Phase C: Automated TLS cert provisioning for L7 routes
Add CertProvisioner that requests TLS certificates from Metacrypt's CA API during deploy. When a service has L7 routes, the agent checks for an existing cert, re-issues if missing or within 30 days of expiry, and writes chain+key to mc-proxy's cert directory before registering routes. - Add MetacryptConfig to agent config (server_url, ca_cert, mount, issuer, token_path) with defaults and env overrides - Add CertProvisioner (internal/agent/certs.go): REST client for Metacrypt IssueCert, atomic file writes, cert expiry checking - Wire into Agent struct and deploy flow (before route registration) - Add hasL7Routes/l7Hostnames helpers in deploy.go - Fix pre-existing lint issues: unreachable code in portalloc.go, gofmt in servicedef.go, gosec suppressions, golangci v2 config - Update vendored mc-proxy to fix protobuf init panic - 10 new tests, make all passes with 0 issues Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
3
vendor/modules.txt
vendored
3
vendor/modules.txt
vendored
@@ -1,4 +1,4 @@
|
||||
# git.wntrmute.dev/mc/mc-proxy v1.1.0
|
||||
# git.wntrmute.dev/mc/mc-proxy v1.1.0 => /home/kyle/src/metacircular/mc-proxy
|
||||
## explicit; go 1.25.7
|
||||
git.wntrmute.dev/mc/mc-proxy/client/mcproxy
|
||||
git.wntrmute.dev/mc/mc-proxy/gen/mc_proxy/v1
|
||||
@@ -192,3 +192,4 @@ modernc.org/memory
|
||||
modernc.org/sqlite
|
||||
modernc.org/sqlite/lib
|
||||
modernc.org/sqlite/vtab
|
||||
# git.wntrmute.dev/mc/mc-proxy => /home/kyle/src/metacircular/mc-proxy
|
||||
|
||||
Reference in New Issue
Block a user