[proxy] add pre-shared key support #5377

Open
pascal-fischer wants to merge 3 commits into main from feature/pre-shared-key-for-proxy

pascal-fischer (Collaborator) commented Feb 18, 2026

Describe your changes

Issue ticket number and link

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

  • New Features
    • Added pre-shared key configuration for proxy tunnels; users can now specify a pre-shared key via a new CLI flag to enable tunnel authentication.
    • Proxy now centrally passes client connection settings (management address, WireGuard port, and pre-shared key) when establishing peer tunnels.

coderabbitai bot (Contributor) commented Feb 18, 2026

Caution

Review failed

An error occurred during the review process. Please try again later.

📝 Walkthrough

Adds a PreSharedKey configuration option and threads it from the CLI into the Server and NetBird client configuration via a new ClientConfig struct and updated NewNetBird signature; tests and call sites adjusted to the new parameter shape.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CLI & Server wiring: proxy/cmd/proxy/cmd/root.go, proxy/server.go | Adds CLI flag --pre-shared-key and new PreSharedKey field on Server; wires flag value into server initialization. |
| NetBird roundtrip API & impl: proxy/internal/roundtrip/netbird.go | Introduces ClientConfig (MgmtAddr, WGPort, PreSharedKey); replaces mgmtAddr/wgPort fields with clientCfg ClientConfig on NetBird; updates NewNetBird signature to accept ClientConfig and uses clientCfg.PreSharedKey when creating the embedded client. |
| Tests: proxy/internal/roundtrip/netbird_test.go | Updates NewNetBird call sites and helper(s) to pass ClientConfig{...} instead of separate mgmt/wg params; reorders arguments to match new constructor. |

Sequence Diagram(s)

sequenceDiagram
  participant CLI as CLI (root.go)
  participant Server as Server (proxy/server.go)
  participant RT as roundtrip.NewNetBird
  participant NB as NetBird (client)
  participant MGMT as Management API

  CLI->>Server: start with --pre-shared-key
  Server->>RT: NewNetBird(proxyID, proxyAddr, ClientConfig{MgmtAddr, WGPort, PreSharedKey}, ...)
  RT->>NB: init NetBird with clientCfg (includes PreSharedKey)
  NB->>MGMT: use MgmtAddr / WGPort / PreSharedKey when creating embedded client

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A key snug in flags and fields we bring,
From root to server, then to NetBird's wing,
Packaged in client config tight and neat,
Tests hopped along to keep the path complete.
A tiny change, secured and sweet. 🥕

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is largely incomplete. While the checklist is filled out, the 'Describe your changes' section is empty, and no explanation is provided for why documentation is not needed. | Add a detailed description of the changes in the 'Describe your changes' section and briefly explain why documentation is not needed for this feature enhancement. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title '[proxy] add pre-shared key support' accurately and concisely describes the main feature being added across all changed files. |

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@proxy/cmd/proxy/cmd/root.go`:
- Line 88: Remove the CLI flag registration that exposes the PSK
(rootCmd.Flags().StringVar(&preSharedKey, "pre-shared-key", ...)) and stop using
the package-level preSharedKey variable; instead read the pre-shared key
exclusively from the environment using
envStringOrDefault("NB_PROXY_PRE_SHARED_KEY", "") at runtime (same pattern used
for ProxyToken) and use that value inside runServer and any other consumers;
also delete the package-level preSharedKey declaration so there is no flag or
global var exposing the secret.

rootCmd.Flags().StringVar(&certLockMethod, "cert-lock-method", envStringOrDefault("NB_PROXY_CERT_LOCK_METHOD", "auto"), "Certificate lock method for cross-replica coordination: auto, flock, or k8s-lease")
rootCmd.Flags().IntVar(&wgPort, "wg-port", envIntOrDefault("NB_PROXY_WG_PORT", 0), "WireGuard listen port (0 = random). Fixed port only works with single-account deployments")
rootCmd.Flags().BoolVar(&proxyProtocol, "proxy-protocol", envBoolOrDefault("NB_PROXY_PROXY_PROTOCOL", false), "Enable PROXY protocol on TCP listeners to preserve client IPs behind L4 proxies")
rootCmd.Flags().StringVar(&preSharedKey, "pre-shared-key", envStringOrDefault("NB_PROXY_PRE_SHARED_KEY", ""), "Define a pre-shared key for the tunnel between proxy and peers")
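
Review bot: the usage string on the new `--pre-shared-key` line does not say what format the value must have or what the empty default means. State both in the help text, and mention that the value can also be supplied through NB_PROXY_PRE_SHARED_KEY, which the flag's default already reads via envStringOrDefault.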

⚠️ Potential issue | 🟠 Major

PSK exposed in process listing via CLI flag.

WireGuard's own tooling (wg(8)) explicitly states that "command line arguments are not considered private on most systems" for pre-shared keys — they are visible to other processes via ps aux and /proc/<pid>/cmdline.

The existing ProxyToken deliberately has no CLI flag (lines 109–112) and is env-var-only precisely to avoid this leak. The WireGuard PSK is a cryptographic secret and warrants the same treatment. NB_PROXY_PRE_SHARED_KEY is already available as a safe alternative.

Consider removing the --pre-shared-key flag entirely and reading the PSK exclusively from the environment variable, mirroring the ProxyToken pattern:

🔒 Proposed fix: env-var-only PSK
-	rootCmd.Flags().StringVar(&preSharedKey, "pre-shared-key", envStringOrDefault("NB_PROXY_PRE_SHARED_KEY", ""), "Define a pre-shared key for the tunnel between proxy and peers")

In runServer:

+	preSharedKey := os.Getenv("NB_PROXY_PRE_SHARED_KEY")
 	srv := proxy.Server{
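
Review bot: the added line in runServer calls os.Getenv directly, while the flag registrations in root.go all read their environment defaults through helpers such as envStringOrDefault. Use envStringOrDefault("NB_PROXY_PRE_SHARED_KEY", "") here for consistency. The removed flag line is also the only visible place where NB_PROXY_PRE_SHARED_KEY is read, so the removal and this addition have to land in the same commit or the variable is silently ignored.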

And remove the package-level preSharedKey variable.


coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (1)
proxy/server.go (1)

117-118: Consider supporting env-var or file-based sourcing for PreSharedKey.

A WireGuard PSK passed via a --pre-shared-key CLI flag will be visible in process listings (ps aux) and may persist in shell history. The standard mitigation is to accept the secret via an environment variable or a file path (e.g., --pre-shared-key-file). If the CLI flag in root.go currently uses a plain --flag binding, this is worth addressing before the feature ships.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@proxy/server.go` around lines 117 - 118, PreSharedKey is currently exposed
via a CLI flag which can leak in process listings; update the flag handling
(where --pre-shared-key is bound in root.go) and the PreSharedKey field usage to
support secure sourcing: add a new --pre-shared-key-file flag and an environment
variable (e.g., PRE_SHARED_KEY) and implement a loader function (e.g.,
loadPreSharedKey) that prioritizes file contents if --pre-shared-key-file is
set, otherwise reads PRE_SHARED_KEY from the environment, and only falls back to
the CLI --pre-shared-key value; ensure the loader reads the file securely, trims
whitespace, avoids logging the secret, and that PreSharedKey is populated from
this loader instead of directly from the plain flag.
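
A loader along the lines the review comments above suggest (key file first, then NB_PROXY_PRE_SHARED_KEY, no flag carrying the secret), given here as an added example that is not NetBird's code. `loadPreSharedKey` is the name the comment proposes; its signature, the NB_PROXY_PRE_SHARED_KEY_FILE variable and the 32-byte base64 check (WireGuard's key format) are assumptions.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// loadPreSharedKey (hypothetical helper) reads the PSK from keyFile when set,
// else from envName, so the secret never appears in argv (ps, /proc/<pid>/cmdline).
func loadPreSharedKey(keyFile, envName string) (string, error) {
	raw := os.Getenv(envName)
	if keyFile != "" {
		info, err := os.Stat(keyFile)
		if err != nil {
			return "", fmt.Errorf("stat key file: %w", err)
		}
		if info.Mode().Perm()&0o077 != 0 { // refuse group/other access bits
			return "", errors.New("key file must not be accessible to group or others")
		}
		data, err := os.ReadFile(keyFile)
		if err != nil {
			return "", fmt.Errorf("read key file: %w", err)
		}
		raw = string(data)
	}
	key := strings.TrimSpace(raw) // editors and echo append a newline
	if key == "" {
		return "", nil // no PSK configured
	}
	// Assumption: the key uses WireGuard's format, 32 bytes in base64.
	decoded, err := base64.StdEncoding.DecodeString(key)
	if err != nil || len(decoded) != 32 {
		return "", errors.New("pre-shared key must be 32 bytes, base64-encoded") // no key material in the error
	}
	return key, nil
}

func main() {
	// NB_PROXY_PRE_SHARED_KEY_FILE is an assumed name for this example only.
	key, err := loadPreSharedKey(os.Getenv("NB_PROXY_PRE_SHARED_KEY_FILE"), "NB_PROXY_PRE_SHARED_KEY")
	if err != nil {
		fmt.Fprintln(os.Stderr, "pre-shared key:", err)
		os.Exit(1)
	}
	fmt.Println("pre-shared key configured:", key != "") // report presence, never the value
}
```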
