From f6e46098c66a48cca255d2abd39e444344a0cb95 Mon Sep 17 00:00:00 2001
From: James Chacon
Date: Wed, 2 Mar 2022 21:08:00 -0800
Subject: [PATCH] Add comments indicating CA's are self contained. (#82)
* Add comments indicating CA's are self contained. i.e. one should start with a system pool copy and append most likely.
* Update comment. Better wording
---
 auth/mtls/mtls.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/auth/mtls/mtls.go b/auth/mtls/mtls.go
index 76d34c04..ca12f180 100644
--- a/auth/mtls/mtls.go
+++ b/auth/mtls/mtls.go
@@ -36,10 +36,16 @@ var (
 type CredentialsLoader interface {
 // LoadClientCA returns a CertPool which should be used by a server to
 // validate client certificates.
+ // NOTE: The pool returned here will be the only pool used to validate certificates.
+ // Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
+ // with any custom certificates appended.
 LoadClientCA(context.Context) (*x509.CertPool, error)
 // LoadRootCA returns a CertPool which should be used by clients to
 // validate server certificates.
+ // NOTE: The pool returned here will be the only pool used to validate certificates.
+ // Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
+ // with any custom certificates appended.
 LoadRootCA(context.Context) (*x509.CertPool, error)
 // LoadClientCertificates returns the certificate that should be presented
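Review bot: The NOTE added to LoadClientCA recommends seeding the pool from x509.SystemCertPool(), but for a server's client-CA pool that is rarely the intent: every certificate chaining to a public root in the system store would then be accepted as a client identity, whereas the same advice is reasonable for LoadRootCA where the peer is a server. I would add to the LoadClientCA comment: `// For client authentication this usually means a private CA only; appending the system pool would accept any publicly-issued certificate as a client.` The phrase "copying from x509.SystemCertPool()" could also be tightened, since SystemCertPool already returns a copy and can return an error on some platforms, so the caller appends to that result rather than copying it again. The NOTE text is duplicated verbatim on both methods; a single interface-level sentence stating that the returned pool is used exclusively, with each method referring to it, would keep the two from drifting apart.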