feat(mesh): enable peer mTLS from key_management.cache.mesh.peer_tls#558

Merged
rickcrawford merged 1 commit into main from rickcrawford/wor-1564-mesh-mtls-config, Jun 27, 2026

Conversation

@rickcrawford

Contributor

What

Makes the mesh peer-mTLS transport (mechanism merged in #557) operator-configurable from sb.yml. With this, an operator turns on mutual TLS for the mesh cache fabric with:

```yaml
key_management:
  cache:
    mesh:
      peer_tls:
        cert_file: /etc/sbproxy/mesh/node.crt
        key_file:  /etc/sbproxy/mesh/node.key
        ca_file:   /etc/sbproxy/mesh/ca.crt
        server_name: sbproxy-mesh   # optional, this is the default
```

Every inbound mesh connection must then present a CA-signed client certificate, and every outbound connection presents this node's certificate, both verified against the CA. Unset keeps the plaintext transport.

Layers wired

  • sbproxy-config: MeshPeerTlsConfig (cert_file/key_file/ca_file/server_name) on MeshClusterConfig; config JSON schema regenerated.
  • sbproxy-core key_plane: reads the PEM files (fail-closed on a read error) into PeerTlsParams on BootstrapConfig.
  • sbproxy-mesh bootstrap: builds the rustls acceptor + connector and threads them into TransportServer::start_with_security and TransportClientPool::with_security (which now constructs TLS-capable PeerClients).

Tests

  • The end-to-end mTLS roundtrip + handshake tests from feat(mesh): mutually-authenticated TLS for the peer transport #557 still pass; TransportClientPool now carries the connector to every client it builds.
  • sbproxy-config (293) and sbproxy-mesh (416) lib suites pass; sbproxy-core lib suite passes; clippy -D warnings clean on config + mesh; config schema regenerated and committed (CI's schema check will confirm it matches).

A misconfigured cert/key/CA fails the mesh bootstrap rather than silently downgrading the cluster to plaintext.
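The fail-closed resolution step described above, as an added example that is not the project's code: a std-only Rust sketch that stops at loading the PEM bytes (no rustls acceptor/connector is built, since that crate is not assumed). The names MeshPeerTlsConfig, PeerTlsParams and the `sbproxy-mesh` default come from the PR description; the struct shapes, the MeshTransport enum, resolve_mesh_transport, write_constructed_fixture and the PEM-armor sanity check are assumptions made for the example. The key property shown is that an absent block yields plaintext, while an unreadable or malformed file yields an error rather than plaintext.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Operator block mirroring `key_management.cache.mesh.peer_tls` (field names
/// from the PR description; the struct itself is a hypothetical stand-in).
#[derive(Debug, Clone)]
pub struct MeshPeerTlsConfig {
    pub cert_file: PathBuf,
    pub key_file: PathBuf,
    pub ca_file: PathBuf,
    pub server_name: Option<String>,
}

/// PEM material handed on to the TLS layer (hypothetical shape).
#[derive(Debug, PartialEq)]
pub struct PeerTlsParams {
    pub cert_pem: Vec<u8>,
    pub key_pem: Vec<u8>,
    pub ca_pem: Vec<u8>,
    pub server_name: String,
}

/// What bootstrap ends up with: plaintext only when the block is absent.
#[derive(Debug, PartialEq)]
pub enum MeshTransport {
    Plaintext,
    MutualTls(PeerTlsParams),
}

pub const DEFAULT_SERVER_NAME: &str = "sbproxy-mesh";

/// Read one PEM file. An I/O error or missing PEM armor is an error; the
/// armor check is a cheap sanity check, not a parse of the DER inside.
fn read_pem(field: &str, path: &Path, kind: &str) -> io::Result<Vec<u8>> {
    let bytes = fs::read(path).map_err(|e| {
        io::Error::new(e.kind(), format!("peer_tls.{field}: cannot read {}: {e}", path.display()))
    })?;
    let text = String::from_utf8_lossy(&bytes);
    let armored = text.contains("-----BEGIN ") && text.contains("-----END ") && text.contains(kind);
    if !armored {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("peer_tls.{field}: {} does not contain a PEM {kind}", path.display()),
        ));
    }
    Ok(bytes)
}

/// Resolve the operator block into transport parameters. Fail-closed: any
/// unreadable or malformed file returns Err, which aborts mesh bootstrap
/// instead of quietly falling back to plaintext.
pub fn resolve_mesh_transport(cfg: Option<&MeshPeerTlsConfig>) -> io::Result<MeshTransport> {
    let Some(cfg) = cfg else {
        return Ok(MeshTransport::Plaintext);
    };
    let params = PeerTlsParams {
        cert_pem: read_pem("cert_file", &cfg.cert_file, "CERTIFICATE")?,
        key_pem: read_pem("key_file", &cfg.key_file, "PRIVATE KEY")?,
        ca_pem: read_pem("ca_file", &cfg.ca_file, "CERTIFICATE")?,
        server_name: cfg
            .server_name
            .clone()
            .unwrap_or_else(|| DEFAULT_SERVER_NAME.to_string()),
    };
    Ok(MeshTransport::MutualTls(params))
}

/// Write a constructed (non-functional) PEM fixture into `dir` so the example
/// runs offline; the payloads are placeholders, not real key material.
pub fn write_constructed_fixture(dir: &Path) -> io::Result<MeshPeerTlsConfig> {
    fs::create_dir_all(dir)?;
    let cert = dir.join("node.crt");
    let key = dir.join("node.key");
    let ca = dir.join("ca.crt");
    fs::write(&cert, "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")?;
    fs::write(&key, "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")?;
    fs::write(&ca, "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")?;
    Ok(MeshPeerTlsConfig { cert_file: cert, key_file: key, ca_file: ca, server_name: None })
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("mesh-peer-tls-{}", std::process::id()));
    let cfg = write_constructed_fixture(&dir)?;
    match resolve_mesh_transport(Some(&cfg))? {
        MeshTransport::MutualTls(p) => println!("mTLS enabled, server_name={}", p.server_name),
        MeshTransport::Plaintext => println!("plaintext transport"),
    }
    // Remove the CA file: bootstrap must now fail, not downgrade.
    fs::remove_file(&cfg.ca_file)?;
    println!("after removing ca_file: {:?}", resolve_mesh_transport(Some(&cfg)).err());
    fs::remove_dir_all(&dir)
}
```

The order of the reads matters only for which error the operator sees first; what matters for safety is that every `?` propagates out of bootstrap, so there is no code path from a present `peer_tls` block to `MeshTransport::Plaintext`.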

Wires the mesh peer-mTLS transport (the mechanism landed in #557) through
to operator config. A new `peer_tls` block under `key_management.cache.mesh`
takes `cert_file` / `key_file` / `ca_file`, plus an optional `server_name`
(default `sbproxy-mesh`).

Flow across the layers:
- sbproxy-config gains MeshPeerTlsConfig on MeshClusterConfig (config schema
  regenerated).
- key_plane reads the PEM files (fail-closed on a read error) into a
  PeerTlsParams on BootstrapConfig.
- bootstrap builds the rustls acceptor + connector from it and threads them
  into TransportServer::start_with_security and
  TransportClientPool::with_security (which now creates TLS PeerClients).

Unset keeps the plaintext transport. The transport mechanism and its
end-to-end handshake tests are already in place; this is the operator-facing
toggle.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01X19S6eQzKKExZ9RUPAHuGy
@rickcrawford rickcrawford merged commit 0903fd5 into main Jun 27, 2026
4 checks passed
@rickcrawford rickcrawford deleted the rickcrawford/wor-1564-mesh-mtls-config branch June 27, 2026 23:35
