feat: gateway v2 #12
… detected" This reverts commit ce41396.
Greptile Summary
This PR introduces the foundational scaffolding for Gateway v2, a new secure networking architecture that enables Infisical to manage secrets across distributed environments through proxy/gateway infrastructure. The implementation adds several key components:
New Proxy Package (packages/proxy/proxy.go): Implements a secure proxy server that acts as an intermediary between clients and gateways. It features certificate-based authentication, SSH tunneling for gateway connections, TLS for client connections, and automatic certificate renewal. The proxy validates SSH certificates with gateway authorization and handles bidirectional TCP forwarding with proper connection management.
Gateway v2 Package (packages/gateway-v2/): Creates the client-side gateway component that connects to proxies through secure SSH tunnels wrapped with mTLS. It includes specialized HTTP proxy functionality for Kubernetes environments, supporting service account token injection and certificate-based routing using custom OID extensions. The gateway handles multiple forwarding modes (HTTP, TCP, PING) and includes heartbeat monitoring.
API Extensions (packages/api/): Adds four new API endpoints to support v2 functionality: CallGatewayHeartBeatV2, CallRegisterInstanceProxy, CallRegisterProxy, and CallRegisterGateway. The corresponding model structures define PKI certificates and SSH key management for secure communication between components.
CLI Integration (packages/cmd/network.go): Introduces new network commands under infisical network proxy and infisical network gateway with systemd service integration for production deployments. The implementation includes token refresh mechanisms, graceful shutdown handling, and support for both 'instance' and 'org' authentication modes.
This architecture enables secure secret management across network boundaries, supporting air-gapped environments and Kubernetes integration where the proxy acts as a bridge between Infisical services and client applications.
Confidence score: 2/5
- This PR contains multiple critical security vulnerabilities that could lead to unauthorized access and data exposure
- Score reflects serious concerns with DNS manipulation attacks, information disclosure through logging, and inadequate input validation across multiple security-critical components
- Pay close attention to packages/gateway-v2/gateway.go, packages/proxy/proxy.go, and packages/gateway-v2/connection.go for security issues
8 files reviewed, 10 comments
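The summary above describes certificate-based routing keyed on a custom OID extension and flags input validation as a concern. As an added example (not code from this PR or from Infisical), the block below shows one way a proxy can do that safely: verify the client certificate against its trusted CA first, acknowledge the routing extension as a critical extension it understands, and only then parse and bound-check the routing payload. The OID, the extension's payload layout, and every function name here are assumptions for illustration; the CA and client certificate are constructed in code so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID (assumption): the OID Infisical actually uses is not on the PR page.
var gatewayRouteOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// RouteTarget is the DER payload of the routing extension (assumed layout).
type RouteTarget struct {
	GatewayID string `asn1:"utf8"`
	Namespace string `asn1:"utf8"`
}

// issue gives tmpl a fresh Ed25519 key and signs it with signer (self-signed when signer is nil).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// IssueClientCert builds a throwaway CA plus a client certificate (constructed test PKI); the routing
// extension is marked critical so a verifier that does not understand it must reject the certificate.
func IssueClientCert(rt RouteTarget) (*x509.CertPool, *x509.Certificate, error) {
	caCert, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-gateway-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	value, err := asn1.Marshal(rt)
	if err != nil {
		return nil, nil, err
	}
	clientCert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example-client"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: gatewayRouteOID, Critical: true, Value: value}},
	}, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, clientCert, nil
}

// VerifyAndRoute validates the chain before reading the routing extension, so an
// unverified certificate never influences where traffic goes.
func VerifyAndRoute(cert *x509.Certificate, roots *x509.CertPool) (RouteTarget, error) {
	// Go's Verify rejects critical extensions not claimed as understood: acknowledge ours only.
	var unknown []asn1.ObjectIdentifier
	for _, id := range cert.UnhandledCriticalExtensions {
		if !id.Equal(gatewayRouteOID) {
			unknown = append(unknown, id)
		}
	}
	cert.UnhandledCriticalExtensions = unknown
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return RouteTarget{}, fmt.Errorf("client certificate rejected: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(gatewayRouteOID) {
			var rt RouteTarget
			rest, err := asn1.Unmarshal(ext.Value, &rt)
			if err != nil {
				return RouteTarget{}, fmt.Errorf("malformed route extension: %w", err)
			}
			if len(rest) != 0 || rt.GatewayID == "" || rt.Namespace == "" {
				return RouteTarget{}, fmt.Errorf("route extension is incomplete or has trailing bytes")
			}
			return rt, nil
		}
	}
	return RouteTarget{}, fmt.Errorf("certificate carries no route extension")
}

func main() {
	if pool, cert, err := IssueClientCert(RouteTarget{GatewayID: "gw-1", Namespace: "team-a"}); err == nil {
		fmt.Println(VerifyAndRoute(cert, pool))
	}
}
```

Two design points worth noting. Marking the extension critical means a proxy built without this code path fails closed on such certificates instead of silently routing on defaults; in Go that is why the acknowledgement loop is needed, since `Verify` refuses any certificate whose `UnhandledCriticalExtensions` is non-empty. And the payload is parsed only after the chain verifies, with trailing bytes and empty fields rejected, so a malformed or forged extension can never select a gateway.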
144d4e7 to fc62acd
Description 📣
This PR adds support for the CLI commands to launch the gateway v2 components.
Related PR:
Infisical/infisical#4462
Type ✨
Tests 🛠️