feat(build): Add multi-stage Dockerfile for management server

[obtFusi]

Summary

• Adds Dockerfile.multistage for building management server with correct binary format
• Solves ar archive issue (binary was library instead of executable)

Problem

Building with go build ./management/cmd/ produced an ar archive because cmd/ has package cmd, not package main.

Solution

• Use ./management/ which has main.go with package main
• Multi-stage build inside golang:1.25 container
• No cross-compilation issues

Usage

docker build -f management/Dockerfile.multistage -t netbird-fork/management:latest .

Test plan

• Binary is ELF executable (verified with file command)
• Container starts successfully
• mTLS server runs on port 33074
• Deployed and tested on lab (10.0.0.103)

Relates to: #93

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features

  • Added mTLS certificate-based authentication for machine peers with dedicated registration and management endpoints.
  • Introduced automated dependency updates via Dependabot configuration.
  • Added GitHub issue templates for structured bug reports, features, epics, stories, and tasks.

• CI/CD Improvements

  • Implemented automatic issue and pull request labeling based on title analysis.
  • Added pull request linting to enforce consistent commit message conventions.
  • Configured pre-commit hooks for code quality checks.

• Build & Infrastructure

  • Enhanced build system with multi-platform cross-compilation support.
  • Added containerized management service deployment.
  • Introduced lab automation scripts for testing environments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[obtFusi]

Accidentally created on wrong repo. Intended for fork.

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This PR introduces comprehensive mTLS support for machine peers to the management service, including certificate-based authentication, identity extraction and validation, DNS label generation, and gRPC handlers. It also adds development workflow infrastructure (pre-commit hooks, issue templates, auto-labeling, PR linting) and lab setup scripts for testing AD CS-based certificate enrollment.

Changes

Cohort / File(s)	Summary
Development Infrastructure .githooks/pre-commit, Makefile, .gitignore	Pre-commit hook for Go formatting and secret scanning; Makefile updates for cross-platform builds and hook setup; .gitignore refinements for development artifacts and expanded ignore patterns
GitHub Workflows & Templates .github/workflows/auto-label.yml, .github/workflows/pr-lint.yml, .github/ISSUE_TEMPLATE/*, .github/dependabot.yml, .github/ISSUE_TEMPLATE/config.yml	New GitHub Actions workflows for auto-labeling issues/PRs and enforcing conventional commits; issue templates (bug, epic, story, task, feature request); Dependabot config for Go modules, actions, and Docker; template configuration disabling blank issues
mTLS Core Infrastructure management/internals/shared/mtls/identity.go, management/internals/shared/mtls/dnslabel.go, management/internals/shared/mtls/dnslabel_test.go, management/internals/shared/mtls/identity.go	New mTLS shared modules: Identity struct with context management, ValidatorConfig for per-account issuer validation; DNS label generation with RFC1123 compliance, collision detection, and hash-based uniqueness
Management Server mTLS management/internals/server/mtls_auth.go, management/internals/server/mtls_auth_test.go, management/internals/server/mtls_server.go, management/internals/server/server.go, management/internals/server/boot.go, management/internals/server/config/config.go	mTLS interceptors (unary/stream), identity extraction, domain-account mapping, issuer fingerprint validation; dedicated mTLS gRPC server on port 33074; TLS configuration loading; CA certificate pool management; server lifecycle integration
Machine Tunnel gRPC management/internals/shared/grpc/machine_tunnel.go, management/internals/shared/grpc/conversion_test.go, shared/management/proto/management.proto	New machine tunnel RPC handlers (RegisterMachinePeer, SyncMachinePeer, GetMachineRoutes, ReportMachineStatus) with mTLS identity extraction; proto messages (MachineIdentity, MachineRegisterRequest/Response, MachineSync*, MachineRoutes*, MachineStatus*); peer metadata enrichment
Peer Metadata & DNS management/server/peer/peer.go, management/server/peer.go	PeerSystemMeta struct extended with mTLS fields (PeerType, AuthMethod, CertDNSName, CertDomain, CertIssuerFP, CertSerial, CertTemplate, FirstAuthTime, LastCertAuthTime); DNS label generation logic for mTLS peers
Docker & Proto management/Dockerfile.multistage	Multi-stage Dockerfile for management service; builder stage compiles netbird-mgmt, final stage runs on ubuntu:24.04
Windows Certificate Handling (Spike) spike/cng-signer/main.go, spike/cng-signer/go.mod, spike/san-parser/main.go, spike/san-parser/go.mod	Proof-of-concept implementations: CNGSigner for Windows CNG-backed crypto.Signer with non-exportable keys; SAN parser for certificate identity extraction and template information
Architecture & Design docs/ADR-001-mTLS-Port-Strategy.md, docs/ADR-002-CNG-Signer-Interface.md	ADRs documenting mTLS port strategy (single port with method-based routing), Windows CNG signer interface, implementation components, and related decisions
Lab CA Infrastructure scripts/lab/setup-lab-ca.ps1, scripts/lab/verify-lab-ca.ps1, scripts/lab/test-client-enrollment.ps1, scripts/lab/autounattend.xml	PowerShell scripts for bootstrapping AD CS environment, NetBirdMachine template creation, auto-enrollment GPO setup, lab verification with health checks, and client certificate enrollment testing; Windows unattended installation configuration
Test Certificates test/certs/* (ca.crt, ca.key, ca.srl, client.crt, client.csr, client.key, client.cnf, server.crt, server.csr, server.key, server.cnf)	Test CA and client/server certificates with private keys and CSR configurations for mTLS testing

Sequence Diagram(s)

sequenceDiagram
    participant Client as Machine Peer
    participant TLS as TLS Layer
    participant Interceptor as gRPC Interceptor
    participant Identity as Identity Extractor
    participant Validator as ValidatorConfig
    participant Handler as RPC Handler
    
    Client->>TLS: Connect with client cert
    TLS->>Interceptor: Establish connection
    Interceptor->>Identity: Extract from TLS state
    Note over Identity: Parse SAN, Issuer FP,<br/>Template OID/Name
    Identity->>Validator: Validate issuer CA
    Validator-->>Validator: Check per-account<br/>allowlist
    alt Issuer Valid
        Validator-->>Identity: Success
        Identity->>Identity: Resolve domain→account
        Identity-->>Interceptor: Return MTLSIdentity
        Interceptor->>Handler: Inject into context
        Handler-->>Client: Process RPC
    else Issuer Invalid
        Validator-->>Identity: Forbidden
        Identity-->>Interceptor: Error
        Interceptor-->>Client: Reject (unauthenticated)
    end

Loading

sequenceDiagram
    participant Mgmt as Management Server
    participant Interceptor as mTLS Interceptor
    participant PeerMeta as PeerSystemMeta
    participant Manager as AccountManager
    participant Store as Peer Store
    
    Mgmt->>Interceptor: RegisterMachinePeer RPC
    Interceptor->>Interceptor: Extract MTLSIdentity
    Interceptor->>PeerMeta: Enrich peer metadata
    Note over PeerMeta: Add CertDNSName,<br/>CertIssuerFP,<br/>AuthMethod, etc.
    PeerMeta->>Manager: LoginPeer(enriched meta)
    Manager->>Store: Register/Update peer
    Store-->>Manager: Success
    Manager-->>Mgmt: Return registration response
    Mgmt-->>Mgmt: Generate DNS label
    Note over Mgmt: Hash-based unique label<br/>from domain/hostname

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• [management] move network map logic into new design #4774: Touches management gRPC/server surface with potential overlaps in server initialization and interceptor chains
• [management] pass config to controller #4807: Related to management gRPC peer/config propagation and server configuration changes

Suggested reviewers

• mlsmaycon
• pappz
• crn4

Poem

🐰 A rabbit hops through certificates so grand,
mTLS magic across the NetBird land!
Identity flowing through gRPC streams,
Secure machine peers living the dream—
DNS labels hash with cryptographic grace,
Trust and validation seal every trace! ✨

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
11 New issues
3 Security Hotspots
9 New Code Smells (required ≤ 0)
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE