Dashboard UI for per-service DNS-01 cert issuance #626

Draft
TechHutTV wants to merge 8 commits into netbirdio:main from TechHutTV:brandon/dns-lego-ui

Conversation

@TechHutTV TechHutTV commented Apr 28, 2026

Summary (proof of concept for testing)

Adds the dashboard surface for the new per-service ACME configuration on the management API. A user can now choose how each reverse-proxy service issues its certificate (tls-alpn-01 / http-01 / dns-01), pick a DNS provider, and either enter credentials inline or reuse a previously saved credential.

A new account-level DNS Credentials page makes those credentials manageable independently of any single service: create, rotate (with leave-blank-to-keep semantics), and delete.

Pairs with the management/proxy work on brandon/dns-lego-feature (TechHutTV/netbird).

Changes

Service modal — Certificate tab

  • New "Certificate" tab on the reverse-proxy service modal (Add and Edit).
  • Segmented control for challenge type: tls-alpn-01, http-01, dns-01.
  • DNS provider dropdown: Cloudflare, AWS Route 53, DigitalOcean, RFC 2136 (BIND / PowerDNS / Knot / NSD).
  • Per-provider field schema renders only the inputs that provider needs (1 field for Cloudflare/DigitalOcean, 5 for Route 53, 4 for RFC 2136); masked inputs use the existing password-toggle primitive.
  • Once a provider is picked, a "Use saved credential / Create new credential" toggle controls whether the user picks an existing credential from a dropdown or enters fresh secrets inline.
  • Save flow:
    • Saved credential picked → service POST/PUT references dns_credentials_ref directly (no extra request).
    • New credential entered inline → POST /credentials first, then service POST/PUT references the returned id.
    • Edit with no changes → existing dns_credentials_ref is preserved.

DNS Credentials page (/reverse-proxy/dns-credentials)

  • New page reachable from the Reverse Proxy → DNS Credentials sidebar item.
  • Table with name / provider / created / actions columns; empty state with an "Add Credential" CTA.
  • Create / Edit modal:
    • Provider is read-only on edit (changing provider would invalidate the secret schema).
    • Masked secret fields show "•••••••• (leave blank to keep current; type to replace)" placeholders on edit.
    • PUT only sends secret_fields when the user actually typed something — name-only edits keep the existing secret.
    • Submit is gated so partial secret rotation isn't accepted.
  • Delete uses the existing confirm-dialog flow with a warning that referencing services may stop renewing.

Types and data layer

  • src/interfaces/Credential.ts — TS contract for the /credentials API surface (Credential, CredentialRequest, CredentialProviderType, ChallengeType, CHALLENGE_TYPES).
  • src/interfaces/ReverseProxy.ts — three new optional fields on ReverseProxy: challenge_type, dns_provider, dns_credentials_ref.
  • src/contexts/ReverseProxiesProvider.tsx — exposes credentials, createCredential, updateCredential, deleteCredential; SWR-mutates /credentials on each mutation.

Out of scope (intentional)

  • Status surfacing in the services table (e.g., a "certificate issuing / failed" indicator) — separate slice.
  • Dedicated credentials permission key — falls back to permission?.services?.* for now; the management API doesn't yet expose a dedicated permission module for credentials.
  • "Used in N services" column on the credentials table — would require a new field from the management API.
  • Orphan-credential cleanup if the credential POST succeeds but the subsequent service POST fails — credentials remain visible/deletable on the new page so they can be cleaned up by hand.

How to test

  1. Add a Cloudflare credential on /reverse-proxy/dns-credentials with a real scoped API token.
  2. Create a dns-01 service pointing at a domain in that zone, picking the saved credential — confirm only one request hits /services (no /credentials POST).
  3. Create a second dns-01 service via the inline "Create new credential" path — confirm POST /credentials then POST /services in the network tab.
  4. Edit a credential and rotate the secret — confirm a PUT /credentials/{id} with secret_fields populated.
  5. Edit an existing dns-01 service, switch it to a different saved credential — confirm dns_credentials_ref updates without re-creating a credential.
  6. Delete a credential currently referenced by a service — the management API should reject; the dashboard surfaces the error toast.

Verification

  • npx tsc --noEmit — clean.
  • npm run build — production build succeeds; new /reverse-proxy/dns-credentials route is generated.
  • Manual browser smoke test against a management server with the matching backend changes deployed.

Issue ticket number and link

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__
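The two request-shaping rules in the description above, the service save flow (saved credential vs. inline new credential vs. unchanged edit) and the leave-blank-to-keep rotation rule on the credentials modal, modelled as an added TypeScript example. This is not code from the PR or from the netbird dashboard: the per-provider secret field names, the request bodies, the `ServiceForm` shape and the `{credential.id}` placeholder are assumptions made here; only the endpoints, the field counts per provider and the three save paths come from the PR text.

```typescript
// Added example, not part of the netbird dashboard PR. Field names and
// request bodies are assumed; endpoints and field counts follow the PR text.
type ChallengeType = "tls-alpn-01" | "http-01" | "dns-01";
type Provider = "cloudflare" | "route53" | "digitalocean" | "rfc2136";

// Assumed per-provider secret schema. Only the counts (1 / 1 / 5 / 4) come
// from the PR description; the names are placeholders.
const PROVIDER_FIELDS: Record<Provider, string[]> = {
  cloudflare: ["api_token"],
  digitalocean: ["api_token"],
  route53: ["access_key_id", "secret_access_key", "region", "hosted_zone_id", "session_token"],
  rfc2136: ["nameserver", "tsig_key_name", "tsig_secret", "tsig_algorithm"],
};

interface CredentialUpdateResult {
  ok: boolean;
  error?: string;
  body?: { name: string; secret_fields?: Record<string, string> };
}

// Edit-modal rule: blank secret inputs keep the stored secret, so a name-only
// edit sends no secret_fields at all. A rotation must be all-or-nothing, so a
// half-typed form is rejected instead of overwriting part of a secret.
function buildCredentialUpdate(
  provider: Provider,
  name: string,
  typed: Record<string, string>,
): CredentialUpdateResult {
  const schema = PROVIDER_FIELDS[provider];
  const filled = schema.filter((f) => (typed[f] ?? "").trim() !== "");
  if (filled.length === 0) return { ok: true, body: { name } };
  if (filled.length !== schema.length) {
    const missing = schema.filter((f) => !filled.includes(f)).join(", ");
    return { ok: false, error: `partial secret rotation not accepted; missing: ${missing}` };
  }
  const secret_fields: Record<string, string> = {};
  for (const f of schema) secret_fields[f] = (typed[f] ?? "").trim();
  return { ok: true, body: { name, secret_fields } };
}

// Assumed shape of the service modal state relevant to the Certificate tab.
interface ServiceForm {
  mode: "add" | "edit";
  serviceId?: string;
  challenge_type: ChallengeType;
  dns_provider?: Provider;
  existingRef?: string; // dns_credentials_ref already stored on the service (edit)
  credentialSource?: "saved" | "new";
  savedCredentialId?: string;
  newCredential?: { name: string; secret_fields: Record<string, string> };
}

interface PlannedRequest { method: "POST" | "PUT"; path: string; body: Record<string, unknown> }

// Returns the ordered HTTP requests the Save button would issue.
// "{credential.id}" stands for the id copied from the POST /credentials response.
function planServiceSave(form: ServiceForm): PlannedRequest[] {
  const method = form.mode === "add" ? "POST" : "PUT";
  const servicePath = form.mode === "add" ? "/services" : `/services/${form.serviceId}`;
  const service: Record<string, unknown> = { challenge_type: form.challenge_type };
  // tls-alpn-01 and http-01 need no DNS provider or credential.
  if (form.challenge_type !== "dns-01") return [{ method, path: servicePath, body: service }];
  service.dns_provider = form.dns_provider;
  // Saved credential picked: reference it directly, one request only.
  if (form.credentialSource === "saved" && form.savedCredentialId) {
    service.dns_credentials_ref = form.savedCredentialId;
    return [{ method, path: servicePath, body: service }];
  }
  // New credential entered inline: POST /credentials first, then the service.
  if (form.credentialSource === "new" && form.newCredential && form.dns_provider) {
    const missing = PROVIDER_FIELDS[form.dns_provider]
      .filter((f) => (form.newCredential?.secret_fields[f] ?? "").trim() === "");
    if (missing.length > 0) throw new Error(`incomplete credential, missing: ${missing.join(", ")}`);
    service.dns_credentials_ref = "{credential.id}";
    return [
      { method: "POST", path: "/credentials", body: { provider: form.dns_provider, ...form.newCredential } },
      { method, path: servicePath, body: service },
    ];
  }
  // Edit with nothing changed: preserve the existing reference.
  if (form.existingRef) service.dns_credentials_ref = form.existingRef;
  return [{ method, path: servicePath, body: service }];
}
```

Keeping the request plan as data rather than issuing fetches makes the "exactly one request hits /services" and "POST /credentials then POST /services" expectations from the test plan checkable in a unit test without a management server.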

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai Bot commented Apr 28, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.
