feat(federation): add Step-CA sidecar to federated compose stack [FED-M2-02]
Adds a profile-gated `step-ca` service to `docker-compose.federated.yml` so the federated tier has its own internal CA. No gateway code consumes the CA yet — that lands in M2-04 (ca.service.ts).

- docker-compose.federated.yml: new `step-ca` service using image `smallstep/step-ca:0.27.4` (pinned stable; `latest` forbidden by Mosaic image policy), named volume `step_ca_data`, port 9000, `[federated]` profile gate, healthcheck with 30s start_period
- infra/step-ca/init.sh: idempotent first-boot init; runs `step ca init` with JWK provisioner `mosaic-fed` if /home/step/config/ca.json absent; otherwise starts CA directly
- infra/step-ca/dev-password.example: sample dev password (real file is gitignored)
- infra/step-ca/templates/federation.tpl: X.509 template skeleton for custom OID SAN extensions (grantId 1.3.6.1.4.1.99999.1, subjectUserId 1.3.6.1.4.1.99999.2); TODO comment links M2-04 as the landing point
- .gitignore: ignores infra/step-ca/dev-password (real password)

Refs #461

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
48
infra/step-ca/templates/federation.tpl
Normal file
@@ -0,0 +1,48 @@
{
"subject": {{ toJson .Subject }},
"sans": {{ toJson .SANs }},

{{- /*
Mosaic Federation X.509 Certificate Template
============================================
This template is used by the "mosaic-fed" JWK provisioner to sign
federation client certificates.

Custom OID extensions (per PRD §6):
1.3.6.1.4.1.99999.1 — mosaic.federation.grantId (UUID string)
1.3.6.1.4.1.99999.2 — mosaic.federation.subjectUserId (UUID string)

TODO (M2-04): Wire actual OID extensions below once the CA service
(apps/gateway/src/federation/ca.service.ts) lands the SAN-bearing CSR
work and the template can be exercised end-to-end.

Step-CA template reference:
https://smallstep.com/docs/step-ca/templates

Expected final shape of the extensions block (placeholder — not yet
activated):

"extensions": [
{
"id": "1.3.6.1.4.1.99999.1",
"critical": false,
"value": {{ toJson (first .Token.mosaic_grant_id) }}
},
{
"id": "1.3.6.1.4.1.99999.2",
"critical": false,
"value": {{ toJson (first .Token.mosaic_subject_user_id) }}
}
],

The provisioner must pass these values in the ACME/JWK token payload
(token claims `mosaic_grant_id` and `mosaic_subject_user_id`) when
submitting the CSR. M2-04 owns that work.
*/ -}}

"keyUsage": ["digitalSignature"],
"extKeyUsage": ["clientAuth"],
"basicConstraints": {
"isCA": false
}
}
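Review bot: the placeholder extension values in the comment block do not match the documented claim shape: the header says `grantId (UUID string)` and `subjectUserId (UUID string)`, but `{{ toJson (first .Token.mosaic_grant_id) }}` applies Sprig's `first`, which takes a list, so the claim would have to be a single-element array rather than a string. Decide on one shape now and state it next to the "token claims `mosaic_grant_id` and `mosaic_subject_user_id`" sentence, so M2-04 does not have to reverse-engineer it from the template. Two further things worth settling before the block is uncommented: check against the linked step-ca template docs what encoding the `value` field of a custom `extensions` entry expects (if it is base64-encoded DER, a raw UUID string passed through `toJson` will not be accepted as-is), and add a line noting that both extension values are taken verbatim from the provisioner token, so their integrity is exactly that of the `mosaic-fed` JWK key custody. Minor: the commit message calls these "custom OID SAN extensions", but the template emits them as ordinary certificate extensions alongside `"sans": {{ toJson .SANs }}`, not as SANs; the wording in the commit message or the file header should be aligned.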