All checks were successful
Lint / lint (pull_request) Successful in 10s
Implements mutual TLS for secure agent-to-agent communication (#806).

- scripts/gen_fleet_ca.sh: generate fleet CA (4096-bit RSA, 10-year)
- scripts/gen_agent_cert.sh: per-agent cert signed by fleet CA (timmy, allegro, ezra)
- agent/a2a_mtls.py: A2AServer requiring client cert verification (CERT_REQUIRED), build_server_ssl_context / build_client_ssl_context helpers, server_from_env()
- ansible/roles/fleet_mtls_certs/: distribute CA + per-agent certs to fleet nodes, write /etc/hermes/a2a.env, notify hermes-a2a service on change
- ansible/fleet_mtls.yml + ansible/inventory/fleet.ini.example: playbook + example inventory
- tests/agent/test_a2a_mtls.py: 11 tests — authorized agent accepted (200/202), self-signed cert rejected, no-cert rejected, lifecycle, env-var wiring

Fixes #806

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
22 lines
939 B
YAML
```yaml
---
# Default paths on the *control node* where certs are read from.
# Override these in your inventory / group_vars as needed.

# Fleet CA certificate (public; safe to push to all nodes)
fleet_mtls_ca_cert_src: "{{ lookup('env', 'HOME') }}/.hermes/pki/ca/fleet-ca.crt"

# Per-agent cert/key source dir on the control node.
# Expected layout: <fleet_mtls_agent_certs_dir>/<agent_name>/<agent_name>.{crt,key}
fleet_mtls_agent_certs_dir: "{{ lookup('env', 'HOME') }}/.hermes/pki/agents"

# Remote destination paths on the fleet node
fleet_mtls_remote_pki_dir: "/etc/hermes/pki"
fleet_mtls_remote_ca_dir: "{{ fleet_mtls_remote_pki_dir }}/ca"
fleet_mtls_remote_agent_dir: "{{ fleet_mtls_remote_pki_dir }}/agent"

# The agent name to deploy (set per-host in inventory, e.g. timmy / allegro / ezra)
fleet_mtls_agent_name: "{{ inventory_hostname_short }}"

# Hermes service name (for reload notification)
fleet_mtls_hermes_service: "hermes-a2a"
```
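Review bot: the per-agent source layout `<fleet_mtls_agent_certs_dir>/<agent_name>/<agent_name>.{crt,key}` includes a private key that gets copied to every fleet node, yet these defaults expose no owner, group or mode for what lands under `fleet_mtls_remote_agent_dir`; add variables such as `fleet_mtls_key_mode: "0600"` and an owner matching the account the `hermes-a2a` service runs as, so the key's protection is visible and overridable rather than buried in the tasks, and state in the comment that only the key for `fleet_mtls_agent_name` is pushed to a given host. Separately, defaulting `fleet_mtls_agent_name` to `inventory_hostname_short` silently resolves to a non-existent source directory whenever inventory entries are IPs or aliases that differ from the agent names (timmy / allegro / ezra); either document that the inventory hostname must equal the agent name or have the role fail early when `<fleet_mtls_agent_certs_dir>/<agent_name>/` is missing.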