Add mTLS to CP→agent channel

- Internal ECDSA P-256 CA (WRENN_CA_CERT/WRENN_CA_KEY env vars); when absent the system falls back to plain HTTP so dev mode works without certificates - Host leaf cert (7-day TTL, IP SAN) issued at registration and renewed on every JWT refresh; fingerprint + expiry stored in DB (cert_expires_at column replaces the removed mtls_enabled flag) - CP ephemeral client cert (24-hour TTL) via CPCertStore with atomic hot-swap; background goroutine renews it every 12 hours without restarting the server - Host agent uses tls.Listen + httpServer.Serve so GetCertificate callback is respected (ListenAndServeTLS always reads cert from disk) - Sandbox reverse proxy now uses pool.Transport() so it shares the same TLS config as the Connect RPC clients instead of http.DefaultTransport - Credentials file renamed host-credentials.json with cert_pem/key_pem/ ca_cert_pem fields; duplicate register/refresh response structs collapsed to authResponse
2026-03-30 21:24:35 +06:00
parent 88f919c4ca
commit 25ce0729d5
16 changed files with 716 additions and 144 deletions
--- a/db/migrations/20260330112050_mtls_cert_expiry.sql
+++ b/db/migrations/20260330112050_mtls_cert_expiry.sql
@ -0,0 +1,7 @@
+-- +goose Up
+ALTER TABLE hosts DROP COLUMN mtls_enabled;
+ALTER TABLE hosts ADD COLUMN cert_expires_at TIMESTAMPTZ;
+
+-- +goose Down
+ALTER TABLE hosts DROP COLUMN cert_expires_at;
+ALTER TABLE hosts ADD COLUMN mtls_enabled BOOLEAN NOT NULL DEFAULT FALSE;
--- a/db/queries/hosts.sql
+++ b/db/queries/hosts.sql
@ -20,16 +20,25 @@ SELECT * FROM hosts WHERE status = $1 ORDER BY created_at DESC;

 -- name: RegisterHost :execrows
 UPDATE hosts
-SET arch = $2,
-    cpu_cores = $3,
-    memory_mb = $4,
-    disk_gb = $5,
-    address = $6,
-    status = 'online',
+SET arch             = $2,
+    cpu_cores        = $3,
+    memory_mb        = $4,
+    disk_gb          = $5,
+    address          = $6,
+    cert_fingerprint = $7,
+    cert_expires_at  = $8,
+    status           = 'online',
    last_heartbeat_at = NOW(),
-    updated_at = NOW()
+    updated_at        = NOW()
 WHERE id = $1 AND status = 'pending';

+-- name: UpdateHostCert :exec
+UPDATE hosts
+SET cert_fingerprint = $2,
+    cert_expires_at  = $3,
+    updated_at       = NOW()
+WHERE id = $1;
+
 -- name: UpdateHostStatus :exec
 UPDATE hosts SET status = $2, updated_at = NOW() WHERE id = $1;