Phase C: Automated TLS cert provisioning for L7 routes

mc/mcp

Add CertProvisioner that requests TLS certificates from Metacrypt's CA
API during deploy. When a service has L7 routes, the agent checks for
an existing cert, re-issues if missing or within 30 days of expiry,
and writes chain+key to mc-proxy's cert directory before registering
routes.

- Add MetacryptConfig to agent config (server_url, ca_cert, mount,
  issuer, token_path) with defaults and env overrides
- Add CertProvisioner (internal/agent/certs.go): REST client for
  Metacrypt IssueCert, atomic file writes, cert expiry checking
- Wire into Agent struct and deploy flow (before route registration)
- Add hasL7Routes/l7Hostnames helpers in deploy.go
- Fix pre-existing lint issues: unreachable code in portalloc.go,
  gofmt in servicedef.go, gosec suppressions, golangci v2 config
- Update vendored mc-proxy to fix protobuf init panic
- 10 new tests, make all passes with 0 issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

This commit is contained in:

Kyle Isom

2026-03-27 13:31:11 -07:00

parent 572d2fb196

commit c7e1232f98

13 changed files with 832 additions and 26 deletions

									
										2

go.mod
									
												View File
												
				@@ -27,3 +27,5 @@ require (

					modernc.org/mathutil v1.7.1 // indirect

					modernc.org/memory v1.11.0 // indirect

				)

				replace git.wntrmute.dev/mc/mc-proxy => /home/kyle/src/metacircular/mc-proxy

Phase C: Automated TLS cert provisioning for L7 routes

2 go.mod Unescape Escape View File

2

go.mod

View File