pub fn build_server_config(
    cert_path: &Path,
    key_path: &Path,
    client_ca_path: Option<&Path>,
) -> Result<ServerConfig>
LOADBEARING: allow_unauthenticated() is required because /v1/enroll
cannot present a client cert (it bootstraps the agent’s identity). Per-
route middleware enforces auth - don’t tighten the TLS layer to require
client certs without first carving out enroll.
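
The carve-out described above, as an added example that is not this project's code: the TLS layer admits connections with or without a client cert, and a per-route check then denies every anonymous request except the exact /v1/enroll path. The Peer and Decision types, route_of(), authorize() and the /v1/agents route are hypothetical.

```rust
// Added example, std only. Type and function names are hypothetical.

/// What the router sees after the handshake. Because the TLS layer uses
/// allow_unauthenticated(), a connection can complete with no client cert.
#[derive(Debug, PartialEq)]
pub enum Peer {
    Anonymous,
    /// Subject of a client cert that verified against the client CA.
    Verified(String),
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Deny,
}

/// The single route reachable without a client cert (from the doc above).
const ENROLL_PATH: &str = "/v1/enroll";

/// Drop the query string and nothing else. No prefix matching and no path
/// normalisation: a target that is not exactly the enroll path is protected.
fn route_of(target: &str) -> &str {
    target.split('?').next().unwrap_or(target)
}

/// Per-route check: default deny for anonymous peers, one explicit carve-out.
pub fn authorize(target: &str, peer: &Peer) -> Decision {
    match peer {
        Peer::Verified(_) => Decision::Allow,
        Peer::Anonymous if route_of(target) == ENROLL_PATH => Decision::Allow,
        Peer::Anonymous => Decision::Deny,
    }
}

fn main() {
    // Constructed request targets; /v1/agents is a placeholder protected route.
    let agent = Peer::Verified("agent-01".to_string());
    for (target, peer) in [
        ("/v1/enroll", &Peer::Anonymous),
        ("/v1/enrollment", &Peer::Anonymous),
        ("/v1/agents", &Peer::Anonymous),
        ("/v1/agents", &agent),
    ] {
        println!("{:<16} {:?} -> {:?}", target, peer, authorize(target, peer));
    }
}
```

Matching the enroll path exactly keeps look-alike targets such as /v1/enrollment or /v1/enroll/../agents on the protected side of the check.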