feat: dynamic TLS configuration support

[jeengbe]

Changes the ssl option to accept a function that returns TLS options or a promise thereof. This is useful for ever more popular environments that run short-lived certificates that might expire during the lifetime of an application. The docs mention now SPIFFE for some SEO juice for people searching "node spiffe" 🙂

The only current alternative I can see is the stream option, but that's undocumented and would require manually sending the SSLRequest packet during the handshake. And it doesn't appear to support asynchronous creation.

All contributions except for the test spec written by humans.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.66%. Comparing base (6d0ba45) to head (211c6d7).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4191      +/-   ##
==========================================
+ Coverage   90.64%   90.66%   +0.01%     
==========================================
  Files          86       86              
  Lines       14245    14267      +22     
  Branches     1798     1804       +6     
==========================================
+ Hits        12913    12935      +22     
  Misses       1332     1332              

Flag	Coverage Δ
compression-0	89.92% <100.00%> (+0.01%)	⬆️
compression-1	90.64% <100.00%> (+0.01%)	⬆️
static-parser-0	88.35% <100.00%> (+0.01%)	⬆️
static-parser-1	89.07% <100.00%> (+0.01%)	⬆️
tls-0	90.08% <71.79%> (+<0.01%)	⬆️
tls-1	90.43% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[wellwelwel]

Thanks, @jeengbe! Does this PR resolve some issue?

To fix the website's lint/format, you can run npm --prefix website run lint 🙋🏻‍♂️

[jeengbe]

Thanks, @wellwelwel, fixed!

The issue it resovles it that you currently have to recreate your connection (pool) when client credentials change. Now, the same pool instance can continue to be used and new connections can simply fetch the latest available certificate. The docs should maybe mention this (feel free to change stuff yourself too) that this will most commonly be used to fetch cert and key rather than ca.

If you mean GitHub issue, then no 🙂 The change is small enough I figured I'd just give it a go

[jeengbe]

Could you please help me with getting this out if it looks alright?

[wellwelwel]

Could you please help me with getting this out if it looks alright?

I'm stopping for today, but I'll definitely take a closer look tomorrow 🙋🏻‍♂️

[jeengbe]

Hi @wellwelwel, please excuse the personal mention, but could you give this another look? Thank you for your time and maintaining this package 🙇🏻‍♂️

[sidorares]

Hi @jeengbe sorry for the delay! I'll add my review comments, overall looks good, lets try to release this

[sidorares]

what happens if this throws synchronously? The caller does not catches error, and unlike async error we'll have connection in a broken state

[sidorares]

worth adding extra guard

if (typeof sslConfig !== 'object' || sslConfig === null) {
  onSecure(new TypeError('SSL factory must return an object'));
  return;
}

so that if user supplied factory returns garbage its much easier to debug ( the typings do cover that, but won't hurt imo )