Add JWT bootstrap command and key initialization flow for API startup #352
gusfcarvalho merged 6 commits into main
Pull request overview
Adds a first-class JWT key bootstrap flow so the API binary can generate/reconcile RSA key files (and run can self-initialize configured key paths), replacing the prior openssl-based workflow and clarifying file-vs-in-memory key behavior.
Changes:
- Introduce `internal/config` JWT key bootstrapping logic (generate/no-op/derive-public/regenerate) with unit tests.
- Add a new `bootstrap` Cobra command and invoke bootstrap during `run` when JWT key file env vars are configured.
- Route `make generate-keys` through the new CLI and update README / `.env.example` guidance.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| internal/config/jwt_bootstrap.go | Adds key bootstrap implementation and filesystem write helpers. |
| internal/config/jwt_bootstrap_test.go | Adds unit tests for bootstrap action paths. |
| cmd/jwt_bootstrap.go | Adds shared command-side bootstrap helpers and viper-based configuration detection. |
| cmd/bootstrap.go | Introduces bootstrap CLI command (flags for key paths/bit size/force). |
| cmd/run.go | Runs bootstrap during server startup when key file paths are configured. |
| cmd/root.go | Registers the new bootstrap command. |
| Makefile | Replaces openssl key generation with go run main.go bootstrap .... |
| README.md | Documents bootstrap usage and JWT key env var behavior. |
| .env.example | Adds note explaining how to enable in-memory key generation. |
Pull request overview
Adds a first-class JWT key bootstrap flow so the API binary can generate/reconcile RSA JWT key files (including deriving a public key from an existing private key), removing the need for an external init container.
Changes:
- Introduces `internal/config` JWT key bootstrap logic with atomic writes and multiple bootstrap actions (generate/no-op/derive public/regenerate).
- Adds a new `bootstrap` CLI command and wires `run` to automatically bootstrap key files when JWT key path env vars are configured.
- Updates developer tooling/docs (`make generate-keys`, `.env.example`, README) to reflect file-based vs in-memory JWT key behavior.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/config/jwt_bootstrap.go | Implements JWT keypair bootstrap logic and atomic PEM writes. |
| internal/config/jwt_bootstrap_test.go | Adds unit tests covering key bootstrap scenarios and validation. |
| cmd/run.go | Bootstraps JWT key files during server startup when configured. |
| cmd/root.go | Registers the new bootstrap command on the root CLI. |
| cmd/jwt_bootstrap.go | Adds shared CLI-side helpers for resolving/configuring key bootstrap paths. |
| cmd/bootstrap.go | Implements the bootstrap cobra command and flags. |
| README.md | Documents the bootstrap command and JWT key configuration behavior. |
| Makefile | Routes generate-keys through the new bootstrap command. |
| .env.example | Clarifies how to opt into file-based keys vs in-memory keys. |
Pull request overview
This PR adds a first-class JWT key “bootstrap” flow so the API can generate/reconcile RSA key files (including deriving the public key) at startup and via a new CLI command, simplifying deployments that previously needed an init container.
Changes:
- Introduces `bootstrap` Cobra command to generate/derive/regenerate JWT RSA key files.
- Adds shared key bootstrap logic under `internal/config` (with unit tests) and invokes it during `run` when key path env vars are configured.
- Updates developer tooling/docs (`make generate-keys`, README, `.env.example`) to reflect the new file-based vs in-memory JWT behavior.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/config/jwt_bootstrap.go | Implements key bootstrap logic (generate/no-op/derive/regenerate) with atomic writes. |
| internal/config/jwt_bootstrap_test.go | Adds unit tests covering bootstrap scenarios and error cases. |
| cmd/jwt_bootstrap.go | Adds cmd-layer helpers to resolve paths from flags/env and run bootstrap. |
| cmd/bootstrap.go | Adds new bootstrap CLI command and flags. |
| cmd/root.go | Registers the new bootstrap command with the root CLI. |
| cmd/run.go | Runs key bootstrap during API startup when JWT key env vars are configured. |
| Makefile | Routes make generate-keys through go run main.go bootstrap .... |
| README.md | Documents the new bootstrap command and JWT key behavior. |
| .env.example | Clarifies how to opt into in-memory key generation vs file-based keys. |
Pull request overview
Adds a first-class JWT key bootstrap flow so the API can initialize/reconcile RSA key files itself (and exposes the same behavior via a new CLI command), reducing reliance on external tooling/containers for key setup.
Changes:
- Introduces `internal/config` JWT key bootstrapping logic (generate/no-op/derive-public/regenerate) plus unit tests.
- Runs key bootstrap automatically during `run` when both JWT key file env vars are configured, and adds a `bootstrap` CLI command.
- Updates developer/docs tooling (`make generate-keys`, README, `.env.example`) to align with the file-based vs in-memory key behavior.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| internal/config/jwt_bootstrap.go | Implements file-based RSA keypair bootstrapping with locking and atomic writes. |
| internal/config/jwt_bootstrap_test.go | Adds coverage for key bootstrap behavior, edge cases, and concurrency. |
| cmd/run.go | Invokes JWT bootstrap during API startup when key paths are configured. |
| cmd/root.go | Registers the new bootstrap command with the root CLI. |
| cmd/jwt_bootstrap.go | Adds shared CLI/startup helpers for determining paths and running bootstrap. |
| cmd/bootstrap.go | Implements the bootstrap Cobra command and flags (--force, --bit-size, paths). |
| README.md | Documents the new command and clarifies JWT key behavior. |
| Makefile | Routes generate-keys through go run main.go bootstrap ... --force. |
| .env.example | Clarifies how to opt into in-memory key generation vs file-based keys. |
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Summary
- `bootstrap` CLI command to create or reconcile JWT key files from the API binary
- `internal/config` to support generate, no-op, derive-public, and regenerate paths
- `run` when key file env vars are configured
- `make generate-keys` through `go run main.go bootstrap`
- `.env.example` and README docs to clarify file-based vs in-memory JWT key behavior

Why ?
Well, today we have an `initcontainer` as part of our bootstrap just to derive the public key from the private key... That feels... awkward and makes our installation process harder. This adds a cli cmd and auto-configuration on API bootstrap itself (to get that public key)

Testing