`	`54`	`cfg.ClientCAs = caPool`
`54`	`55`	`cfg.ClientAuth = tls.RequireAndVerifyClientCert`
`55`	`56`	`logGatewayTLS.Printf("mTLS enabled: client certificates required, CA=%s", caPath)`
	`57`	`+ } else {`
	`58`	`+ logGatewayTLS.Print("one-way TLS configured: client certificates not required")`
`56`	`59`	`}`
`57`	`60`
	`61`	`+ logGatewayTLS.Printf("gateway TLS configuration ready: minVersion=%s, mtls=%v", tls.VersionName(cfg.MinVersion), caPath != "")`
`58`	`62`	`return cfg, nil`
`59`	`63`	`}`