Pass operator's TLS cert to agent container (#2363)

* Agent changes - accepting cert in env

* mirrord-protocol version bump

* Removed unused NoopVerifier

* mirrord-kube changes - passing cert via env to the agent container

* Changelog entry

* Doc extended

* Format

* Clippy ;_;

* Improved doc

* Apply suggestions from code review

Co-authored-by: t4lz <[email protected]>

* Changelog entry improved

* fmt

---------

Co-authored-by: t4lz <[email protected]>

changelog.d/2362.added.md

@@ -0,0 +1 @@
+Agent now authenticates TLS connections, using a provided X509 certificate (mirrord for Teams only).

mirrord/agent/Cargo.toml

@@ -58,6 +58,7 @@ once_cell.workspace = true
 semver.workspace = true
 drain.workspace = true
 tokio-rustls = "0.25"
+x509-parser = "0.16"
 
 [target.'cfg(target_os = "linux")'.dependencies]
 iptables = {git = "https://github.com/metalbear-co/rust-iptables.git", rev = "e66c7332e361df3c61a194f08eefe3f40763d624"}
@@ -67,3 +68,4 @@ rawsocket = {git = "https://github.com/metalbear-co/rawsocket.git"}
 [dev-dependencies]
 mockall = "0.11.2" # 0.11.3 is broken
 test_bin = "0.4"
+rcgen = "0.10"

mirrord/agent/src/cli.rs

@@ -1,7 +1,7 @@
 #![deny(missing_docs)]
 
 use clap::{Parser, Subcommand};
-use mirrord_protocol::{MeshVendor, AGENT_TLS_ENV};
+use mirrord_protocol::{MeshVendor, AGENT_OPERATOR_CERT_ENV};
 
 const DEFAULT_RUNTIME: &str = "containerd";
 
@@ -42,9 +42,12 @@ pub struct Args {
     #[arg(long, default_value = "1.2.1")]
     pub base_protocol_version: semver::Version,
 
-    /// Whether TLS should be used to encrypt incoming client connections.
-    #[arg(long, default_value_t = false, env = AGENT_TLS_ENV)]
-    pub use_tls: bool,
+    /// PEM-encoded X509 certificate that this agent will use to secure incoming TCP connections
+    /// from the clients (proxied by the operator).
+    ///
+    /// If not given, the agent will not use TLS.
+    #[arg(long, env = AGENT_OPERATOR_CERT_ENV)]
+    pub operator_tls_cert_pem: Option<String>,
 }
 
 #[derive(Clone, Debug, Default, Subcommand)]