ansible/roles/fleet_mtls_certs/defaults/main.yml

---
# Default paths on the *control node* where certs are read from.
# Override these in your inventory / group_vars as needed.

# Fleet CA certificate (public; safe to push to all nodes)
fleet_mtls_ca_cert_src: "{{ lookup('env', 'HOME') }}/.hermes/pki/ca/fleet-ca.crt"

# Per-agent cert/key source dir on the control node.
# Expected layout:  <fleet_mtls_agent_certs_dir>/<agent_name>/<agent_name>.{crt,key}
fleet_mtls_agent_certs_dir: "{{ lookup('env', 'HOME') }}/.hermes/pki/agents"

# Remote destination paths on the fleet node
fleet_mtls_remote_pki_dir: "/etc/hermes/pki"
fleet_mtls_remote_ca_dir: "{{ fleet_mtls_remote_pki_dir }}/ca"
fleet_mtls_remote_agent_dir: "{{ fleet_mtls_remote_pki_dir }}/agent"

# The agent name to deploy (set per-host in inventory, e.g. timmy / allegro / ezra)
fleet_mtls_agent_name: "{{ inventory_hostname_short }}"

# Hermes service name (for reload notification)
fleet_mtls_hermes_service: "hermes-a2a"
feat: A2A auth — mutual TLS between fleet agents Implements mutual TLS for secure agent-to-agent communication (#806). - scripts/gen_fleet_ca.sh: generate fleet CA (4096-bit RSA, 10-year) - scripts/gen_agent_cert.sh: per-agent cert signed by fleet CA (timmy, allegro, ezra) - agent/a2a_mtls.py: A2AServer requiring client cert verification (CERT_REQUIRED), build_server_ssl_context / build_client_ssl_context helpers, server_from_env() - ansible/roles/fleet_mtls_certs/: distribute CA + per-agent certs to fleet nodes, write /etc/hermes/a2a.env, notify hermes-a2a service on change - ansible/fleet_mtls.yml + ansible/inventory/fleet.ini.example: playbook + example inventory - tests/agent/test_a2a_mtls.py: 11 tests — authorized agent accepted (200/202), self-signed cert rejected, no-cert rejected, lifecycle, env-var wiring Fixes #806 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-21 13:28:28 -04:00			`---`
			`# Default paths on the control node where certs are read from.`
			`# Override these in your inventory / group_vars as needed.`

			`# Fleet CA certificate (public; safe to push to all nodes)`
			`fleet_mtls_ca_cert_src: "{{ lookup('env', 'HOME') }}/.hermes/pki/ca/fleet-ca.crt"`

			`# Per-agent cert/key source dir on the control node.`
			`# Expected layout: <fleet_mtls_agent_certs_dir>/<agent_name>/<agent_name>.{crt,key}`
			`fleet_mtls_agent_certs_dir: "{{ lookup('env', 'HOME') }}/.hermes/pki/agents"`

			`# Remote destination paths on the fleet node`
			`fleet_mtls_remote_pki_dir: "/etc/hermes/pki"`
			`fleet_mtls_remote_ca_dir: "{{ fleet_mtls_remote_pki_dir }}/ca"`
			`fleet_mtls_remote_agent_dir: "{{ fleet_mtls_remote_pki_dir }}/agent"`

			`# The agent name to deploy (set per-host in inventory, e.g. timmy / allegro / ezra)`
			`fleet_mtls_agent_name: "{{ inventory_hostname_short }}"`

			`# Hermes service name (for reload notification)`
			`fleet_mtls_hermes_service: "hermes-a2a"`