
feat(autotls): add support for custom DNS resolver and include Pebble…#572

Open
akrem-chabchoub wants to merge 13 commits into feat/autotls-forge-validation from dns-resolver

Conversation


@akrem-chabchoub akrem-chabchoub commented Mar 2, 2026

Summary

This PR adds support for running the autotls check from outside the cluster (e.g. on the host or in CI) when forge DNS and Pebble are exposed. Without it, DNS resolution for forge hostnames often fails on the host (e.g. macOS ignores a custom resolver), and the Pebble CA used for TLS verification can differ from the live CA Pebble generates on startup, causing x509: certificate signed by unknown authority.

Changes

New check options (autotls)

  • forge-dns-address – When set, DNS lookups for forge hostnames are sent directly to this server (UDP) instead of the system resolver. Required when running the check from the host against a cluster whose forge domain (e.g. local.test) is only served by an in-cluster DNS (e.g. p2p-forge). Config: forge-dns-address: "127.0.0.1:30053".
  • forge-tls-host-address – Optional host:port used for TLS verification of the first autotls node (by name order). When set, that node is checked by dialing this address instead of the pod IP, so TLS can be verified from outside the cluster when one WSS endpoint is exposed (e.g. NodePort). Other nodes remain unreachable from the host and are skipped with a warning.
  • pebble-mgmt-url – Optional URL for Pebble’s management API root CA endpoint (e.g. https://127.0.0.1:31500/roots/0). When set, the check fetches the live Pebble CA from this URL instead of using the embedded static cert. Pebble generates a new CA on each start, so using the live CA avoids TLS verification failures when the embedded cert is outdated.

Options are wired in pkg/config/check.go and can be set per check in config/local.yaml (e.g. for the ci-autotls scenario).

DNS resolution (forge.go)

  • verifyDNSResolution now accepts an optional forgeDNSAddress. If set, it uses a new lookupViaDNS helper that queries the given DNS server via github.com/miekg/dns (UDP). This bypasses the system resolver so that when the check runs on the host, it can still resolve forge hostnames served by the cluster’s forge DNS. Lookup failures when using the custom DNS are treated as hard errors. If forgeDNSAddress is not set, behavior is unchanged: the system resolver is used and unresolvable hostnames are skipped with a warning.

TLS verification (forge.go)

  • verifyTLSCertificate now accepts an optional forgeTLSHostAddress. When set, the first autotls node (by sorted name) is verified by dialing this host:port with the node’s forge hostname as ServerName; other nodes are still tried via their forge endpoints (pod IP or multiaddr). verifyNodeTLSCert now takes a dialAddr argument so the first node can be dialed at the override address while others use the usual IP:port.

Pebble CA (autotls.go, cert, k8s)

  • When the node’s ACME CA endpoint indicates Pebble, the check no longer uses a single embedded cert. It now tries to fetch the live root CA from Pebble’s management API (/roots/0). The management URL is derived from the ACME directory URL (port 14000 → 15000) or overridden by pebble-mgmt-url when running from the host (e.g. https://127.0.0.1:31500/roots/0). Fetch uses InsecureSkipVerify because Pebble’s management endpoint is self-signed. If the fetch fails, the check falls back to the existing embedded Pebble/minica cert.
  • PebbleCertificate is moved from pkg/orchestration/k8s to pkg/cert (pkg/cert/pebble.go). The k8s helpers that need it now reference cert.PebbleCertificate.

Dependencies

  • github.com/miekg/dns is now a direct dependency (used by lookupViaDNS in forge.go); go.mod updated accordingly.

Local / beelocal usage

With P2P WSS enabled, beelocal exposes forge DNS (e.g. NodePort 30053), one bee-autotls WSS (e.g. NodePort 31635), and Pebble management (e.g. NodePort 31500). The ci-autotls check in config/local.yaml sets:

  • forge-dns-address: "127.0.0.1:30053"
  • forge-tls-host-address: "127.0.0.1:31635"
  • pebble-mgmt-url: "https://127.0.0.1:31500/roots/0"

so that beekeeper check --cluster-name local-dns-autotls --checks ci-autotls can run on the host and pass DNS, TLS (at least for the first node), and Pebble CA verification.
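The forge-dns-address option above sends lookups for forge hostnames straight to a chosen DNS server instead of the system resolver, with lookup failures treated as hard errors. The following is an added example, not code from this PR or from beekeeper: the PR does this with github.com/miekg/dns, whereas this stand-alone version uses the standard library's net.Resolver Dial hook so it runs offline without that module. Everything in it is an assumption for illustration: the lookupViaDNS/answerA/serveForgeDNS/RunDNSDemo names, the toy UDP server standing in for the in-cluster forge DNS (it is not p2p-forge), and the constructed zone mapping bee-0.local.test to 10.42.0.7. The one caveat worth knowing is in the comment on PreferGo: the Dial hook is only honoured by Go's built-in resolver, so without it the override silently does nothing.

```go
package main

import (
	"context"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
	"time"
)

// lookupViaDNS resolves host by asking forgeDNSAddress (e.g. "127.0.0.1:30053") directly over UDP,
// bypassing whatever the system resolver is configured with. PreferGo is required: the Dial hook is
// honoured only by Go's built-in resolver, not by the platform (cgo) one. Failures are hard errors.
func lookupViaDNS(ctx context.Context, forgeDNSAddress, host string) ([]net.IP, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
			// The address the resolver passes in comes from resolv.conf; ignore it and go to forge DNS.
			d := net.Dialer{Timeout: 3 * time.Second}
			return d.DialContext(ctx, "udp", forgeDNSAddress)
		},
	}
	ips, err := r.LookupIP(ctx, "ip4", host) // A records only: the toy server below answers nothing else
	if err != nil {
		return nil, fmt.Errorf("forge DNS %s: lookup %s: %w", forgeDNSAddress, host, err)
	}
	return ips, nil
}

// answerA builds the wire-format reply to a single-question query: same ID, question echoed, one A
// record when the name is in zone and the query is type A, NXDOMAIN for unknown names. Constructed
// stand-in for the in-cluster forge DNS so the example runs offline; it is not p2p-forge.
func answerA(req []byte, zone map[string]net.IP) []byte {
	if len(req) < 12 || binary.BigEndian.Uint16(req[4:6]) != 1 { // QDCOUNT must be 1
		return nil
	}
	var labels []string // walk the length-prefixed labels of QNAME
	i := 12
	for i < len(req) && req[i] != 0 {
		l := int(req[i])
		if i+1+l > len(req) {
			return nil
		}
		labels = append(labels, string(req[i+1:i+1+l]))
		i += 1 + l
	}
	qEnd := i + 1 + 4 // root label + QTYPE + QCLASS
	if qEnd > len(req) {
		return nil
	}
	qtype := binary.BigEndian.Uint16(req[qEnd-4 : qEnd-2])
	ip, known := zone[strings.ToLower(strings.Join(labels, "."))]
	flags := byte(0x80) // RA=1, RCODE=NOERROR
	if !known {
		flags = 0x83 // RA=1, RCODE=NXDOMAIN
	}
	resp := append([]byte{}, req[:2]...)        // ID
	resp = append(resp, 0x81, flags)            // QR=1 RD=1 | RA, RCODE
	resp = append(resp, 0, 1, 0, 0, 0, 0, 0, 0) // QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
	resp = append(resp, req[12:qEnd]...)        // echo the question section
	if known && qtype == 1 {
		resp[7] = 1                                        // ANCOUNT=1
		resp = append(resp, 0xC0, 0x0C)                    // NAME: pointer to QNAME at offset 12
		resp = append(resp, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4) // TYPE A, CLASS IN, TTL 60, RDLENGTH 4
		resp = append(resp, ip.To4()...)
	}
	return resp
}

// serveForgeDNS runs the toy server on a random loopback UDP port and returns its address and a stop func.
func serveForgeDNS(zone map[string]net.IP) (string, func()) {
	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		buf := make([]byte, 1500)
		for {
			n, from, err := pc.ReadFrom(buf)
			if err != nil {
				return
			}
			if resp := answerA(buf[:n], zone); resp != nil {
				pc.WriteTo(resp, from)
			}
		}
	}()
	return pc.LocalAddr().String(), func() { pc.Close() }
}

// RunDNSDemo resolves a forge hostname through the toy server and shows that an unknown one is a hard error.
func RunDNSDemo() (found string, missErr error) {
	zone := map[string]net.IP{"bee-0.local.test": net.IPv4(10, 42, 0, 7)} // constructed zone data
	addr, stop := serveForgeDNS(zone)
	defer stop()
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	ips, err := lookupViaDNS(ctx, addr, "bee-0.local.test")
	if err != nil || len(ips) == 0 {
		return "", err
	}
	_, missErr = lookupViaDNS(ctx, addr, "bee-9.local.test")
	return ips[0].String(), missErr
}

func main() { fmt.Println(RunDNSDemo()) }
```

Pointing lookupViaDNS at a real forge DNS NodePort works the same way; the toy server only exists so the behaviour (an answer for a served forge name, a hard error for an unknown one) can be checked without a cluster. Because the resolver still applies the host's search list and ndots settings from resolv.conf, a forge name may be queried with search suffixes first; the server answering NXDOMAIN for those is what lets the bare name be tried next.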

@akrem-chabchoub akrem-chabchoub added this to the 2026 milestone Mar 4, 2026
@akrem-chabchoub akrem-chabchoub self-assigned this Mar 4, 2026
@akrem-chabchoub akrem-chabchoub marked this pull request as ready for review March 5, 2026 01:29
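Two of the changes above interact: forge-tls-host-address dials one address while verifying against the node's forge hostname, and pebble-mgmt-url fetches Pebble's live root (with InsecureSkipVerify on that self-signed management listener only) and falls back to the embedded cert if the fetch fails. The following is an added example, not code from this PR or from beekeeper, that runs both paths end to end on loopback. All names and values are assumptions for illustration: fetchLiveRootCA, rootPool, verifyNodeTLSCert and RunPebbleDemo are hypothetical stand-ins for the PR's helpers, the roots and leaf are generated at run time, an httptest TLS server stands in for Pebble's management API, a plain tls listener stands in for the exposed bee WSS NodePort, and bee-0.local.test is a constructed forge hostname. It shows the three outcomes a practitioner wants to see: success with the live root, x509 unknown authority when only a stale embedded root is available, and failure when ServerName does not match the certificate even though the dial address is right.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetchLiveRootCA downloads the PEM root that Pebble's management API serves at /roots/N. That
// listener is self-signed, so verification is skipped for this one fetch only; the CA it returns
// is then used for strict verification of the node certificate, where nothing is skipped.
func fetchLiveRootCA(mgmtURL string) (*x509.CertPool, error) {
	client := &http.Client{Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	resp, err := client.Get(mgmtURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bounded read: the endpoint is unauthenticated
	if err != nil || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("pebble management endpoint %s: %s (%v)", mgmtURL, resp.Status, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(body) {
		return nil, fmt.Errorf("pebble management endpoint %s: no PEM certificate in response", mgmtURL)
	}
	return pool, nil
}

// rootPool prefers the live Pebble root and falls back to the embedded PEM when the fetch fails;
// the bool reports which one was used so the check can say so in its output.
func rootPool(mgmtURL string, embeddedPEM []byte) (*x509.CertPool, bool) {
	if pool, err := fetchLiveRootCA(mgmtURL); err == nil {
		return pool, true
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(embeddedPEM)
	return pool, false
}

// verifyNodeTLSCert dials dialAddr (pod IP:port, or the host-side NodePort override) but verifies
// the presented chain against forgeHost, so the certificate must still match the forge hostname.
func verifyNodeTLSCert(dialAddr, forgeHost string, roots *x509.CertPool) error {
	cfg := &tls.Config{ServerName: forgeHost, RootCAs: roots, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", dialAddr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// newCert issues tmpl signed by parent, or self-signed when parent is nil (demo-only PKI helper).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func caTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// RunPebbleDemo stands up a fake Pebble management endpoint and a fake node WSS listener on loopback,
// then runs the check with the live CA, with a stale embedded CA, and with the wrong forge hostname.
func RunPebbleDemo() (liveCAUsed bool, liveCAErr, staleCAErr, wrongHostErr error) {
	liveCA, liveKey := newCert(caTemplate(1), nil, nil) // the root Pebble generated on this start
	staleCA, _ := newCert(caTemplate(2), nil, nil)      // an outdated embedded root
	const forgeHost = "bee-0.local.test"                // constructed forge hostname
	leaf, leafKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(3), DNSNames: []string{forgeHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, liveCA, liveKey)
	// Management API stand-in: httptest's own self-signed HTTPS cert, like Pebble's management listener.
	mgmt := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		pem.Encode(w, &pem.Block{Type: "CERTIFICATE", Bytes: liveCA.Raw})
	}))
	defer mgmt.Close()
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // the "NodePort" the host can reach
	defer ln.Close()
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw, liveCA.Raw}, PrivateKey: leafKey}}}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { tls.Server(c, srv).Handshake(); c.Close() }(c)
		}
	}()
	stale := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: staleCA.Raw})
	livePool, liveCAUsed := rootPool(mgmt.URL+"/roots/0", stale)
	stalePool, _ := rootPool("https://127.0.0.1:1/roots/0", stale) // unreachable mgmt URL: forced fallback
	liveCAErr = verifyNodeTLSCert(ln.Addr().String(), forgeHost, livePool)
	staleCAErr = verifyNodeTLSCert(ln.Addr().String(), forgeHost, stalePool)
	wrongHostErr = verifyNodeTLSCert(ln.Addr().String(), "bee-1.local.test", livePool)
	return
}

func main() { fmt.Println(RunPebbleDemo()) }
```

The design point worth keeping when wiring this into a real check: InsecureSkipVerify is confined to the one request against the management endpoint, and the node certificate is always verified with a populated RootCAs and an explicit ServerName. Reporting which root was used (live or embedded) is what turns a later "unknown authority" failure from a mystery into a one-line diagnosis.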