Documentation
¶
Overview ¶
Package ctrl provides the main control plane service for the unkey platform.
This package implements the central control plane that orchestrates deployments, manages TLS certificates through ACME, handles build operations, and provides API services for the unkey ecosystem. It integrates with multiple backend services including Restate for workflow orchestration, vault for secrets management, and container registries for build operations.
Architecture ¶
The control plane consists of several integrated components:
- HTTP/2 gRPC server for API endpoints
- Restate workflow engine for asynchronous operations
- Vault services for secrets and certificate encryption
- Database layer for persistent storage
- ACME providers for automatic TLS certificate management
- Build backends (Depot or Docker) for container image building
Key Services ¶
[Deployment Service]: Manages application deployment workflows through Restate [Certificate Service]: Handles ACME challenges and TLS certificate lifecycle [Build Service]: Orchestrates container image builds via Depot or Docker [Routing Service]: Manages domain assignment and traffic routing [Cluster Object Service]: Handles cluster metadata and bootstrapping [OpenAPI Service]: Provides OpenAPI specification and schema documentation [Ctrl Service]: Control plane health and management operations
ACME Integration ¶
The system supports multiple ACME challenge providers:
- HTTP-01 challenges for regular domains
- DNS-01 challenges through Cloudflare for wildcard certificates
- DNS-01 challenges through AWS Route53 for wildcard certificates
Configuration ¶
The control plane is highly configurable through Config which includes:
- Database and vault configuration for persistence
- Registry and build backend settings for container operations
- ACME provider configuration for certificate management
- Restate integration for workflow orchestration
- TLS and authentication settings for secure operation
Usage ¶
Basic control plane setup:
cfg := ctrl.Config{
InstanceID: "ctrl-prod-001",
Platform: "aws",
Region: "us-west-2",
HttpPort: 8080,
DatabasePrimary: "user:pass@tcp(db:3306)/unkey",
RegistryURL: "registry.depot.dev",
RegistryUsername: "x-token",
RegistryPassword: "depot-token",
VaultMasterKeys: []string{"master-key-1"},
VaultS3: ctrl.S3Config{
URL: "https://s3.amazonaws.com",
Bucket: "unkey-vault",
AccessKeyID: "access-key",
AccessKeySecret: "secret-key",
},
BuildBackend: ctrl.BuildBackendDepot,
BuildPlatform: "linux/amd64",
Acme: ctrl.AcmeConfig{
Enabled: true,
EmailDomain: "unkey.com",
Cloudflare: ctrl.CloudflareConfig{
Enabled: true,
ApiToken: "cf-token",
},
},
}
err := ctrl.Run(context.Background(), cfg)
The control plane will:
- Initialize all services (database, vault, build backend, etc.)
- Start Restate workflow engine with all service bindings
- Register with Restate admin API for service discovery
- Start HTTP/2 gRPC server on configured port
- Handle graceful shutdown on context cancellation
Observability ¶
The control plane integrates with OpenTelemetry for metrics, traces, and structured logging. It exposes health endpoints and provides comprehensive monitoring of all operations including deployment status, certificate renewal, and build progress.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Run ¶
Run starts the control plane server with the provided configuration.
This function initializes all required services and starts the HTTP/2 gRPC server. It performs these major initialization steps: 1. Validates configuration and initializes structured logging 2. Sets up OpenTelemetry if enabled 3. Creates vault services for secrets and ACME certificates 4. Initializes database and build storage 5. Starts Restate workflow engine with service bindings 6. Configures ACME challenge providers (HTTP-01, DNS-01) 7. Registers with Restate admin API for service discovery 8. Starts HTTP/2 server with all gRPC handlers 9. Boots up cluster management and starts certificate renewal
The server handles graceful shutdown when context is cancelled, properly closing all services and database connections.
Returns an error if configuration validation fails, service initialization fails, or during server startup. Context cancellation results in clean shutdown with nil error.
Types ¶
type AcmeConfig ¶
type AcmeConfig struct {
// Enabled determines whether ACME certificate management is active.
// When true, certificates are automatically obtained and renewed.
Enabled bool
// EmailDomain is the domain used for ACME account emails.
// Used for Let's Encrypt account registration and recovery.
// Example: "unkey.com" creates "admin@unkey.com" for ACME account.
EmailDomain string
// Cloudflare configures DNS-01 challenges through Cloudflare API.
// Enables wildcard certificates for domains hosted on Cloudflare.
Cloudflare CloudflareConfig
// Route53 configures DNS-01 challenges through AWS Route53 API.
// Enables wildcard certificates for domains hosted on Route53.
Route53 Route53Config
}
AcmeConfig holds configuration for ACME TLS certificate management.
This configuration enables automatic certificate issuance and renewal through ACME protocol with support for multiple DNS providers.
type BuildBackend ¶
type BuildBackend string
BuildBackend specifies the container image build backend system.
Determines which service will be used for building container images from application source code. Each backend has different capabilities and integration requirements.
const ( // BuildBackendDepot uses Depot.dev for container builds. // Provides optimized cloud-native builds with caching and // integrated registry management. BuildBackendDepot BuildBackend = "depot" // BuildBackendDocker uses local Docker daemon for builds. // Provides on-premises builds with direct Docker integration. BuildBackendDocker BuildBackend = "docker" )
type BuildPlatform ¶
type BuildPlatform struct {
// Platform is the original build platform string.
// Example: "linux/amd64".
Platform string
// Architecture is the CPU architecture component.
// Example: "amd64", "arm64".
Architecture string
}
BuildPlatform represents parsed container build platform specification.
Contains the validated platform string separated into OS and architecture components for build backend integration.
type CloudflareConfig ¶
type CloudflareConfig struct {
// Enabled determines whether Cloudflare DNS-01 challenges are used.
// When true, wildcard certificates can be automatically obtained.
Enabled bool
// ApiToken is the Cloudflare API token for DNS management.
// Requires Zone:Read and DNS:Edit permissions for the target zones.
ApiToken string
}
CloudflareConfig holds Cloudflare API configuration for ACME DNS-01 challenges.
This configuration enables automatic DNS record creation for wildcard TLS certificates through Cloudflare's DNS API.
type Config ¶
type Config struct {
// InstanceID is the unique identifier for this control plane instance.
// Used for logging, tracing, and cluster coordination.
InstanceID string
// Platform identifies the cloud platform where the node is running.
// Affects integration with cloud-specific services and monitoring.
// Examples: "aws", "gcp", "hetzner".
Platform string
// Image specifies the container image identifier including repository and tag.
// Used for control plane deployment and sentinel image configuration.
Image string
// HttpPort defines the HTTP port for the control plane server.
// Default: 8080. Cannot be 0.
HttpPort int
// Region identifies the geographic region where this node is deployed.
// Used for observability, compliance, and service routing.
Region string
// RegistryURL is the container registry URL for pulling images.
// Example: "registry.depot.dev" or "https://registry.example.com".
RegistryURL string
// RegistryUsername is the username for container registry authentication.
// Common values: "x-token" for token-based auth or actual username.
RegistryUsername string
// RegistryPassword is the password/token for container registry authentication.
// Should be stored securely (environment variable or secret management).
RegistryPassword string
// DatabasePrimary is the primary database connection string.
// Used for both read and write operations to persistent storage.
DatabasePrimary string
// OtelEnabled enables sending telemetry data to collector endpoint.
// When true, enables metrics, traces, and structured logs.
OtelEnabled bool
// OtelTraceSamplingRate controls the percentage of traces sampled.
// Range: 0.0 (no traces) to 1.0 (all traces). Recommended: 0.1.
OtelTraceSamplingRate float64
// TLSConfig contains TLS configuration for HTTPS server.
// When nil, server runs in HTTP mode for development.
TLSConfig *tls.Config
// AuthToken is the authentication token for control plane API access.
// Used by clients and services to authenticate with this control plane.
AuthToken string
// SPIFFESocketPath is the path to the SPIFFE agent socket.
// Enables mTLS authentication with SPIFFE-based identity system.
SPIFFESocketPath string
// Clock provides time operations for testing and scheduling.
// Use clock.RealClock{} for production deployments.
Clock clock.Clock
// VaultMasterKeys are encryption keys for the general vault service.
// Used for encrypting/decrypting environment variables, API keys, etc.
VaultMasterKeys []string
// VaultS3 configures S3 storage for the general vault.
// Stores encrypted secrets data with the provided master keys.
VaultS3 S3Config
// AcmeVaultMasterKeys are encryption keys for the ACME vault service.
// Separate vault for TLS certificate storage and ACME account data.
AcmeVaultMasterKeys []string
// AcmeVaultS3 configures S3 storage for the ACME vault.
// Stores encrypted TLS certificates and ACME challenge data.
AcmeVaultS3 S3Config
// Acme configures automatic TLS certificate management.
// Enables Let's Encrypt integration for domain certificates.
Acme AcmeConfig
// DefaultDomain is the fallback domain for system operations.
// Used for sentinel deployment and automatic certificate bootstrapping.
DefaultDomain string
// Restate configures workflow engine integration.
// Enables asynchronous deployment and certificate renewal workflows.
Restate RestateConfig
// BuildBackend selects the container build system.
// Options: BuildBackendDepot or BuildBackendDocker.
BuildBackend BuildBackend
// BuildS3 configures storage for build artifacts and outputs.
// Used by both Depot and Docker build backends.
BuildS3 S3Config
// BuildPlatform defines the target architecture for container builds.
// Format: "linux/amd64", "linux/arm64". Only "linux" OS supported.
BuildPlatform string
// Depot configures Depot.dev build service integration.
// Required when using BuildBackendDepot.
Depot DepotConfig
// ClickhouseURL is the ClickHouse database connection string.
// Used for analytics and operational metrics storage.
ClickhouseURL string
// SentinelImage is the container image used for new sentinel deployments.
// Overrides default sentinel image with custom build or registry.
SentinelImage string
// AvailableRegions is a list of available regions for deployments.
// typically in the format "provider:region", ie "aws:us-east-1", "dev:local"
AvailableRegions []string
}
Config holds configuration for the control plane server.
This comprehensive configuration structure defines all aspects of control plane operation including database connections, vault integration, build backends, ACME certificate management, and service discovery.
func (Config) GetBuildPlatform ¶
func (c Config) GetBuildPlatform() BuildPlatform
GetBuildPlatform returns the parsed build platform.
This method returns the parsed BuildPlatform from the configured BuildPlatform string. Should only be called after Validate() succeeds to ensure the platform string is valid.
Returns BuildPlatform with parsed platform and architecture components.
func (Config) GetDepotConfig ¶
func (c Config) GetDepotConfig() DepotConfig
GetDepotConfig returns the depot configuration.
This method returns the DepotConfig from the main Config struct. Should only be called after Validate() succeeds to ensure depot configuration is complete and valid.
Returns the DepotConfig containing API URL and project region.
func (Config) GetRegistryConfig ¶
func (c Config) GetRegistryConfig() RegistryConfig
GetRegistryConfig returns the registry configuration.
This method builds a RegistryConfig from the individual registry settings in the main Config struct. Should only be called after Validate() succeeds to ensure all required fields are present.
Returns RegistryConfig with URL, username, and password for container registry access.
func (Config) Validate ¶
Validate checks the configuration for required fields and logical consistency.
This method performs comprehensive validation of all configuration sections including build backend, ACME providers, database connections, and required credentials. It ensures that conditional configuration (like ACME providers) has all necessary dependencies.
Returns an error if required fields are missing, invalid, or inconsistent. Provides detailed error messages to help identify configuration issues.
type DepotConfig ¶
type DepotConfig struct {
// APIUrl is the Depot API endpoint URL for build operations.
// Example: "https://api.depot.dev".
APIUrl string
// ProjectRegion is the geographic region for build storage.
// Affects build performance and data residency.
// Options: "us-east-1", "eu-central-1". Default: "us-east-1".
ProjectRegion string
}
DepotConfig holds configuration for Depot.dev build service integration.
This configuration enables cloud-native container builds through Depot's managed build infrastructure with optimized caching.
type RegistryConfig ¶
type RegistryConfig struct {
// URL is the container registry endpoint URL.
// Example: "registry.depot.dev" or "https://registry.example.com".
URL string
// Username is the registry authentication username.
// Common values: "x-token" for token-based auth, or actual username.
Username string
// Password is the registry password or authentication token.
// Should be stored securely and rotated regularly.
Password string
}
RegistryConfig holds container registry authentication configuration.
This configuration provides credentials for accessing container registries used by build backends for pushing and pulling images.
type RestateConfig ¶
type RestateConfig struct {
// FrontlineURL is the Restate frontline endpoint URL for workflow invocation.
// Used by clients to start and interact with workflow executions.
// Example: "http://restate:8080".
FrontlineURL string
// AdminURL is the Restate admin endpoint URL for service registration.
// Used by the control plane to register its workflow services.
// Example: "http://restate:9070".
AdminURL string
// HttpPort is the port where the control plane listens for Restate requests.
// This is the internal Restate server port, not the main API port.
HttpPort int
// RegisterAs is the service URL used for self-registration with Restate.
// Allows other Restate services to discover and invoke this control plane.
// Example: "http://ctrl:9080".
RegisterAs string
}
RestateConfig holds configuration for Restate workflow engine integration.
This configuration enables asynchronous workflow execution through the Restate distributed system for deployment and certificate operations.
type Route53Config ¶
type Route53Config struct {
// Enabled determines whether Route53 DNS-01 challenges are used.
// When true, wildcard certificates can be automatically obtained.
Enabled bool
// AccessKeyID is the AWS access key ID for Route53 API access.
AccessKeyID string
// SecretAccessKey is the AWS secret access key for Route53 API access.
SecretAccessKey string
// Region is the AWS region where Route53 hosted zones are located.
// Example: "us-east-1", "us-west-2".
Region string
// HostedZoneID overrides automatic zone discovery.
// Required when domains have complex CNAME setups that confuse
// automatic zone lookup (e.g., wildcard CNAMEs to load balancers).
HostedZoneID string
}
Route53Config holds AWS Route53 configuration for ACME DNS-01 challenges.
This configuration enables automatic DNS record creation for wildcard TLS certificates through AWS Route53 DNS API.
type S3Config ¶
type S3Config struct {
// URL is the S3 endpoint URL including protocol and region.
// Examples: "https://s3.amazonaws.com" or "https://s3.us-west-2.amazonaws.com".
URL string
// Bucket is the S3 bucket name for storing objects.
// Must exist and be accessible with the provided credentials.
Bucket string
// AccessKeyID is the AWS access key ID for S3 authentication.
// Must have appropriate permissions for bucket operations.
AccessKeyID string
// AccessKeySecret is the AWS secret access key for S3 authentication.
// Should be stored securely and rotated regularly.
AccessKeySecret string
// ExternalURL is the public-facing URL for accessing S3 objects.
// Used when objects need to be accessed from outside the AWS network.
// Optional - can be empty for internal-only access.
ExternalURL string
}
S3Config holds S3 configuration for storage backends.
This configuration is used by vault, build storage, and other services that need to store data in S3-compatible object storage.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
caches
Package caches provides shared cache instances for control plane operations.
|
Package caches provides shared cache instances for control plane operations. |
|
Package middleware provides authentication and authorization for control plane APIs.
|
Package middleware provides authentication and authorization for control plane APIs. |
|
pkg
|
|
|
hash
Package hash provides deterministic hashing for control plane resources.
|
Package hash provides deterministic hashing for control plane resources. |
|
Package services provides gRPC service implementations for the control plane.
|
Package services provides gRPC service implementations for the control plane. |
|
acme
Package acme provides ACME certificate challenge management.
|
Package acme provides ACME certificate challenge management. |
|
build
Package build provides container image building services.
|
Package build provides container image building services. |
|
build/backend/depot
Package depot provides Depot.dev build backend integration.
|
Package depot provides Depot.dev build backend integration. |
|
build/backend/docker
Package docker provides local Docker build backend integration.
|
Package docker provides local Docker build backend integration. |
|
build/storage
Package storage provides S3-compatible storage for build artifacts.
|
Package storage provides S3-compatible storage for build artifacts. |
|
ctrl
Package ctrl provides administrative and health check services.
|
Package ctrl provides administrative and health check services. |
|
deployment
Package deployment provides complete deployment lifecycle orchestration.
|
Package deployment provides complete deployment lifecycle orchestration. |
|
openapi
Package openapi provides OpenAPI specification and schema documentation.
|
Package openapi provides OpenAPI specification and schema documentation. |
|
workflows
|
|
|
certificate
Package certificate implements ACME certificate challenge workflows for SSL/TLS provisioning.
|
Package certificate implements ACME certificate challenge workflows for SSL/TLS provisioning. |
|
deploy
Package deploy implements deployment lifecycle orchestration workflows.
|
Package deploy implements deployment lifecycle orchestration workflows. |
|
routing
Package routing manages domain assignment and traffic routing workflows.
|
Package routing manages domain assignment and traffic routing workflows. |