Scope
Deferred but falsifiable libp2p PrivateNetwork PSK work.
Problem
DHT/coord exposure currently relies on NetworkPolicy rather than cryptographic peer gating. DHT-advertised provider addresses can also drive constrained SSRF if arbitrary pods can reach Gantry ports or join the DHT.
Evidence:
internal/gantry/discovery/discovery.go:590
internal/gantry/transfer/client.go:140
Changes
- Add libp2p PrivateNetwork(psk) in discovery.go, with the PSK sourced from a cluster Secret.
- Define key distribution and rotation workflow.
- Move this work ahead of coord authz enforcement if the deployment cannot apply an equivalent NetworkPolicy boundary, cannot deny cross-namespace coord/transfer dials, or has a threat model that includes arbitrary pods on the cluster network reaching Gantry ports.
Tests
- Peers without the PSK cannot join the Gantry libp2p network.
- Gantry agents with the same PSK can bootstrap, discover providers, and exchange coord traffic.
- Rotation or missing-secret failure mode is explicit and observable.
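A fail-closed PSK loader sketch for the Secret-sourced key and the "explicit and observable" failure mode above. This is an added example, not code from discovery.go. ParsePSK, Fingerprint and ErrNoPSK are hypothetical names, and the Secret is assumed to hold the key in the v1 /base16/ key-file layout that go-libp2p's pnet package reads.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrNoPSK: the caller must refuse to start rather than join an open network.
var ErrNoPSK = errors.New("private-network PSK missing")

// ParsePSK decodes the Secret's contents (assumed layout: v1 header line,
// "/base16/", then 64 hex characters) into the 32-byte key.
func ParsePSK(data string) ([]byte, error) {
	f := strings.Fields(data) // tolerates trailing newline and CRLF
	if len(f) == 0 {
		return nil, ErrNoPSK // an empty Secret value counts as missing
	}
	if len(f) != 3 || f[0] != "/key/swarm/psk/1.0.0/" || f[1] != "/base16/" {
		return nil, errors.New("PSK file is not in v1 /base16/ layout")
	}
	key, err := hex.DecodeString(f[2])
	if err != nil || len(key) != 32 {
		return nil, errors.New("PSK body must be 64 hex characters") // never echo key bytes
	}
	return key, nil
}

// Fingerprint is a short SHA-256 tag, safe to log, for comparing keys across pods.
func Fingerprint(psk []byte) string {
	sum := sha256.Sum256(psk)
	return hex.EncodeToString(sum[:4])
}

func main() {
	// Constructed sample key; in a pod this string would come from the Secret mount.
	sample := "/key/swarm/psk/1.0.0/\n/base16/\n" + strings.Repeat("ab", 32) + "\n"
	psk, err := ParsePSK(sample)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("psk loaded, fingerprint", Fingerprint(psk)) // next: libp2p.PrivateNetwork(psk)
}
```

Logging the fingerprint at startup lets a rotation be checked across agents without exposing the key; agents on different keys will show different tags.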