
feat(ae-control): TLS on the control surface (CONTROL_TLS)#71

Merged
entlein merged 1 commit into ae-followup-auth from feat/ae-control-tls on Jun 23, 2026
Conversation

@entlein entlein commented Jun 22, 2026


Why

Wire audit (tcpdump on dx→AE :9100) caught 720 cleartext Authorization: Bearer eyJ… JWTs in 70s — the #68 control-surface auth token crosses the CNI in plaintext (AE_CONTROL_ADDR is a ClusterIP svc over http). Sniffable + replayable. Auth without TLS is half a control.

What

CONTROL_TLS=true → the control surface serves TLS (httpSrv.ListenAndServeTLS) with server.crt/server.key from the service-tls-certs secret the broker/PEM already use (verified present in pl). dx skip-verifies (entlein/dx#88). Default-OFF, symmetric to CONTROL_REQUIRE_AUTH — safe incremental rollout.

  • adaptive_export_deployment.yaml: mounts service-tls-certs at /certs.
  • ALPN: ListenAndServeTLS offers h2+http/1.1; dx's net/http client speaks http/1.1 over TLS — negotiates cleanly.

Stacking

Based on ae-followup-auth (#68). Rollout: CONTROL_REQUIRE_AUTH=true + CONTROL_TLS=true together, dx AE_CONTROL_ADDR → https://.

Validation

Being tested now on a live PG (one image change at a time, NFRs + tcpdump confirming the :9100 exchange — incl. the auth bearer — is encrypted end-to-end). Evidence to follow.

Auth without TLS is half a control: tcpdump on dx→AE :9100 captured 720
cleartext `Authorization: Bearer` JWTs in 70s — the #68 token crosses the
CNI in plaintext. CONTROL_TLS=true now serves TLS with server.crt/key from
the service-tls-certs secret (broker/PEM already use it; dx skip-verifies).
Default-OFF for incremental rollout, symmetric to CONTROL_REQUIRE_AUTH.
Stacks on #68 (ae-followup-auth). dx client half: entlein/dx#88.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
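Added example, not code from this PR or the AE repo: the CONTROL_TLS switch in miniature, plus the probe a rollout would run against the control listener before and after flipping it (the description's "tcpdump confirming the :9100 exchange is encrypted" done from the client side). Assumed: httptest's throwaway localhost cert stands in for the /certs mount of service-tls-certs, the handler is a stub, and the client mirrors the skip-verify, http/1.1 behaviour the description attributes to dx.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ControlTLSConfig is the server-side TLS policy for CONTROL_TLS=true: a TLS 1.2
// floor plus the h2+http/1.1 ALPN list that ListenAndServeTLS would offer anyway.
func ControlTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, NextProtos: []string{"h2", "http/1.1"}}
}

// StartControlServer stands in for the :9100 listener. controlTLS plays the role of
// CONTROL_TLS: false is the pre-PR cleartext listener, true serves TLS. httptest's
// throwaway localhost cert replaces the /certs/server.crt+key mount used in prod.
func StartControlServer(controlTLS bool, h http.Handler) *httptest.Server {
	if !controlTLS {
		return httptest.NewServer(h) // cleartext: Authorization: Bearer is visible to tcpdump
	}
	srv := httptest.NewUnstartedServer(h)
	srv.TLS = ControlTLSConfig() // prod: httpSrv.TLSConfig + ListenAndServeTLS(crt, key)
	srv.StartTLS()
	return srv
}

// ProbeTLS connects the way dx does (skip-verify, http/1.1 client) and reports the
// negotiated TLS version and ALPN protocol; against a cleartext listener it errors.
func ProbeTLS(hostport string) (uint16, string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true, // as dx does (entlein/dx#88)
		NextProtos: []string{"http/1.1"}}}
	resp, err := (&http.Client{Transport: tr}).Get("https://" + hostport + "/")
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.TLS.Version, resp.TLS.NegotiatedProtocol, nil
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	for _, on := range []bool{false, true} { // the rollout check: probe before and after flipping the switch
		srv := StartControlServer(on, ok)
		ver, alpn, err := ProbeTLS(srv.Listener.Addr().String())
		fmt.Printf("CONTROL_TLS=%t: tls=%#x alpn=%q err=%v\n", on, ver, alpn, err)
		srv.Close()
	}
}
```

The skip-verify client matches what the description says dx does today; pinning the service CA on the dx side is the step that closes the remaining on-path risk.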
coderabbitai Bot commented Jun 22, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


entlein commented Jun 23, 2026


Validated on PG 6a3998d9 (aeprod21, tcpdump + NFR). With CONTROL_TLS=true+CONTROL_REQUIRE_AUTH=true (cert from service-tls-certs at /certs, PL_JWT_SIGNING_KEY from pl-cluster-secrets) + dx AE_CONTROL_ADDR=https: AE logs TLS ENABLED+auth ENABLED; tcpdump :9100 → 0 cleartext bearer (was 1224), 482 TLS handshakes, 4283 pkts ciphertext; dx→AE→CH writes land over TLS+auth (185→193), recall 1.00/prec 1.00, 0 errors. ALPN negotiates http/1.1 with dx's net/http client cleanly.

@entlein entlein merged commit decf2ae into ae-followup-auth Jun 23, 2026
10 of 11 checks passed
@entlein entlein deleted the feat/ae-control-tls branch June 23, 2026 16:28