[proxy] add pre-shared key support (#5377)

2026-04-16 07:16:38 +00:00 · 2026-02-23 16:31:29 +01:00
parent 5d171f181a
commit 9d123ec059
4 changed files with 39 additions and 12 deletions
--- a/proxy/internal/roundtrip/netbird.go
+++ b/proxy/internal/roundtrip/netbird.go
@@ -86,6 +86,13 @@ func (e *clientEntry) acquireInflight(backend backendKey) (release func(), ok bo
 	}
 }

+// ClientConfig holds configuration for the embedded NetBird client.
+type ClientConfig struct {
+	MgmtAddr     string
+	WGPort       int
+	PreSharedKey string
+}
+
 type statusNotifier interface {
 	NotifyStatus(ctx context.Context, accountID, serviceID, domain string, connected bool) error
 }
@@ -98,10 +105,9 @@ type managementClient interface {
 // backed by underlying NetBird connections.
 // Clients are keyed by AccountID, allowing multiple domains to share the same connection.
 type NetBird struct {
-	mgmtAddr     string
 	proxyID      string
 	proxyAddr    string
-	wgPort       int
+	clientCfg    ClientConfig
 	logger       *log.Logger
 	mgmtClient   managementClient
 	transportCfg transportConfig
@@ -229,11 +235,12 @@ func (n *NetBird) createClientEntry(ctx context.Context, accountID types.Account
 	// The peer has already been created via CreateProxyPeer RPC with the public key.
 	client, err := embed.New(embed.Options{
 		DeviceName:    deviceNamePrefix + n.proxyID,
-		ManagementURL: n.mgmtAddr,
+		ManagementURL: n.clientCfg.MgmtAddr,
 		PrivateKey:    privateKey.String(),
 		LogLevel:      log.WarnLevel.String(),
 		BlockInbound:  true,
-		WireguardPort: &n.wgPort,
+		WireguardPort: &n.clientCfg.WGPort,
+		PreSharedKey:  n.clientCfg.PreSharedKey,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("create netbird client: %w", err)
@@ -536,18 +543,17 @@ func (n *NetBird) ListClientsForStartup() map[types.AccountID]*embed.Client {
 	return result
 }

-// NewNetBird creates a new NetBird transport. Set wgPort to 0 for a random
+// NewNetBird creates a new NetBird transport. Set clientCfg.WGPort to 0 for a random
 // OS-assigned port. A fixed port only works with single-account deployments;
 // multiple accounts will fail to bind the same port.
-func NewNetBird(mgmtAddr, proxyID, proxyAddr string, wgPort int, logger *log.Logger, notifier statusNotifier, mgmtClient managementClient) *NetBird {
+func NewNetBird(proxyID, proxyAddr string, clientCfg ClientConfig, logger *log.Logger, notifier statusNotifier, mgmtClient managementClient) *NetBird {
 	if logger == nil {
 		logger = log.StandardLogger()
 	}
 	return &NetBird{
-		mgmtAddr:       mgmtAddr,
 		proxyID:        proxyID,
 		proxyAddr:      proxyAddr,
-		wgPort:         wgPort,
+		clientCfg:      clientCfg,
 		logger:         logger,
 		clients:        make(map[types.AccountID]*clientEntry),
 		statusNotifier: notifier,
--- a/proxy/internal/roundtrip/netbird_test.go
+++ b/proxy/internal/roundtrip/netbird_test.go
@@ -49,7 +49,11 @@ func (m *mockStatusNotifier) calls() []statusCall {
 // mockNetBird creates a NetBird instance for testing without actually connecting.
 // It uses an invalid management URL to prevent real connections.
 func mockNetBird() *NetBird {
-	return NewNetBird("http://invalid.test:9999", "test-proxy", "invalid.test", 0, nil, nil, &mockMgmtClient{})
+	return NewNetBird("test-proxy", "invalid.test", ClientConfig{
+		MgmtAddr:     "http://invalid.test:9999",
+		WGPort:       0,
+		PreSharedKey: "",
+	}, nil, nil, &mockMgmtClient{})
 }

 func TestNetBird_AddPeer_CreatesClientForNewAccount(t *testing.T) {
@@ -282,7 +286,11 @@ func TestNetBird_RoundTrip_RequiresExistingClient(t *testing.T) {

 func TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus(t *testing.T) {
 	notifier := &mockStatusNotifier{}
-	nb := NewNetBird("http://invalid.test:9999", "test-proxy", "invalid.test", 0, nil, notifier, &mockMgmtClient{})
+	nb := NewNetBird("test-proxy", "invalid.test", ClientConfig{
+		MgmtAddr:     "http://invalid.test:9999",
+		WGPort:       0,
+		PreSharedKey: "",
+	}, nil, notifier, &mockMgmtClient{})
 	accountID := types.AccountID("account-1")

 	// Add first domain — creates a new client entry.
@@ -308,7 +316,11 @@ func TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus(t *testing.T) {

 func TestNetBird_RemovePeer_NotifiesDisconnection(t *testing.T) {
 	notifier := &mockStatusNotifier{}
-	nb := NewNetBird("http://invalid.test:9999", "test-proxy", "invalid.test", 0, nil, notifier, &mockMgmtClient{})
+	nb := NewNetBird("test-proxy", "invalid.test", ClientConfig{
+		MgmtAddr:     "http://invalid.test:9999",
+		WGPort:       0,
+		PreSharedKey: "",
+	}, nil, notifier, &mockMgmtClient{})
 	accountID := types.AccountID("account-1")

 	err := nb.AddPeer(context.Background(), accountID, domain.Domain("domain1.test"), "key-1", "svc-1")