92c6431ccf
Adds a profile-gated `step-ca` service to `docker-compose.federated.yml` so the federated tier has its own internal CA. No gateway code consumes the CA yet — that lands in M2-04 (ca.service.ts). - docker-compose.federated.yml: new `step-ca` service using image `smallstep/step-ca:0.27.4` (pinned stable; `latest` forbidden by Mosaic image policy), named volume `step_ca_data`, port 9000, `[federated]` profile gate, healthcheck with 30s start_period - infra/step-ca/init.sh: idempotent first-boot init; runs `step ca init` with JWK provisioner `mosaic-fed` if /home/step/config/ca.json absent; otherwise starts CA directly - infra/step-ca/dev-password.example: sample dev password (real file is gitignored) - infra/step-ca/templates/federation.tpl: X.509 template skeleton for custom OID SAN extensions (grantId 1.3.6.1.4.1.99999.1, subjectUserId 1.3.6.1.4.1.99999.2); TODO comment links M2-04 as the landing point - .gitignore: ignores infra/step-ca/dev-password (real password) Refs #461 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
61 lines
2.0 KiB
Bash
Executable File
61 lines
2.0 KiB
Bash
Executable File
#!/bin/sh
|
|
# infra/step-ca/init.sh
|
|
#
|
|
# Idempotent first-boot initialiser for the Mosaic Federation CA.
|
|
#
|
|
# On the first run (no /home/step/config/ca.json present) this script:
|
|
# 1. Initialises Step-CA with a JWK provisioner named "mosaic-fed".
|
|
# 2. Writes the CA configuration to the persistent volume at /home/step.
|
|
#
|
|
# On subsequent runs (config already exists) this script skips init and
|
|
# starts the CA directly.
|
|
#
|
|
# The provisioner name "mosaic-fed" is consumed by:
|
|
# apps/gateway/src/federation/ca.service.ts (added in M2-04)
|
|
#
|
|
# Password source:
|
|
# Dev: mounted from ./infra/step-ca/dev-password via bind mount.
|
|
# Prod: mounted from a Docker secret at /run/secrets/ca_password.
|
|
#
|
|
# OID template:
|
|
# infra/step-ca/templates/federation.tpl is copied into the CA config
|
|
# directory so the JWK provisioner can reference it. The template
|
|
# skeleton is wired in M2-04 when the CA service lands the SAN-bearing
|
|
# CSR work.
|
|
|
|
set -e
|
|
|
|
CA_CONFIG="/home/step/config/ca.json"
|
|
PASSWORD_FILE="/run/secrets/ca_password"
|
|
|
|
if [ ! -f "${CA_CONFIG}" ]; then
|
|
echo "[step-ca init] First boot detected — initialising Mosaic Federation CA..."
|
|
|
|
step ca init \
|
|
--name "Mosaic Federation CA" \
|
|
--dns "localhost" \
|
|
--dns "step-ca" \
|
|
--address ":9000" \
|
|
--provisioner "mosaic-fed" \
|
|
--password-file "${PASSWORD_FILE}" \
|
|
--provisioner-password-file "${PASSWORD_FILE}" \
|
|
--no-db
|
|
|
|
echo "[step-ca init] CA initialised."
|
|
|
|
# Copy the X.509 template into the Step-CA config directory so the
|
|
# provisioner can reference it in M2-04.
|
|
if [ -f "/etc/step-ca-templates/federation.tpl" ]; then
|
|
mkdir -p /home/step/templates
|
|
cp /etc/step-ca-templates/federation.tpl /home/step/templates/federation.tpl
|
|
echo "[step-ca init] Federation X.509 template copied to /home/step/templates/."
|
|
fi
|
|
|
|
echo "[step-ca init] Startup complete."
|
|
else
|
|
echo "[step-ca init] Config already exists — skipping init."
|
|
fi
|
|
|
|
echo "[step-ca init] Starting Step-CA on :9000..."
|
|
exec step-ca /home/step/config/ca.json --password-file "${PASSWORD_FILE}"
|