Refactor CA certificate config operations to match registry pattern (#2476)

This change moves CA certificate configuration operations from CLI command
functions into the pkg/config package, following the established pattern
used by registry operations.

Changes:
- Add pkg/config/cacert.go with helper functions (setCACert, getCACert, unsetCACert)
- Extend Provider interface with CA cert methods
- Implement CA cert methods in DefaultProvider, PathProvider, and KubernetesProvider
- Refactor CLI commands to use provider methods, reducing CLI code by 60%
- Add comprehensive table-driven tests (9 test cases)

This establishes consistent patterns across all config operations and
improves separation of concerns by moving validation logic out of the
CLI layer.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

Author: JAORMX

cmd/thv/app/config.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/stacklok/toolhive/pkg/certs"
 	"github.com/stacklok/toolhive/pkg/config"
 )
 
@@ -99,73 +98,51 @@ func init() {
 }
 
 func setCACertCmdFunc(_ *cobra.Command, args []string) error {
-	certPath := filepath.Clean(args[0])
+	certPath := args[0]
 
-	// Validate that the file exists and is readable
-	if _, err := os.Stat(certPath); err != nil {
-		return fmt.Errorf("CA certificate file not found or not accessible: %w", err)
-	}
-
-	// Read and validate the certificate
-	certContent, err := os.ReadFile(certPath)
-	if err != nil {
-		return fmt.Errorf("failed to read CA certificate file: %w", err)
-	}
-
-	// Validate the certificate format
-	if err := certs.ValidateCACertificate(certContent); err != nil {
-		return fmt.Errorf("invalid CA certificate: %w", err)
-	}
-
-	// Update the configuration
-	err = config.UpdateConfig(func(c *config.Config) {
-		c.CACertificatePath = certPath
-	})
+	provider := config.NewDefaultProvider()
+	err := provider.SetCACert(certPath)
 	if err != nil {
-		return fmt.Errorf("failed to update configuration: %w", err)
+		return err
 	}
 
-	fmt.Printf("Successfully set CA certificate path: %s\n", certPath)
+	fmt.Printf("Successfully set CA certificate path: %s\n", filepath.Clean(certPath))
 	return nil
 }
 
 func getCACertCmdFunc(_ *cobra.Command, _ []string) error {
-	configProvider := config.NewDefaultProvider()
-	cfg := configProvider.GetConfig()
+	provider := config.NewDefaultProvider()
+	certPath, exists, accessible := provider.GetCACert()
 
-	if cfg.CACertificatePath == "" {
+	if !exists {
 		fmt.Println("No CA certificate is currently configured.")
 		return nil
 	}
 
-	fmt.Printf("Current CA certificate path: %s\n", cfg.CACertificatePath)
+	fmt.Printf("Current CA certificate path: %s\n", certPath)
 
-	// Check if the file still exists
-	if _, err := os.Stat(cfg.CACertificatePath); err != nil {
-		fmt.Printf("Warning: The configured CA certificate file is not accessible: %v\n", err)
+	if !accessible {
+		fmt.Printf("Warning: The configured CA certificate file is not accessible\n")
 	}
 
 	return nil
 }
 
 func unsetCACertCmdFunc(_ *cobra.Command, _ []string) error {
-	configProvider := config.NewDefaultProvider()
-	cfg := configProvider.GetConfig()
+	provider := config.NewDefaultProvider()
+	certPath, exists, _ := provider.GetCACert()
 
-	if cfg.CACertificatePath == "" {
+	if !exists {
 		fmt.Println("No CA certificate is currently configured.")
 		return nil
 	}
 
-	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
-		c.CACertificatePath = ""
-	})
+	err := provider.UnsetCACert()
 	if err != nil {
-		return fmt.Errorf("failed to update configuration: %w", err)
+		return err
 	}
 
-	fmt.Println("Successfully removed CA certificate configuration.")
+	fmt.Printf("Successfully removed CA certificate configuration: %s\n", certPath)
 	return nil
 }
 

pkg/config/cacert.go

@@ -0,0 +1,97 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/stacklok/toolhive/pkg/certs"
+)
+
+// setCACert validates and sets the CA certificate path using the provided provider.
+// It performs the following validations:
+//   - Verifies the file exists and is readable
+//   - Reads the certificate content
+//   - Validates the certificate format using pkg/certs.ValidateCACertificate
+//   - Cleans the file path
+//
+// The function returns an error if any validation fails or if updating the configuration fails.
+func setCACert(provider Provider, certPath string) error {
+	// Clean the path
+	certPath = filepath.Clean(certPath)
+
+	// Validate that the file exists and is readable
+	if _, err := os.Stat(certPath); err != nil {
+		return fmt.Errorf("CA certificate file not found or not accessible: %w", err)
+	}
+
+	// Read and validate the certificate
+	certContent, err := os.ReadFile(certPath)
+	if err != nil {
+		return fmt.Errorf("failed to read CA certificate file: %w", err)
+	}
+
+	// Validate the certificate format
+	if err := certs.ValidateCACertificate(certContent); err != nil {
+		return fmt.Errorf("invalid CA certificate: %w", err)
+	}
+
+	// Update the configuration
+	err = provider.UpdateConfig(func(c *Config) {
+		c.CACertificatePath = certPath
+	})
+	if err != nil {
+		return fmt.Errorf("failed to update configuration: %w", err)
+	}
+
+	return nil
+}
+
+// getCACert returns the currently configured CA certificate path and its accessibility status.
+// It returns three values:
+//   - certPath: the configured certificate path (empty string if not set)
+//   - exists: true if a CA certificate is configured in the config
+//   - accessible: true if the certificate file exists and is accessible on the filesystem
+//
+// Note: exists can be true while accessible is false if the file was deleted after configuration.
+func getCACert(provider Provider) (certPath string, exists bool, accessible bool) {
+	cfg := provider.GetConfig()
+
+	if cfg.CACertificatePath == "" {
+		return "", false, false
+	}
+
+	certPath = cfg.CACertificatePath
+	exists = true
+
+	// Check if the file is still accessible
+	if _, err := os.Stat(certPath); err != nil {
+		accessible = false
+	} else {
+		accessible = true
+	}
+
+	return certPath, exists, accessible
+}
+
+// unsetCACert removes the CA certificate configuration from the config file.
+// If no CA certificate is currently configured, this function is a no-op and returns nil.
+// Returns an error if updating the configuration fails.
+func unsetCACert(provider Provider) error {
+	cfg := provider.GetConfig()
+
+	if cfg.CACertificatePath == "" {
+		// Already unset, no-op
+		return nil
+	}
+
+	// Update the configuration
+	err := provider.UpdateConfig(func(c *Config) {
+		c.CACertificatePath = ""
+	})
+	if err != nil {
+		return fmt.Errorf("failed to update configuration: %w", err)
+	}
+
+	return nil
+}