From 73fc2590658d09fe2cc9b6ea273ca4f0c2abe6bd Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Tue, 8 Aug 2023 13:23:18 -0700
Subject: [PATCH] config: deprecate tls_downstream_client_ca

Log a deprecation warning for any route where tls_downstream_client_ca or tls_downstream_client_ca_file is non-empty.
---
 config/policy.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/policy.go b/config/policy.go
index cbc7af62fcd..88a0332f785 100644
--- a/config/policy.go
+++ b/config/policy.go
@@ -496,7 +496,11 @@ func (p *Policy) Validate() error {
 		}
 	}
 
+	const clientCADeprecationMsg = "config: %s is deprecated, see https://www.pomerium.com/docs/" +
+		"reference/routes/tls#tls-downstream-client-certificate-authority for more information"
+
 	if p.TLSDownstreamClientCA != "" {
+		log.Warn(context.Background()).Msgf(clientCADeprecationMsg, "tls_downstream_client_ca")
 		_, err := base64.StdEncoding.DecodeString(p.TLSDownstreamClientCA)
 		if err != nil {
 			return fmt.Errorf("config: couldn't decode downstream client ca: %w", err)
@@ -504,6 +508,7 @@ func (p *Policy) Validate() error {
 	}
 
 	if p.TLSDownstreamClientCAFile != "" {
+		log.Warn(context.Background()).Msgf(clientCADeprecationMsg, "tls_downstream_client_ca_file")
 		bs, err := os.ReadFile(p.TLSDownstreamClientCAFile)
 		if err != nil {
 			return fmt.Errorf("config: couldn't load downstream client ca: %w", err)
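Review bot: The warning added in the first hunk (`log.Warn(context.Background()).Msgf(clientCADeprecationMsg, "tls_downstream_client_ca")`) does not identify which route it applies to, so on a deployment with many routes an operator has no way to find the policy that needs migrating; because this option governs downstream client-certificate (mTLS) enforcement, a setting nobody can locate is likely to be left in place or removed blind. If Policy carries a route identifier such as its `from` URL, attach it to the event, e.g. `log.Warn(context.Background()).Str("route", <route-id>).Msgf(clientCADeprecationMsg, "tls_downstream_client_ca")`; I cannot confirm a suitable field from this hunk. Since the message only says "deprecated", it would also help operators to state in the message or the linked docs whether the configured CA is still enforced until removed, so that "deprecated" is not read as "ignored" and client-cert checks are not dropped unintentionally. Validate's body starts before and continues after this hunk, and the same considerations apply to the second hunk's `tls_downstream_client_ca_file` warning.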