feat(server): add mTLS certificate bootstrap via JWT for Home connections

- Introduced `-home-jwt` flag and `HOME_JWT` environment variable to provide JWT for mTLS certificate generation.
- Added new APIs to handle certificate requests, validate JWT claims, and manage local certificate files.
- Updated Home TLS configuration to support client certificates, keys, and dynamic server name resolution.
This commit is contained in:
Luis Pater
2026-05-19 00:53:40 +08:00
parent cc0cb057b3
commit 77ba15f71b
4 changed files with 414 additions and 8 deletions
+28 -3
View File
@@ -172,7 +172,7 @@ func (c *Client) ensureClients() error {
}
func (c *Client) redisOptionsLocked(addr string) (*redis.Options, error) {
tlsConfig, errTLS := c.homeTLSConfigLocked()
tlsConfig, errTLS := c.homeTLSConfigLocked(addr)
if errTLS != nil {
return nil, errTLS
}
@@ -183,10 +183,14 @@ func (c *Client) redisOptionsLocked(addr string) (*redis.Options, error) {
}, nil
}
func (c *Client) homeTLSConfigLocked() (*tls.Config, error) {
func (c *Client) homeTLSConfigLocked(addr string) (*tls.Config, error) {
serverName := strings.TrimSpace(c.homeCfg.TLS.ServerName)
if serverName == "" {
serverName = strings.TrimSpace(c.seedHost)
if c.homeCfg.TLS.UseTargetServerName {
serverName = hostFromAddress(addr)
} else {
serverName = strings.TrimSpace(c.seedHost)
}
}
if serverName == "" {
serverName = strings.TrimSpace(c.homeCfg.Host)
@@ -194,6 +198,14 @@ func (c *Client) homeTLSConfigLocked() (*tls.Config, error) {
return newHomeTLSConfig(c.homeCfg.TLS, serverName)
}
func hostFromAddress(addr string) string {
host, _, errSplit := net.SplitHostPort(strings.TrimSpace(addr))
if errSplit == nil {
return strings.TrimSpace(host)
}
return strings.TrimSpace(addr)
}
func newHomeTLSConfig(cfg config.HomeTLSConfig, fallbackServerName string) (*tls.Config, error) {
if !cfg.Enable {
return nil, nil
@@ -210,6 +222,19 @@ func newHomeTLSConfig(cfg config.HomeTLSConfig, fallbackServerName string) (*tls
InsecureSkipVerify: cfg.InsecureSkipVerify,
}
clientCertPath := strings.TrimSpace(cfg.ClientCert)
clientKeyPath := strings.TrimSpace(cfg.ClientKey)
if clientCertPath != "" || clientKeyPath != "" {
if clientCertPath == "" || clientKeyPath == "" {
return nil, fmt.Errorf("home tls: client certificate and key must be set together")
}
certPair, errLoad := tls.LoadX509KeyPair(clientCertPath, clientKeyPath)
if errLoad != nil {
return nil, fmt.Errorf("home tls: load client certificate: %w", errLoad)
}
tlsConfig.Certificates = []tls.Certificate{certPair}
}
caCertPath := strings.TrimSpace(cfg.CACert)
if caCertPath == "" {
return tlsConfig, nil