R5: relay enrolment — 'beacon gen-csr' (CSR-over-SSH) #4
Merged
Implements beacon R5 against helm's published relay-enrolment contract (helm/BUILD.md, "Relay enrollment contract"; DESIGN §5, decision 14 — CSR-over-SSH, no bootstrap token). Mirrors buoy's node onboarding.

- internal/pki.GenerateCSR generates the relay's ECDSA P-256 keypair on the host (key written 0600, never leaves the host) and emits a plain PKCS#10 CSR carrying only the public key. Idempotent — an existing key is reused so a retried enrolment never orphans it.
- The CSR deliberately asserts no Organization and no SANs: helm is the sole authority on relay identity and overrides them at signing time (O="PharosVPN Relay", dual ServerAuth+ClientAuth EKU, public-endpoint DNS SAN). A relay host must not self-assert the delegation marker.
- `beacon gen-csr [--config-dir]` prints the CSR to stdout (helm captures it over SSH) and diagnostics to stderr. helm then pushes back relay.crt, fleet-ca.crt and device-ca.crt — the files `beacon run` already loads from the config dir.

Signed-off-by: Khalefa <Khalefa@alahmad.org>

beacon/BUILD.md R5 still described a "bootstrap token" — superseded by DESIGN decision 14 (CSR-over-SSH, no token). Correct the milestone line and update the README status now that gen-csr enrolment is built.

Signed-off-by: Khalefa <Khalefa@alahmad.org>

beacon milestone R5 — relay enrolment

Implements beacon's side of helm's published relay-enrolment contract (helm/BUILD.md, "Relay enrollment contract"; DESIGN §5, decision 14 — CSR-over-SSH, no bootstrap token). Mirrors buoy's node onboarding.

`beacon gen-csr`

- `internal/pki.GenerateCSR` generates the relay's ECDSA P-256 keypair on the host — the private key is written `0600` to `relay.key` and never leaves the host. Idempotent: a retried enrolment reuses the existing key rather than orphaning it.
- `Organization` and no SANs: `helm` is the sole authority on relay identity and overrides them when it signs off the Fleet CA (`O="PharosVPN Relay"`, dual ServerAuth+ClientAuth EKU, public-endpoint DNS SAN). A relay host must not self-assert the delegation marker.

Command surface (helm's relay-deploy invokes these)

- `beacon gen-csr [--config-dir]`
- `beacon run --config-dir /etc/beacon` ExecStart)
- `beacon version`

After signing, `helm` pushes back `relay.crt`, `fleet-ca.crt` and `device-ca.crt` — exactly the files `beacon run` already loads from the config dir, alongside the `gen-csr`-written `relay.key`.

Also

CSR-over-SSH, decision 14) and updates the README status.

Quality

`gofmt`/`go vet`/`go test -race`/`golangci-lint` all clean; new unit tests cover key generation, idempotency, the plain-subject guarantee, and corrupt-key handling. Zero origin-project trace.

Next and last: R6 — static-binary packaging + deploy docs.
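
One way to test the plain-subject guarantee described above, as an added example that is not beacon's or helm's code and uses only Go's standard library. `NewCSR` and `CheckPlain` are hypothetical names, the SAN `relay.example.test` is constructed, and refusing a request that carries any subject attribute or extension is an assumption of this example (the description only says helm overrides them when signing).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// NewCSR (hypothetical helper) creates a fresh ECDSA P-256 key and a DER PKCS#10
// request from tmpl; an empty tmpl yields the plain request: public key only.
func NewCSR(tmpl x509.CertificateRequest) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// CheckPlain (hypothetical helper) accepts only a correctly signed P-256 request
// with no subject attributes and no requested extensions such as SANs.
func CheckPlain(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return err
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok || pub.Curve != elliptic.P256() {
		return fmt.Errorf("public key %T is not ECDSA P-256", csr.PublicKey)
	}
	if len(csr.Subject.Names) > 0 || len(csr.Extensions) > 0 {
		return fmt.Errorf("CSR self-asserts identity: subject %q, %d extension(s)", csr.Subject.String(), len(csr.Extensions))
	}
	return nil
}

func main() {
	plain, _ := NewCSR(x509.CertificateRequest{})
	// Constructed bad inputs: the host claims values only the signer may set.
	org, _ := NewCSR(x509.CertificateRequest{Subject: pkix.Name{Organization: []string{"PharosVPN Relay"}}})
	san, _ := NewCSR(x509.CertificateRequest{DNSNames: []string{"relay.example.test"}})
	fmt.Println("plain:", CheckPlain(plain))
	fmt.Println("org:  ", CheckPlain(org))
	fmt.Println("san:  ", CheckPlain(san))
}
```

The same check works on the signing side before a certificate is issued, since it needs nothing but the DER bytes of the request.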