Add support for mTLS (#3136)

brancz · web-flow · commit 932370b42368 · 2026-03-19T11:50:59.000+01:00
This PR adds two new flags to the agent to accept a client certificate
and a client key, so it can authenticate with the server via `mTLS`.
diff --git a/flags/flags.go b/flags/flags.go
@@ -342,6 +342,9 @@ type FlagsRemoteStore struct {
 	GRPCConnectionTimeout    time.Duration     `default:"3s" help:"The timeout duration for gRPC connection establishment."`
 	GRPCMaxConnectionRetries uint32            `default:"5" help:"The maximum number of retries to establish a gRPC connection."`
 	GRPCHeaders              map[string]string `help:"Additional gRPC headers to send with each request (key=value pairs)."`
+
+	ClientCert string `help:"Client certificate for mTLS"`
+	ClientKey  string `help:"Client key for mTLS"`
 }
 
 // FlagsDebuginfo contains flags to configure debuginfo.
diff --git a/flags/grpc.go b/flags/grpc.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -83,12 +84,27 @@ func (f FlagsRemoteStore) setupGrpcConnection(parent context.Context, metrics *g
 	if f.Insecure {
 		opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	} else {
-		opts = append(opts,
-			grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
-				// Support only TLS1.3+ with valid CA certificates
-				MinVersion:         tls.VersionTLS13,
-				InsecureSkipVerify: f.InsecureSkipVerify,
-			})))
+		tlsConfig := tls.Config{
+			// Support only TLS1.3+ with valid CA certificates
+			MinVersion:         tls.VersionTLS13,
+			InsecureSkipVerify: f.InsecureSkipVerify,
+		}
+
+		if f.ClientKey != "" && f.ClientCert != "" {
+			cert, err := tls.LoadX509KeyPair(f.ClientCert, f.ClientKey)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load client certificates: %w", err)
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
+
+			url, err := url.Parse(f.Address)
+			if err != nil {
+				return nil, fmt.Errorf("couldn't parse address (%s): %w", f.Address, err)
+			}
+			tlsConfig.ServerName = url.Hostname()
+		}
+
+		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(&tlsConfig)))
 	}
 
 	// Auth

Original file line number	Diff line number	Diff line change
`@@ -342,6 +342,9 @@ type FlagsRemoteStore struct {`
`342`	`342`	GRPCConnectionTimeout time.Duration `default:"3s" help:"The timeout duration for gRPC connection establishment."`
`343`	`343`	GRPCMaxConnectionRetries uint32 `default:"5" help:"The maximum number of retries to establish a gRPC connection."`
`344`	`344`	GRPCHeaders map[string]string `help:"Additional gRPC headers to send with each request (key=value pairs)."`
	`345`	`+`
	`346`	+ ClientCert string `help:"Client certificate for mTLS"`
	`347`	+ ClientKey string `help:"Client key for mTLS"`
`345`	`348`	`}`
`346`	`349`
`347`	`350`	`// FlagsDebuginfo contains flags to configure debuginfo.`