feat: v0.3.0 — OpenZiti Overlay, XDP Edge Protection, System Attestation#28
PenguinzTech wants to merge 10 commits into main
Unifies three disconnected policy systems (policy_rules PyDAL table, firewall_rules table, access_control_manager) into a single canonical schema enforced across WireGuard clients (Go PolicyEngine) and Kubernetes services (CiliumNetworkPolicy CRDs).

## What's new

### Phase 1 — Unified policy schema
- Replace firewall_rules with policy_rules table (scope, direction, JSON array fields for domains/ports/src_cidrs/dst_cidrs/users/groups)
- Policy CRUD API routes (py4web @action) + firewall compat shim
- gRPC proto updated with repeated string fields

### Phase 2 — Go PolicyEngine wired
- Fix REST fetch envelope unwrap in grpc_client.go
- PolicyEngine enhanced with SrcCIDRs, DstCIDRs, 6-dimension matching
- policy_adapter.go bridges api.Policy → policy.RawPolicy
- Replace firewallManager.CheckAccess at all 5 proxy check sites

### Phase 3 — FRR iBGP + OSPF underlay
- deploy/frr/ configs for us-east and eu-west (AS 65001 iBGP)
- vrf_manager.py generates iBGP stanzas and pushes via RESTCONF
- Helm frr-configmap + frr-daemonset templates

### Phase 4 — Cilium WireGuard + CiliumNetworkPolicy
- values-cilium.yaml: WireGuard node encryption, Hubble, DSR LB
- cilium_translator.py: policy_rules → CiliumNetworkPolicy CRDs
- k8s_client.py: create/update/delete CRDs via kubernetes-client
- networkpolicy.yaml: conditional standard/Cilium CRD selection
- WireGuard manager: clientPeersOnly filter for Cilium coexistence

### Phase 5 — Zeek network analysis
- deploy/zeek/: site scripts for WireGuard + TLS + DNS analysis
- mirror/manager.go: Zeek VXLAN tap alongside Suricata
- Helm zeek-configmap + zeek-daemonset templates

### Phase 6 — gRPC policy streaming
- grpc/server.py: PolicyServicer with FetchPolicies + SubscribePolicyUpdates
- Redis policy:updates channel triggers on CRUD mutations
- main.py: gRPC server lifecycle wired into lifespan coroutine
- Dockerfile: EXPOSE 50051

### Phase 7 — WebUI API wiring
- hub-webui/src/lib/api.ts: ApiEnvelope unwrapping, typed Policy model
- PolicyManagement.tsx: live API calls replace mock data

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
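The 6-dimension match described in Phase 2 (domains, ports, src_cidrs, dst_cidrs, users, groups over the policy_rules array fields), illustrated as an added Python example that is not the project's Go PolicyEngine or its Python code. The `action` column, empty-list-means-any and first-match ordering are assumptions; the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch
@dataclass
class Policy:
    name: str
    action: str  # "allow" or "deny"; column name assumed, not from the PR
    domains: list = field(default_factory=list)
    ports: list = field(default_factory=list)
    src_cidrs: list = field(default_factory=list)
    dst_cidrs: list = field(default_factory=list)
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)

def _in_cidrs(ip: str, cidrs: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _port_match(port: int, ports: list) -> bool:
    # Entries may be a single port ("443") or a range ("8000-8999").
    for p in ports:
        lo, _, hi = str(p).partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def matches(policy: Policy, req: dict) -> bool:
    # All six dimensions must match; an empty list is a wildcard (assumed).
    checks = (
        (policy.domains, lambda: any(fnmatch(req["domain"], d) for d in policy.domains)),
        (policy.ports, lambda: _port_match(req["port"], policy.ports)),
        (policy.src_cidrs, lambda: _in_cidrs(req["src_ip"], policy.src_cidrs)),
        (policy.dst_cidrs, lambda: _in_cidrs(req["dst_ip"], policy.dst_cidrs)),
        (policy.users, lambda: req["user"] in policy.users),
        (policy.groups, lambda: bool(set(req["groups"]) & set(policy.groups))),
    )
    return all(not dim or check() for dim, check in checks)

def evaluate(policies: list, req: dict, default: str = "deny") -> str:
    # First matching rule wins (ordering assumed); unmatched traffic is denied.
    for p in policies:
        if matches(p, req):
            return p.action
    return default

SAMPLE_POLICIES = [  # constructed sample rules, not the project's data
    Policy("block-finance", "deny", domains=["*.finance.internal"]),
    Policy("eng-https", "allow", ports=["443", "8000-8999"], src_cidrs=["10.20.0.0/16"], groups=["eng"]),
]
```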
Three-layer identity mesh: OIDC management plane, SPIFFE/SPIRE workload identity, and cross-cloud Cilium Cluster Mesh over hub-router WireGuard.

Management plane:
- RFC 9068 OIDC-compliant JWTs with tenant/team/role/scope claims
- Scope-based authorization middleware (require_scope decorator)
- Hub-api as built-in OIDC provider (discovery, JWKS, token, userinfo)
- External IdP federation with token exchange
- SQLAlchemy + Alembic schema management, PyDAL runtime (migrate=False)
- Multi-tenant isolation with Global → Tenant → Team → Resource hierarchy

Workload identity:
- Cloud-native identity first (EKS Pod Identity, GCP WI, Azure WI)
- SPIRE fallback for on-prem/bare-metal (TPM, cloud IID, K8s PSAT)
- Unified token exchange: any provider → Tobogganing JWT
- Identity bridge: bidirectional SPIFFE ↔ OIDC mapping

Cross-cloud connectivity:
- Hub-to-hub WireGuard mesh bridge for Cilium Cluster Mesh
- Policy engine with 9-dimension matching (tenant + scopes + SPIFFE ID)
- Cilium identity-aware policy translation
- SPIRE Helm chart with multi-attestor support

WebUI:
- Tenant, Team, and Workload Identity management pages
- ScopeGate component for role-based UI rendering

Includes unit tests (Python + Go), documentation, and Helm charts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rework the overlay abstraction from broken L3/HandlePacket model to correct L7/net.Listener semantics. Add config-driven overlay selection (same binary, runtime switch), dual-mode WireGuard+OpenZiti client, and XDP/eBPF kernel-level edge protection for bare-metal deployments.

Overlay changes:
- Revised OverlayProvider interface with Listener() net.Listener
- Hub-router OpenZiti listener via edge.Listener + JWT+HOST handshake
- Client dual-mode provider (WG L3 kernel + Ziti L7 userspace)
- Client default overlay type changed to "dual"
- OverlayScope added as 7th policy engine dimension
- All 5 proxy evaluation sites now set OverlayScope: "wireguard"

XDP/eBPF changes:
- BPF C program: 3-stage XDP pipeline (blocklist → flood → rate limit)
- Go XDP loader with build-tag gating (//go:build xdp)
- AF_XDP zero-copy sockets, NUMA-aware memory pools
- Blocklist sync from policy engine deny rules to BPF map
- Prometheus metrics for XDP packet processing

Also: desktop client migrated to unified modular client at penguintechinc/penguin — overlay library remains here.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Desktop client and mobile app (now Flutter, replacing React Native) migrated to penguintechinc/penguin unified modular client. Overlay library remains in clients/native/internal/overlay/.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…bile+embedded) Flutter for iOS/Android, Go for desktop/headless — all in penguintechinc/penguin, replacing the React Native mobile app.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…olicy — v0.3.0

Pydantic 2.x schemas on all API endpoints (422 responses), Zod frontend schemas, PyDAL validators. Squawk DNS-over-HTTPS integration for hub-router, native client, and Docker client. WaddlePerf fabric metrics with HTTP/TCP/UDP/ICMP probes and WebUI dashboard. Default-deny NetworkPolicy for Helm and Kustomize deployments.

Input validation:
- Pydantic BaseModel schemas for all POST/PUT endpoints
- Custom validators: IsCIDR, IsPortRange, IsProtocol
- Zod schemas mirroring backend validation
- PyDAL requires validators updated

Squawk DNS:
- Hub-router DNS forwarder (miekg/dns)
- Native client DNS module with platform-specific resolv.conf
- Docker client SQUAWK_ENABLED support

WaddlePerf:
- Hub-router FabricMonitor with multi-protocol probes
- Performance API routes (POST/GET metrics, GET summary)
- WebUI Fabric Metrics page with latency matrix
- Prometheus gauges for latency, jitter, packet loss

Default-deny NetworkPolicy:
- Helm template + Kustomize base manifests
- Explicit allowlists for inter-service communication

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The native Go client in clients/native/ is now explicitly scoped to hardware, VMs, bare metal servers, containers, and embedded/IoT devices. End-user desktop and mobile clients have moved to the unified modular client at penguintechinc/penguin.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… hardware fingerprinting

Add hardware-rooted trust verification for the native Go infrastructure client. Clients collect a weighted system fingerprint (TPM PCR quote, cloud instance identity, DMI, MACs, disk serials, CPU) and submit it during registration. Hub-api validates attestation, computes confidence score (0-115), embeds it in JWT claims, and detects fingerprint drift on token refresh.

Go attestation package (clients/native/internal/attestation/):
- Collector orchestrator with composite SHA-256 hash of stable fields
- Hardware collectors: DMI, MAC, CPU, disk serials, OS info
- Cloud identity auto-detection: AWS/GCP/Azure via IMDS (500ms timeout)
- TPM 2.0 PCR quote with challenge-response nonce (build-tag gated: -tags tpm)
- No-op stub for default builds (zero go-tpm dependency)

Hub-api attestation (services/hub-api/):
- AttestationValidator with weighted confidence scoring and drift detection
- FleetDM client for optional server-side hardware cross-reference
- Challenge endpoint (POST /api/v1/attestation/challenge) for TPM nonce
- Attestation validation in client registration with confidence response
- Drift detection on token refresh (product_uuid change → 403)
- JWT claims: attest_conf, attest_method

Tests: Go unit tests (20 passing), Python test modules, smoke tests, e2e scripts
Docs: ATTESTATION.md guide, FEATURES.md, RELEASE_NOTES.md, README.md updated

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
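The hub-api side of the attestation flow above (composite hash of stable fields, weighted 0-115 confidence, attest_conf/attest_method claims, product_uuid drift → 403) as an added Python example, not the project's AttestationValidator. The per-source weights, which fields count as stable, the nonce handling and the method labels are assumptions; the fingerprint is constructed.

```python
import hashlib
import json

# Assumed per-source weights summing to the 0-115 range the PR states; the real
# values live in hub-api's AttestationValidator and are not given on the page.
WEIGHTS = {"tpm_quote": 40, "cloud_identity": 30, "dmi": 20,
           "disk_serials": 10, "macs": 10, "cpu": 5}
STABLE_FIELDS = ("dmi", "disk_serials", "cpu")  # assumed set hashed into the composite
DRIFT_FIELD = "product_uuid"  # a change on refresh yields 403 (from the PR)

def composite_hash(fingerprint: dict) -> str:
    # SHA-256 over stable fields only, canonically serialised so key order is irrelevant.
    stable = {k: fingerprint.get(k) for k in STABLE_FIELDS}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()

def confidence(fingerprint: dict, nonce_ok: bool) -> tuple:
    # Weighted score; a TPM quote that does not carry the hub's challenge nonce
    # earns nothing, since it could be replayed from another registration.
    score = sum(w for k, w in WEIGHTS.items() if fingerprint.get(k))
    tpm_ok = bool(fingerprint.get("tpm_quote")) and nonce_ok
    if fingerprint.get("tpm_quote") and not nonce_ok:
        score -= WEIGHTS["tpm_quote"]
    method = "tpm" if tpm_ok else "cloud" if fingerprint.get("cloud_identity") else "hardware"
    return max(0, min(115, score)), method

def jwt_claims(fingerprint: dict, nonce_ok: bool) -> dict:
    # The two claims the PR names; values are embedded at registration time.
    conf, method = confidence(fingerprint, nonce_ok)
    return {"attest_conf": conf, "attest_method": method}

def check_refresh(stored: dict, presented: dict) -> int:
    # Drift detection on token refresh: HTTP status the refresh endpoint returns.
    if stored.get(DRIFT_FIELD) != presented.get(DRIFT_FIELD):
        return 403
    return 200

# Constructed fingerprint as a client might submit it (values are placeholders).
SAMPLE = {"tpm_quote": "<pcr-quote>", "cloud_identity": "<aws-instance-identity>",
          "dmi": {"vendor": "ExampleCo"}, "disk_serials": ["SN1"],
          "macs": ["02:00:00:00:00:01"], "cpu": "model-x", "product_uuid": "u-1"}
```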
- GitHub Actions: pin uses: to commit SHAs (not mutable version tags)
- Trivy: standardize to trivy-action@v0.35.0 with trivy-version=v0.69.3

Follows updated immutable dependency standards in .claude/rules/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

-tags xdp)

System Attestation Details

New in this update — hardware-rooted trust verification for native Go infrastructure clients:

-tags tpm), attest_conf, attest_method, POST /api/v1/attestation/challenge

Test plan

go vet ./... passes on clients/native

Generated with Claude Code