refactor(server): extract TLS / ACME helpers into server/tlscert

[fuziontech]

Summary

• Step 4 of the binary-split plan, stacked on PR refactor(server): extract auth and sysinfo helpers into pure subpackages #483
• Extracts the TLS-cert and ACME (HTTP-01, DNS-01) helpers out of server/ into a focused server/tlscert/ subpackage with zero duckdb-go dependency
• 5 files moved (3 source + 2 test); backward compatibility preserved via type aliases and re-export shims in server/tlscert_aliases.go
• go list -deps ./server/tlscert | grep duckdb-go returns empty

Files moved

From	To
server/certs.go	server/tlscert/certs.go
server/acme.go	server/tlscert/acme.go
server/acme_dns.go	server/tlscert/acme_dns.go
server/acme_test.go	server/tlscert/acme_test.go
server/acme_dns_test.go	server/tlscert/acme_dns_test.go

Backward-compat shim

server/tlscert_aliases.go keeps existing references compiling unchanged:

type (
    ACMEManager    = tlscert.ACMEManager
    ACMEDNSManager = tlscert.ACMEDNSManager
)
var (
    NewACMEManager        = tlscert.NewACMEManager
    NewACMEDNSManager     = tlscert.NewACMEDNSManager
    EnsureCertificates    = tlscert.EnsureCertificates
    generateSelfSignedCert = tlscert.GenerateSelfSignedCert
)

The previously-private generateSelfSignedCert is now exported as tlscert.GenerateSelfSignedCert because server_test.go calls it directly to generate cert pairs without the EnsureCertificates file-existence check.

Note on scope

PR #4 originally targeted querylog.go + checkpoint.go extraction (those would do more for the goal — they directly link duckdb-go via sql.Open("duckdb", ...)). That hit a chicken-and-egg problem: those constructors take server.Config (which embeds DuckLakeConfig and QueryLogConfig), and the duckdb-bound config types haven't moved to a leaf package on this branch yet. PR #1.5 (a parallel branch) does that work for DuckLakeConfig. Once #1.5 merges and this stack rebases, the querylog/checkpoint extraction lands in a follow-up PR.

Pivoted to TLS/ACME for this PR because it's clean, self-contained, and progresses the goal in the same shape as PR #3.

Test plan

• go build ./... clean
• go build -tags kubernetes ./... clean
• go test -short ./server/tlscert/... ./server/... ./controlplane/... — all green
• go list -deps ./server/tlscert | grep duckdb-go returns empty

Stack

• ✅ PR refactor(duckdbservice): extract DuckDB-free arrow helpers into arrowmap subpackage #477 (add test user #1): arrowmap extraction
• ✅ PR refactor(server): move DuckLakeConfig + migration into server/ducklake #480 (add test user #1.5): ducklake extraction (parallel branch)
• ✅ PR refactor: AppendValue split + auth/sysinfo subpackage extraction #482 (Add pg_catalog compatibility and binary format support #2): AppendValue split
• ✅ PR refactor(server): extract auth and sysinfo helpers into pure subpackages #483 (Add connection rate limiting to prevent brute-force attacks #3): auth + sysinfo subpackages — base of this PR
• ⚠️ This PR (Add configurable DuckDB extension loading #4): tlscert subpackage
• ⏳ PR Update README with new features #5 (after add test user #1.5 merges): querylog + checkpoint into server/exec/
• ⏳ PR Add COPY protocol, graceful shutdown, and enhanced pg_catalog support #6: split server.go / conn.go / types.go's duckdb-bound branches
• ⏳ PR Fix DuckLake ATTACH command format #7: introduce cmd/duckgres-controlplane and cmd/duckgres-worker
• ⏳ PR Add DuckLake with MinIO object storage support #8: flip CI/CD + Helm + per-DuckDB-version matrix

🤖 Generated with Claude Code