-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathplatform-bootstrap-openapi.yaml
More file actions
360 lines (351 loc) · 15.3 KB
/
Copy pathplatform-bootstrap-openapi.yaml
File metadata and controls
360 lines (351 loc) · 15.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
openapi: 3.0.4
info:
title: Platform Bootstrap API
version: 0.1.0
x-products: [edk, vdx]
description: |
Runtime bootstrap API for platform-hosted applications and internal
services.
The browser runtime endpoint exposes only deployment runtime wiring:
platform URLs, OAuth browser client metadata, audience values, service API
base URLs, license capability flags, and cache revision metadata.
By default it derives the browser-facing platform origin from the incoming
request host and forwarded headers. Tenant API roots are tenant-owned URLs
and are resolved only from tenant selectors or explicit tenant public-base
configuration.
The internal consumer endpoint exposes east-west service discovery for
satellites, workload services, and platform-side operators. It may include
Kubernetes or Docker network addresses and must not be exposed as browser
configuration.
This surface is intentionally separate from platform-admin and
platform-config. Platform-admin owns tenant and platform lifecycle
administration. Platform-config owns tenant/service runtime settings.
Business artifacts such as credential designs, issuer/verifier designs,
DCQL queries, render variants, status-list entries, credential definitions,
and any secrets remain in their dedicated APIs and stores.
Standards metadata documents such as OAuth/OIDC, OID4VCI, OID4VP, DID, and
other `.well-known` responses are separate from this bootstrap surface and
must continue to advertise their canonical public issuers and service URLs.
servers:
- url: https://platform.example.com/api/platform/bootstrap/v1
description: Production server.
- url: http://localhost:8080/api/platform/bootstrap/v1
description: Local development server.
tags:
- name: PlatformBootstrap
description: Runtime bootstrap for platform-hosted applications and internal services.
paths:
/runtime-config/{applicationId}:
get:
tags: [PlatformBootstrap]
operationId: getApplicationRuntimeConfig
security: []
summary: Get browser-safe application runtime configuration
description: |
Returns the sanitized runtime configuration response for a known
platform-hosted browser application.
Known application ids include `admin-console`, `platform-onboarding`,
and `license-portal`. Unknown application ids are rejected. The response
is safe to expose to browser JavaScript and does not include internal
Kubernetes or Docker addresses, raw secrets, business-authored credential
artifacts, DCQL query bodies, issuer or verifier designs, or service
configuration bodies.
The response may use the inbound request origin as the platform base URL.
That behavior is for browser runtime wiring only; `.well-known` protocol
metadata continues to use the canonical public endpoint binding for the
resolved tenant/service.
`tenantKms` is the tenant-KMS API service object. It is not a KMS
provider inventory. Tenant default providers, platform/internal KMS
providers, and additional tenant providers remain managed through the
platform-config `kms.providers` domain.
parameters:
- name: applicationId
in: path
required: true
description: Platform-hosted application id requesting runtime configuration.
schema:
type: string
examples:
adminConsole:
value: admin-console
platformOnboarding:
value: platform-onboarding
licensePortal:
value: license-portal
- name: tenantId
in: query
required: false
description: Optional tenant selector used to resolve tenant-specific browser wiring.
schema:
type: string
- name: tenantSlug
in: query
required: false
description: Optional tenant slug used to derive tenant subdomain API roots.
schema:
type: string
- name: knownRevision
in: query
required: false
description: Last runtime-config revision known by the caller.
schema:
type: string
responses:
'200':
description: Runtime configuration response.
headers:
ETag:
description: Runtime configuration revision.
schema:
type: string
Cache-Control:
description: Cache policy using the returned metadata TTL.
schema:
type: string
example: public, max-age=300
content:
application/json:
schema:
$ref: './platform-bootstrap-components.yml#/components/schemas/ApplicationRuntimeConfigResponse'
example:
metadata:
applicationId: admin-console
tenantId: 7b3c2d9e-1f4a-4c8b-9e2d-5a6f7c8b9d01
tenantSlug: acme
revision: v1:admin-console:7b3c2d9e:acme:8f4c
generatedAtEpochMs: 1782478560000
ttlSeconds: 300
unchanged: false
sourceId: platform-runtime-config
warnings: []
data:
platform:
publicBaseUrl: https://platform.nk.example.com
issuer: https://platform.nk.example.com
authorizationUrl: https://platform.nk.example.com/oauth2/authorize
tokenUrl: https://platform.nk.example.com/oauth2/token
jwksUri: https://platform.nk.example.com/.well-known/jwks.json
endSessionUrl: https://platform.nk.example.com/oauth2/logout
oauth:
clientId: admin-console
scope: openid profile email platform.operator
redirectPath: /admin-console/operator/callback
postLogoutRedirectPath: /admin-console
services:
platform:
serviceId: platform
baseUrl: https://platform.nk.example.com
audience: enterprise-platform
endpoints:
bootstrapApi:
path: /api/platform/bootstrap/v1
description: Browser and service bootstrap API root
authorization:
path: /authorize
description: Platform authorization endpoint
token:
path: /token
description: Platform token endpoint
jwks:
path: /.well-known/jwks.json
description: Platform JSON Web Key Set
platformAdmin:
serviceId: platform
baseUrl: https://platform.nk.example.com
audience: enterprise-platform
endpoints:
api:
path: /api/platform/admin/v1
description: Platform administration API root
tenants:
path: /api/platform/admin/v1/tenants
description: Tenant administration collection
features:
path: /api/platform/admin/v1/features
description: Platform feature catalog
platformConfig:
serviceId: platform
baseUrl: https://platform.nk.example.com
audience: enterprise-platform
endpoints:
api:
path: /api/platform/config/v1
description: Platform service configuration API root
kmsProviders:
path: /api/platform/config/v1/tenants/tenant-acme/kms/providers
description: Tenant KMS provider configuration
tenantKms:
serviceId: service-crypto
baseUrl: https://acme.nk.example.com
audience: enterprise-tenant-kms
endpoints:
api:
path: /api/kms/v1
description: Tenant KMS API root
providers:
path: /api/kms/v1/providers
description: Tenant KMS providers
keys:
path: /api/kms/v1/keys
description: Tenant KMS keys
tenantDid:
serviceId: service-data
baseUrl: https://acme.nk.example.com
audience: enterprise-tenant-did
endpoints:
api:
path: /api/did/v1
description: Tenant DID API root
identifiers:
path: /api/did/v1/identifiers
description: Tenant DID identifiers
didWeb:
path: /.well-known/did.json
description: Tenant DID Web document
issuer:
serviceId: issuer
baseUrl: https://acme.nk.example.com
audience: enterprise-issuer
endpoints:
metadata:
path: /.well-known/openid-credential-issuer
description: OID4VCI issuer metadata
api:
path: /api/oid4vci/v1
description: OID4VCI management API root
credentialDesigns:
path: /api/credential-design/v1
description: Credential design API root
verifier:
serviceId: verifier
baseUrl: https://acme.nk.example.com
audience: enterprise-verifier
endpoints:
protocol:
path: /oid4vp
description: OID4VP protocol root
dcqlApi:
path: /api/dcql/v1
description: DCQL query API root
licensePortal:
serviceId: license-portal
baseUrl: https://platform.nk.example.com
audience: enterprise-platform
endpoints:
app:
path: /license-portal
description: License portal application root
api:
path: /license-portal/api/license-portal/v1
description: License portal API root
capabilities:
licensePortalEnabled: 'true'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'404':
description: Unknown application id or runtime bootstrap surface unavailable.
'500':
$ref: './common-components.yml#/components/responses/Error'
/consumer-config/{consumerId}:
get:
tags: [PlatformBootstrap]
operationId: getPlatformBootstrapConfig
security:
- bearer: []
summary: Get internal platform bootstrap configuration
description: |
Returns the platform-authoritative bootstrap projection for an internal
consumer such as a satellite, workload service, frontend server, or
operator tool.
The response may include internal Kubernetes or Docker network
addresses. It is not browser-safe and must be protected by service or
operator authentication.
`services.tenantKms` is service discovery for the tenant-KMS API/command
receiver. KMS provider definitions are not returned in this response;
the consumer may receive the `kms.providers` config-domain name only so
it can request the authorized settings slice through platform-config.
parameters:
- name: consumerId
in: path
required: true
description: Internal consumer id, service id, or client id requesting bootstrap wiring.
schema:
type: string
examples:
tenantKms:
value: tenant-kms
issuer:
value: issuer
- name: consumerType
in: query
required: false
description: Consumer category used for policy and diagnostics.
schema:
$ref: './platform-bootstrap-components.yml#/components/schemas/PlatformBootstrapConsumerType'
default: SATELLITE
- name: tenantId
in: query
required: false
description: Optional tenant selector for tenant-specific workload cluster routing.
schema:
type: string
- name: workloadInstanceId
in: query
required: false
description: Optional workload instance selector for workload-cluster-specific routing.
schema:
type: string
- name: deploymentSiteId
in: query
required: false
description: Optional deployment site selector for site-specific routing.
schema:
type: string
- name: requestedDomains
in: query
required: false
description: Optional comma-separated config domains requested by the consumer.
style: form
explode: false
schema:
type: array
items:
type: string
example: [kms.providers, oauth2.servers]
- name: knownRevision
in: query
required: false
description: Last bootstrap revision known by the caller.
schema:
type: string
responses:
'200':
description: Internal bootstrap configuration response.
headers:
ETag:
description: Bootstrap configuration revision.
schema:
type: string
Cache-Control:
description: Private cache policy using the returned metadata TTL.
schema:
type: string
example: private, max-age=300
content:
application/json:
schema:
$ref: './platform-bootstrap-components.yml#/components/schemas/PlatformBootstrapConfigResponse'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'403':
$ref: './common-components.yml#/components/responses/Forbidden'
'404':
description: Unknown consumer id or bootstrap surface unavailable.
'500':
$ref: './common-components.yml#/components/responses/Error'
components:
securitySchemes:
bearer:
$ref: './common-components.yml#/components/securitySchemes/bearer'