mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:51:30 +00:00
shankar0123
4c3b7cbb16
Audit all docs and examples against current codebase state. Fix seed_demo.sql domain constant casing (IssuerType, TargetType, AgentStatus) that would cause agent dispatch failures. Fix example docker-compose health endpoints (/health not /api/v1/health) and env var names (CERTCTL_DATABASE_URL). Update connector counts, test numbers, and planned→implemented status across docs. Convert 3 ASCII flow diagrams to Mermaid. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
183 lines
5.5 KiB
YAML
183 lines
5.5 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
# PostgreSQL database for certctl
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
container_name: certctl-postgres-private-ca
|
|
environment:
|
|
POSTGRES_DB: certctl
|
|
POSTGRES_USER: certctl
|
|
POSTGRES_PASSWORD: ${DB_PASSWORD:-certctl-dev-password}
|
|
volumes:
|
|
- postgres_data:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ['CMD-SHELL', 'pg_isready -U certctl -d certctl']
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
networks:
|
|
- certctl-network
|
|
restart: unless-stopped
|
|
|
|
# certctl server (control plane) with Local CA in sub-CA mode
|
|
certctl-server:
|
|
image: ghcr.io/shankar0123/certctl-server:latest
|
|
container_name: certctl-server-private-ca
|
|
environment:
|
|
# Database
|
|
CERTCTL_DATABASE_URL: postgres://certctl:${DB_PASSWORD:-certctl-dev-password}@postgres:5432/certctl?sslmode=disable
|
|
|
|
# Server settings
|
|
CERTCTL_SERVER_PORT: 8443
|
|
CERTCTL_SERVER_HOST: 0.0.0.0
|
|
|
|
# Auth (disabled for demo; production should use API keys)
|
|
CERTCTL_AUTH_TYPE: none
|
|
|
|
# CORS (allow agent and Traefik communication)
|
|
CERTCTL_CORS_ORIGINS: '*'
|
|
|
|
# Key generation mode (agent-side in production, server-side for demo)
|
|
CERTCTL_KEYGEN_MODE: server
|
|
|
|
# Local CA configuration
|
|
# For self-signed CA (default, no paths set):
|
|
# - CA generates a self-signed root certificate
|
|
# - All issued certificates chain to this root
|
|
#
|
|
# For sub-CA mode (provide both paths):
|
|
# - Load pre-signed CA certificate and key from these paths
|
|
# - All issued certificates chain to your enterprise root CA
|
|
# - Requires: CA cert must have IsCA=true and KeyUsageCertSign
|
|
# - Supports: RSA, ECDSA, PKCS#8 key formats
|
|
#
|
|
# To use sub-CA mode:
|
|
# 1. Place your enterprise CA cert at ./ca-cert.pem
|
|
# 2. Place your enterprise CA key at ./ca-key.pem
|
|
# 3. Uncomment the two lines below
|
|
# 4. Restart the service
|
|
#
|
|
# CERTCTL_CA_CERT_PATH: /etc/certctl/ca-cert.pem
|
|
# CERTCTL_CA_KEY_PATH: /etc/certctl/ca-key.pem
|
|
|
|
# Logging
|
|
CERTCTL_LOG_LEVEL: info
|
|
ports:
|
|
- '${SERVER_PORT:-8443}:8443'
|
|
volumes:
|
|
# Mount directory for CA cert/key (for sub-CA mode)
|
|
# Copy your enterprise CA cert+key here:
|
|
# cp /path/to/your/ca.pem ./ca-cert.pem
|
|
# cp /path/to/your/ca-key.pem ./ca-key.pem
|
|
- ./ca-certs:/etc/certctl:ro
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
networks:
|
|
- certctl-network
|
|
healthcheck:
|
|
test: ['CMD-SHELL', 'curl -sf http://localhost:8443/health || exit 1']
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 3
|
|
restart: unless-stopped
|
|
|
|
# certctl agent (deploys certs to Traefik)
|
|
certctl-agent:
|
|
image: ghcr.io/shankar0123/certctl-agent:latest
|
|
container_name: certctl-agent-private-ca
|
|
environment:
|
|
# Control plane connection
|
|
CERTCTL_SERVER_URL: http://certctl-server:8443
|
|
CERTCTL_API_KEY: ${AGENT_API_KEY:-agent-demo-key}
|
|
|
|
# Key generation (agent-side keys, never sent to server)
|
|
CERTCTL_KEYGEN_MODE: server
|
|
CERTCTL_KEY_DIR: /var/lib/certctl/keys
|
|
|
|
# Discovery (scan for existing certs in Traefik's directory)
|
|
CERTCTL_DISCOVERY_DIRS: /etc/traefik/certs
|
|
|
|
# Heartbeat interval
|
|
CERTCTL_HEARTBEAT_INTERVAL: 30s
|
|
|
|
# Agent metadata (self-reported)
|
|
CERTCTL_AGENT_NAME: traefik-agent-01
|
|
|
|
# Logging
|
|
CERTCTL_LOG_LEVEL: info
|
|
volumes:
|
|
# Mount Traefik cert directory for deployment
|
|
- traefik_certs:/etc/traefik/certs
|
|
# Agent key storage (persisted across restarts)
|
|
- agent_keys:/var/lib/certctl/keys
|
|
depends_on:
|
|
certctl-server:
|
|
condition: service_healthy
|
|
networks:
|
|
- certctl-network
|
|
restart: unless-stopped
|
|
|
|
# Traefik reverse proxy / edge router
|
|
# Certificates deployed by certctl-agent are automatically loaded from the certs directory
|
|
traefik:
|
|
image: traefik:v3.0
|
|
container_name: certctl-traefik-private-ca
|
|
command:
|
|
# Enable dashboard and API
|
|
- '--api.insecure=true'
|
|
- '--api.dashboard=true'
|
|
|
|
# File provider: watch the certs directory for dynamic config updates
|
|
- '--providers.file.directory=/etc/traefik/dynamic'
|
|
- '--providers.file.watch=true'
|
|
|
|
# Entry points (HTTP and HTTPS)
|
|
- '--entrypoints.web.address=:80'
|
|
- '--entrypoints.websecure.address=:443'
|
|
- '--entrypoints.websecure.http.tls=true'
|
|
|
|
# Global TLS settings
|
|
- '--entryPoints.websecure.http.tls.certResolver=internal'
|
|
|
|
# Logging
|
|
- '--log.level=info'
|
|
- '--accesslog=true'
|
|
ports:
|
|
# HTTP
|
|
- '80:80'
|
|
# HTTPS
|
|
- '443:443'
|
|
# Dashboard (http://localhost:8080)
|
|
- '8080:8080'
|
|
volumes:
|
|
# Mount Traefik config directory
|
|
- ./traefik-config:/etc/traefik/dynamic:ro
|
|
# Mount cert directory (where certctl deploys certs)
|
|
- traefik_certs:/etc/traefik/certs:ro
|
|
# Allow Traefik to read Docker socket (optional, for container labeling)
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
networks:
|
|
- certctl-network
|
|
depends_on:
|
|
- certctl-agent
|
|
healthcheck:
|
|
test: ['CMD-SHELL', 'curl -sf http://localhost:8080/ping || exit 1']
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 3
|
|
restart: unless-stopped
|
|
|
|
networks:
|
|
certctl-network:
|
|
driver: bridge
|
|
|
|
volumes:
|
|
postgres_data:
|
|
driver: local
|
|
traefik_certs:
|
|
driver: local
|
|
agent_keys:
|
|
driver: local
|