Commit 3c49f7f
feat(dgw): agent tunnel transparent routing + cert renewal
Builds on #1738 (core infrastructure). Follow-up PRs will add the
Windows/Linux installer integration, gateway webapp agent
management UI, Docker deployment, and Playwright E2E harness.
Transparent routing:
- `crates/agent-tunnel/src/routing.rs`: `RoutingDecision` pipeline —
explicit `jet_agent_id` from the JWT → subnet match → domain
suffix match (longest wins) → direct connect. Single `try_route`
entry point consumed by all gateway proxy paths.
- `crates/agent-tunnel/src/registry.rs`: `find_agents_for(host)` +
`RouteAdvertisementState::matches_target()` do the lookup in one
spot; offline agents are skipped.
- Gateway proxy integration: `api/fwd.rs`, `api/kdc_proxy.rs`,
`api/rdp.rs`, `rd_clean_path.rs`, `generic_client.rs`, `rdp_proxy.rs`
all call `try_route` before falling through to direct TCP.
- Tests: `agent-tunnel/src/integration_test.rs` (2 full-stack QUIC
E2E), `tests/agent_tunnel_registry.rs` (13),
`tests/agent_tunnel_routing.rs` (8).
Agent-side certificate renewal:
- `enrollment.rs`: `is_cert_expiring(cert_path, threshold_days)` and
`generate_csr_from_existing_key(key_path, agent_name)` — the key
never changes across renewals, the gateway just signs a new cert
with the same public key.
- `tunnel.rs`: on connect, if the cert is within 15 days of expiry,
the agent sends a `CertRenewalRequest` control message with a new
CSR, waits for `CertRenewalResponse::Success`, writes the renewed
cert and CA, and reconnects.
- `agent-tunnel/src/listener.rs`: gateway-side handler signs the
CSR via `CaManager::sign_agent_csr` and returns the new cert chain.
(Stub replaced: master's handler emitted a debug log and dropped
the message.)
QUIC endpoint override:
- `enrollment.rs`: new `quic_endpoint_override: Option<String>`
parameter on `enroll_agent` — if set, overrides the endpoint
returned by the enroll API. Needed because the gateway's
`quic_endpoint` is derived from `conf.hostname`, which in a
containerized deployment is often the container ID (not routable
from outside).
- `main.rs`: new `--quic-endpoint` CLI flag and `jet_quic_endpoint`
JWT claim; precedence is CLI flag > JWT claim > enroll API
response.
Agent-side routing primitives:
- `tunnel_helpers.rs`: `Target::Ip` / `Target::Domain` enum parsed
from the gateway's `ConnectRequest::target`, `resolve_target`
(domain → DNS), `connect_to_target` (happy-eyeballs).
Tests: 22 agent-tunnel lib + 3 proto version + 24 proto control +
11 proto session + 13 registry + 8 routing integration + 64 gateway
lib, all green. Zero clippy warnings; nightly fmt clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent d89dd0c
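As an added illustration of the "Transparent routing" pipeline described in the commit message (this is example code written for this page, not the project's `crates/agent-tunnel/src/routing.rs`, and not part of the commit): a stand-alone Rust model of the decision order explicit agent id from the JWT, then subnet match, then longest domain-suffix match, then direct connect, with offline agents skipped at every step. The type and function names (`Advertisement`, `RoutingDecision`, `try_route`, `sample_advertisements`) and the three-agent registry are assumptions constructed here; in particular, the choice to fall through to the other matchers when the explicitly requested agent is offline is this example's assumption, not something the commit states.

```rust
use std::net::Ipv4Addr;

/// One agent's route advertisement as the gateway registry would hold it.
/// Hypothetical shape for this example; not the project's own type.
#[derive(Clone, Debug)]
pub struct Advertisement {
    pub agent_id: String,
    pub online: bool,
    /// IPv4 subnets reachable through this agent, as (network, prefix length).
    pub subnets: Vec<(Ipv4Addr, u8)>,
    /// DNS suffixes reachable through this agent, e.g. "corp.example".
    pub domain_suffixes: Vec<String>,
}

/// Outcome of the pipeline: tunnel through a named agent, or connect directly.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum RoutingDecision {
    ViaAgent(String),
    Direct,
}

/// Only online agents take part in any lookup.
fn online(ads: &[Advertisement]) -> impl Iterator<Item = &Advertisement> {
    ads.iter().filter(|a| a.online)
}

/// True when `ip` lies inside `net/prefix` (prefix 0 matches everything).
fn in_subnet(ip: Ipv4Addr, net: Ipv4Addr, prefix: u8) -> bool {
    let prefix = u32::from(prefix.min(32));
    let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

/// Length of the matched suffix when `host` equals `suffix` or ends with ".suffix".
/// Matching on a label boundary keeps "evilcorp.example" from matching "corp.example".
fn suffix_match_len(host: &str, suffix: &str) -> Option<usize> {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let suffix = suffix.trim_matches('.').to_ascii_lowercase();
    if !suffix.is_empty() && (host == suffix || host.ends_with(&format!(".{suffix}"))) {
        Some(suffix.len())
    } else {
        None
    }
}

/// Routing pipeline in the order the commit message gives:
/// explicit agent id -> subnet match -> longest domain suffix -> direct.
pub fn try_route(explicit_agent_id: Option<&str>, target: &str, ads: &[Advertisement]) -> RoutingDecision {
    // 1. An explicit, online agent named in the token wins outright.
    //    Assumption of this example: an offline or unknown explicit agent falls
    //    through to the matchers below instead of failing the connection.
    if let Some(id) = explicit_agent_id {
        if let Some(a) = online(ads).find(|a| a.agent_id == id) {
            return RoutingDecision::ViaAgent(a.agent_id.clone());
        }
    }

    // 2. IP literal: the first online agent advertising a covering subnet.
    if let Ok(ip) = target.parse::<Ipv4Addr>() {
        if let Some(a) = online(ads).find(|a| a.subnets.iter().any(|&(net, p)| in_subnet(ip, net, p))) {
            return RoutingDecision::ViaAgent(a.agent_id.clone());
        }
        return RoutingDecision::Direct;
    }

    // 3. Hostname: the longest advertised suffix across all online agents wins.
    let best = online(ads)
        .flat_map(|a| {
            a.domain_suffixes
                .iter()
                .filter_map(move |s| suffix_match_len(target, s).map(|len| (len, a)))
        })
        .max_by_key(|(len, _)| *len);

    match best {
        Some((_, a)) => RoutingDecision::ViaAgent(a.agent_id.clone()),
        None => RoutingDecision::Direct, // 4. nothing matched: plain direct TCP
    }
}

/// Constructed sample registry: two online agents and one offline agent.
pub fn sample_advertisements() -> Vec<Advertisement> {
    vec![
        Advertisement { agent_id: "agent-a".into(), online: true,
            subnets: vec![(Ipv4Addr::new(10, 0, 0, 0), 8)], domain_suffixes: vec!["corp.example".into()] },
        Advertisement { agent_id: "agent-b".into(), online: true,
            subnets: vec![], domain_suffixes: vec!["lab.corp.example".into()] },
        Advertisement { agent_id: "agent-c".into(), online: false,
            subnets: vec![(Ipv4Addr::new(192, 168, 0, 0), 16)], domain_suffixes: vec![] },
    ]
}

fn main() {
    let ads = sample_advertisements();
    let cases: [(Option<&str>, &str); 4] = [
        (None, "10.1.2.3"),
        (Some("agent-b"), "10.1.2.3"),
        (None, "host.lab.corp.example"),
        (None, "192.168.1.1"),
    ];
    for (claim, target) in cases {
        println!("{claim:?} {target:>24} -> {:?}", try_route(claim, target, &ads));
    }
}
```

The offline agent `agent-c` is the case worth watching in review: its 192.168.0.0/16 advertisement is ignored, so a target inside it goes direct rather than waiting on a tunnel that does not exist, and the explicit-agent path is subject to the same skip.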
21 files changed
Lines changed: 1486 additions & 151 deletions
File tree
- crates/agent-tunnel
- src
- devolutions-agent/src
- devolutions-gateway
- src
- api
- tests