tksadik92/wrenn-releases
1
0
Fork 0
forked from wrenn/wrenn
Code Pull Requests Activity

Enforce mandatory mTLS for CP↔agent communication

Browse Source 
Both the control plane and host agent now refuse to start without valid
mTLS configuration, closing the unauthenticated proxy/RPC attack surface
that existed when running in plain HTTP fallback mode.
This commit is contained in:
Rafeed M. Bhuiyan
2026-04-08 02:25:43 +06:00
parent 2737288a2b
commit c8615466be
2 changed files with 59 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
cmd/control-plane/main.go
View File

@ -69,24 +69,19 @@ func main() {
} }
slog.Info("connected to redis") slog.Info("connected to redis")
// mTLS: parse internal CA and build a TLS-capable host client pool. // mTLS is mandatory — parse internal CA for CP↔agent communication.
// When CA env vars are absent the pool falls back to plain HTTP (dev mode). if cfg.CACert == "" || cfg.CAKey == "" {
var ca *auth.CA slog.Error("WRENN_CA_CERT and WRENN_CA_KEY are required — mTLS is mandatory for CP↔agent communication")
if cfg.CACert != "" && cfg.CAKey != "" { os.Exit(1)
var err error }
ca, err = auth.ParseCA(cfg.CACert, cfg.CAKey) ca, err := auth.ParseCA(cfg.CACert, cfg.CAKey)
if err != nil { if err != nil {
slog.Error("failed to parse mTLS CA from environment", "error", err) slog.Error("failed to parse mTLS CA from environment", "error", err)
os.Exit(1) os.Exit(1)
} }
slog.Info("mTLS enabled: CA loaded") slog.Info("mTLS enabled: CA loaded")
} else {
slog.Warn("mTLS disabled: WRENN_CA_CERT/WRENN_CA_KEY not set — host agent connections are unencrypted")
}
// Host client pool — manages Connect RPC clients to host agents. // Host client pool — manages Connect RPC clients to host agents.
var hostPool *lifecycle.HostClientPool
if ca != nil {
cpCertStore, err := auth.NewCPCertStore(ca) cpCertStore, err := auth.NewCPCertStore(ca)
if err != nil { if err != nil {
slog.Error("failed to issue CP client certificate", "error", err) slog.Error("failed to issue CP client certificate", "error", err)
@ -110,11 +105,8 @@ func main() {
} }
} }
}() }()
hostPool = lifecycle.NewHostClientPoolTLS(auth.CPClientTLSConfig(ca, cpCertStore)) hostPool := lifecycle.NewHostClientPoolTLS(auth.CPClientTLSConfig(ca, cpCertStore))
slog.Info("host client pool: mTLS enabled") slog.Info("host client pool: mTLS enabled")
} else {
hostPool = lifecycle.NewHostClientPool()
}
// Scheduler — picks a host for each new sandbox (round-robin for now). // Scheduler — picks a host for each new sandbox (round-robin for now).
hostScheduler := scheduler.NewRoundRobinScheduler(queries) hostScheduler := scheduler.NewRoundRobinScheduler(queries)

29
cmd/host-agent/main.go
View File

@ -5,7 +5,6 @@ import (
"crypto/tls" "crypto/tls"
"flag" "flag"
"log/slog" "log/slog"
"net"
"net/http" "net/http"
"os" "os"
"os/signal" "os/signal"
@ -99,9 +98,12 @@ func main() {
// httpServer is declared here so the shutdown func can reference it. // httpServer is declared here so the shutdown func can reference it.
httpServer := &http.Server{Addr: listenAddr} httpServer := &http.Server{Addr: listenAddr}
// Set up mTLS if the CP issued a certificate during registration. // mTLS is mandatory — refuse to start without a valid certificate.
var certStore hostagent.CertStore var certStore hostagent.CertStore
if creds.CertPEM != "" && creds.KeyPEM != "" && creds.CACertPEM != "" { if creds.CertPEM == "" || creds.KeyPEM == "" || creds.CACertPEM == "" {
slog.Error("mTLS certificate not received from CP — ensure WRENN_CA_CERT and WRENN_CA_KEY are configured on the control plane")
os.Exit(1)
}
if err := certStore.ParseAndStore(creds.CertPEM, creds.KeyPEM); err != nil { if err := certStore.ParseAndStore(creds.CertPEM, creds.KeyPEM); err != nil {
slog.Error("failed to load host TLS certificate", "error", err) slog.Error("failed to load host TLS certificate", "error", err)
os.Exit(1) os.Exit(1)
@ -113,9 +115,6 @@ func main() {
} }
httpServer.TLSConfig = tlsCfg httpServer.TLSConfig = tlsCfg
slog.Info("mTLS enabled on agent server") slog.Info("mTLS enabled on agent server")
} else {
slog.Warn("mTLS disabled: no certificate received from CP — agent serving plain HTTP")
}
// doShutdown is the single shutdown path. sync.Once ensures mgr.Shutdown // doShutdown is the single shutdown path. sync.Once ensures mgr.Shutdown
// and httpServer.Shutdown are each called exactly once regardless of // and httpServer.Shutdown are each called exactly once regardless of
@ -182,10 +181,9 @@ func main() {
}() }()
slog.Info("host agent starting", "addr", listenAddr, "host_id", creds.HostID) slog.Info("host agent starting", "addr", listenAddr, "host_id", creds.HostID)
if httpServer.TLSConfig != nil { // TLSConfig is always set (mTLS is mandatory). Create the TLS listener
// When TLSConfig is pre-populated (cert via GetCertificate callback), // manually because ListenAndServeTLS requires on-disk cert/key paths
// ListenAndServeTLS does not work because it requires on-disk cert/key paths. // but we use GetCertificate callback for hot-swap support.
// Instead, create the TLS listener manually and call Serve.
ln, err := tls.Listen("tcp", listenAddr, httpServer.TLSConfig) ln, err := tls.Listen("tcp", listenAddr, httpServer.TLSConfig)
if err != nil { if err != nil {
slog.Error("failed to start TLS listener", "error", err) slog.Error("failed to start TLS listener", "error", err)
@ -195,17 +193,6 @@ func main() {
slog.Error("https server error", "error", err) slog.Error("https server error", "error", err)
os.Exit(1) os.Exit(1)
} }
} else {
ln, err := net.Listen("tcp", listenAddr)
if err != nil {
slog.Error("failed to start listener", "error", err)
os.Exit(1)
}
if err := httpServer.Serve(ln); err != nil && err != http.ErrServerClosed {
slog.Error("http server error", "error", err)
os.Exit(1)
}
}
slog.Info("host agent stopped") slog.Info("host agent stopped")
} }