92c6431ccf
Adds a profile-gated `step-ca` service to `docker-compose.federated.yml` so the federated tier has its own internal CA. No gateway code consumes the CA yet — that lands in M2-04 (ca.service.ts). - docker-compose.federated.yml: new `step-ca` service using image `smallstep/step-ca:0.27.4` (pinned stable; `latest` forbidden by Mosaic image policy), named volume `step_ca_data`, port 9000, `[federated]` profile gate, healthcheck with 30s start_period - infra/step-ca/init.sh: idempotent first-boot init; runs `step ca init` with JWK provisioner `mosaic-fed` if /home/step/config/ca.json absent; otherwise starts CA directly - infra/step-ca/dev-password.example: sample dev password (real file is gitignored) - infra/step-ca/templates/federation.tpl: X.509 template skeleton for custom OID SAN extensions (grantId 1.3.6.1.4.1.99999.1, subjectUserId 1.3.6.1.4.1.99999.2); TODO comment links M2-04 as the landing point - .gitignore: ignores infra/step-ca/dev-password (real password) Refs #461 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
207 B
207 B