Kyle Isom
cc1ac2e255
The vault server holds in-memory unsealed state (KEK, engine keys) that is lost on restart, requiring a full unseal ceremony. Previously the web UI ran inside the vault process, so any UI change forced a restart and re-unseal. This change extracts the web UI into a separate metacrypt-web binary that communicates with the vault over an authenticated gRPC connection. The web server carries no sealed state and can be restarted freely. - gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/ - internal/grpcserver/: full gRPC server implementation (System, Auth, Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors - internal/webserver/: web server with gRPC vault client; templates embedded via web/embed.go (no runtime web/ directory needed) - cmd/metacrypt-web/: standalone binary entry point - internal/config: added [web] section (listen_addr, vault_grpc, etc.) - internal/server/routes.go: removed all web UI routes and handlers - cmd/metacrypt/server.go: starts gRPC server alongside HTTP server - Deploy: Dockerfile builds both binaries, docker-compose adds metacrypt-web service, new metacrypt-web.service systemd unit, Makefile gains proto/metacrypt-web targets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
82 lines
2.3 KiB
Go
82 lines
2.3 KiB
Go
package grpcserver
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
|
|
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
|
|
)
|
|
|
|
type pkiServer struct {
|
|
pb.UnimplementedPKIServiceServer
|
|
s *GRPCServer
|
|
}
|
|
|
|
func (ps *pkiServer) GetRootCert(_ context.Context, req *pb.GetRootCertRequest) (*pb.GetRootCertResponse, error) {
|
|
caEng, err := ps.getCAEngine(req.Mount)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
certPEM, err := caEng.GetRootCertPEM()
|
|
if err != nil {
|
|
return nil, status.Error(codes.Unavailable, "sealed")
|
|
}
|
|
return &pb.GetRootCertResponse{CertPem: certPEM}, nil
|
|
}
|
|
|
|
func (ps *pkiServer) GetChain(_ context.Context, req *pb.GetChainRequest) (*pb.GetChainResponse, error) {
|
|
if req.Issuer == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "issuer is required")
|
|
}
|
|
caEng, err := ps.getCAEngine(req.Mount)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
chainPEM, err := caEng.GetChainPEM(req.Issuer)
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrIssuerNotFound) {
|
|
return nil, status.Error(codes.NotFound, "issuer not found")
|
|
}
|
|
return nil, status.Error(codes.Unavailable, "sealed")
|
|
}
|
|
return &pb.GetChainResponse{ChainPem: chainPEM}, nil
|
|
}
|
|
|
|
func (ps *pkiServer) GetIssuerCert(_ context.Context, req *pb.GetIssuerCertRequest) (*pb.GetIssuerCertResponse, error) {
|
|
if req.Issuer == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "issuer is required")
|
|
}
|
|
caEng, err := ps.getCAEngine(req.Mount)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
certPEM, err := caEng.GetIssuerCertPEM(req.Issuer)
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrIssuerNotFound) {
|
|
return nil, status.Error(codes.NotFound, "issuer not found")
|
|
}
|
|
return nil, status.Error(codes.Unavailable, "sealed")
|
|
}
|
|
return &pb.GetIssuerCertResponse{CertPem: certPEM}, nil
|
|
}
|
|
|
|
func (ps *pkiServer) getCAEngine(mountName string) (*ca.CAEngine, error) {
|
|
mount, err := ps.s.engines.GetMount(mountName)
|
|
if err != nil {
|
|
return nil, status.Error(codes.NotFound, err.Error())
|
|
}
|
|
if mount.Type != engine.EngineTypeCA {
|
|
return nil, status.Error(codes.NotFound, "mount is not a CA engine")
|
|
}
|
|
caEng, ok := mount.Engine.(*ca.CAEngine)
|
|
if !ok {
|
|
return nil, status.Error(codes.NotFound, "mount is not a CA engine")
|
|
}
|
|
return caEng, nil
|
|
}
|