mTLS cert renewal worker. Reads the cert at cfg.client_cert on a
timer, computes the remaining-validity fraction, and POSTs
/v1/agent/renew when below cfg.renewal_threshold_fraction. The
CSR is signed by the host’s SSH ed25519 key (same key as
enrollment per RFC-0003 §2), so the renewed cert’s pubkey is
unchanged.
The renewed cert lands at the same on-disk path atomically via
enrollment::renew. Running workers (heartbeat, longpoll,
manifest_poll) keep their existing in-memory mTLS clients — those
clients still hold the OLD cert bytes. Production: the agent’s
systemd unit has Restart=always RestartSec=30, so any restart
event (next operator-driven nixos-rebuild, the cert-near-expiry
handover, or any crash) loads the freshly-written cert into the
workers’ clients. The renewal worker exists to keep the on-disk
cert from ever expiring; it does NOT hot-swap the running clients’
identities.
Disabled when cfg.renewal_threshold_fraction.is_none() — the
worker logs a single info line and exits. Use this in tests where
the cert is fixture-baked and renewal would be noise.
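The renewal decision described above (remaining-validity fraction against `cfg.renewal_threshold_fraction`, with `None` meaning disabled) as an added, stand-alone example; this is not the crate's own code, and it assumes the caller has already extracted the cert's notBefore/notAfter as Unix seconds rather than parsing PEM here.

```rust
// Added example, not the project's code. The cert's validity bounds are
// assumed to arrive as Unix-second timestamps (extracted from the parsed
// PEM elsewhere); no crates are used so this compiles on its own.

/// Fraction of the validity window still ahead of `now`, clamped to
/// [0.0, 1.0]. A degenerate window (not_after <= not_before) is reported
/// as fully consumed so the worker errs toward renewing, never toward
/// silently keeping an unusable cert.
pub fn remaining_validity_fraction(not_before: i64, not_after: i64, now: i64) -> f64 {
    if not_after <= not_before {
        return 0.0;
    }
    let total = (not_after - not_before) as f64;
    let remaining = (not_after - now) as f64;
    (remaining / total).clamp(0.0, 1.0)
}

/// Outcome of one timer tick of the worker.
#[derive(Debug, PartialEq)]
pub enum Tick {
    /// `renewal_threshold_fraction` was `None`: log once and exit.
    Disabled,
    /// Still above threshold; nothing to do until the next CHECK_INTERVAL.
    Keep { remaining: f64 },
    /// At or below threshold; the caller POSTs /v1/agent/renew.
    Renew { remaining: f64 },
}

/// Decide what a single tick should do. `threshold` mirrors
/// `cfg.renewal_threshold_fraction` (hypothetical signature).
pub fn decide(threshold: Option<f64>, not_before: i64, not_after: i64, now: i64) -> Tick {
    let t = match threshold {
        None => return Tick::Disabled,
        Some(t) => t,
    };
    let remaining = remaining_validity_fraction(not_before, not_after, now);
    if remaining <= t {
        Tick::Renew { remaining }
    } else {
        Tick::Keep { remaining }
    }
}

fn main() {
    // Constructed sample: a 30-day cert with 5 days left (1/6 remaining).
    let (nb, na, now) = (0, 30 * 86_400, 25 * 86_400);
    println!("{:?}", decide(Some(0.2), nb, na, now));
}
```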
Constants
- CHECK_INTERVAL 🔒 - Cadence at which the worker re-reads the cert and checks the threshold. 60s matches the heartbeat ticker; the renewal decision is cheap (parse PEM, compute fraction), so the amortised cost is trivial. Independent of the renewal HTTP cost, because that only fires when the threshold trips.
- ERROR_BACKOFF 🔒