v0.4.0 — Mutual TLS for the mesh

@h-wata h-wata released this 31 May 15:39
8b1dd68

This release adds optional mutual TLS (mTLS) peer authentication for the
Zenoh mesh, plus a low-friction enrollment flow. Network admission (Tailscale /
WireGuard / trusted LAN) remains the first line of defense; mTLS adds
transport-level peer authentication on top for deployments that want it.

Highlights

  • Mutual TLS via a CSR-based private CA (kioku-mesh tls). A new tls
    command group provisions a small private PKI: tls init-ca creates the CA,
    tls request --san <addr> generates a peer key (which never leaves the host)
    plus a CSR, tls sign issues the certificate on the CA host, and
    tls install places the signed cert + CA cert into
    ~/.config/kioku-mesh/tls/. tls info reports subjects, SANs, and expiry.
    Only non-secret material (CSRs, signed certs, the CA cert) is ever exchanged
    between hosts. kioku-mesh init --mode <hub|spoke> --tls emits a
    tls/-scheme config with a transport.link.tls block (enable_mtls,
    verify_name_on_connect) and refuses to run until the certs exist. Keys are
    EC P-256; peer certs carry both serverAuth and clientAuth.

  • Copy-paste enrollment + one-command tls enroll. Replaces the scp
    round-trip that proved fiddly in practice. tls request / tls sign print a
    single armored, copy-pasteable block
    (-----BEGIN KIOKU-MESH CSR/CERT BUNDLE-----) you paste into the next
    command on the other host — no SSH, no path juggling, works over any
    channel. The signed block bundles the peer cert and the CA cert, so the
    peer pastes one block instead of shuttling two files. For anyone with SSH
    to the CA host, tls enroll <ca-host> --san <addr> folds
    request → sign-over-SSH → install into a single command.

  • doctor gains a tls_certs check. WARN under 30 days to expiry, FAIL if
    expired or missing while the config enables mTLS.
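The CSR-based PKI flow above and the doctor expiry check, as an added example built directly on the cryptography package (not kioku-mesh's own code): function names mirror the tls subcommands, and the hostname "spoke-1" and address 100.64.0.7 used when running it are constructed.

```python
# Added example, not kioku-mesh's own code; function names mirror the tls subcommands.
import datetime as dt
import ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

def _san_name(addr):
    try:  # --san <addr> may be an IP literal or a DNS name
        return x509.IPAddress(ipaddress.ip_address(addr))
    except ValueError:
        return x509.DNSName(addr)

def init_ca(name="kioku-mesh CA", days=3650):
    """tls init-ca: self-signed EC P-256 root; the CA key never leaves the CA host."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def request(hostname, san):
    """tls request --san: the peer key stays local; only the CSR is exchanged."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
           .add_extension(x509.SubjectAlternativeName([_san_name(san)]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr

def sign(ca_key, ca_cert, csr, days=365):
    """tls sign: check the CSR, copy its SAN, issue a serverAuth + clientAuth peer cert."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(san, critical=False)
            .add_extension(x509.ExtendedKeyUsage([EKU.SERVER_AUTH, EKU.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def cert_status(cert, warn_days=30):
    """doctor tls_certs: FAIL if expired, WARN under warn_days to expiry, else OK."""
    exp = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    left = exp - dt.datetime.now(dt.timezone.utc)
    return "FAIL" if left <= dt.timedelta(0) else "WARN" if left < dt.timedelta(days=warn_days) else "OK"
```

The CA key and the peer key are only ever held by the functions on their respective hosts; the CSR and the issued certificate are the only objects that would cross between them.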

See docs/mtls.md for the full walkthrough and trust model.

Upgrade notes

  • Adds a cryptography runtime dependency.
  • mTLS is opt-in — existing non-TLS meshes are unaffected and need no changes.
  • No on-disk storage-schema changes.

Install / upgrade

uv tool install --upgrade kioku-mesh