When resolveInboundMTLSProfileForRoute fails for the global profile, emit a
zerolog error and continue without applying that pool. Apply inbound mTLS from
the global profile only when err is nil and pool is non-nil.
Add yaml struct tags to InboundMTLSProfile alongside json for YAML config
loading.
Clarify no-op stub methods in inbound_mtls_validation_test with comments.
compileInboundMTLSProfiles now returns a nil map when compilation fails,
instead of a partially populated map alongside the error. This avoids
callers accidentally using incomplete state when err != nil.
Add TestCompileInboundMTLSProfilesReturnsNilMapOnError for a mixed ok/bad
profile map. Reformat fakeHTTPRoute stub methods in the test file.
Add lookupInboundMTLSProfile so global and route-scoped refs must exist
in the loaded profile map. Propagate resolver errors through TLS
GetConfigForClient; in HTTP dispatch, return 421 only for SNI and
misdirected secure-route cases and log 500 for other resolution
failures.
Support adding routes with an existing listener for tests, reserve the
port via net.Listen without a race, and use t.Cleanup for server
teardown. Move relay_proxy_protocol_header documentation to per-route
TCP config in config.example.yml.
Add root-level inbound_mtls_profiles combining optional system CAs with PEM
CA files, and entrypoint.inbound_mtls_profile to require client certificates
on every HTTPS connection. Route-level inbound_mtls_profile is allowed only
without a global profile; per-handshake TLS picks ClientCAs from SNI, and
requests fail with 421 when Host and SNI would select different mTLS routes.
Compile pools at init (SetInboundMTLSProfiles from state.initEntrypoint) and
reject unknown profile refs or mixed global-plus-route configuration.
Extend config.example.yml and package READMEs; add entrypoint and config
tests for TLS mutation, handshakes, and validation.
