Kyle Isom
8f77050a84
Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).
Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry
CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen
Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
for unauthenticated TLS trust bootstrapping
Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
25 lines
659 B
YAML
25 lines
659 B
YAML
services:
|
|
metacrypt:
|
|
build:
|
|
context: ../..
|
|
dockerfile: Dockerfile
|
|
container_name: metacrypt
|
|
restart: unless-stopped
|
|
ports:
|
|
- "8443:8443"
|
|
volumes:
|
|
- metacrypt-data:/srv/metacrypt
|
|
# To populate /srv/metacrypt before first run, use an init container or
|
|
# bind-mount a host directory instead of a named volume:
|
|
# volumes:
|
|
# - ./data:/srv/metacrypt
|
|
healthcheck:
|
|
test: ["CMD", "metacrypt", "status", "--addr", "https://localhost:8443", "--ca-cert", "/srv/metacrypt/certs/ca.crt"]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 3
|
|
start_period: 10s
|
|
|
|
volumes:
|
|
metacrypt-data:
|