Bootroot Roadmap: Towards Production Readiness #12

@sehkone

This tracking issue outlines the roadmap for evolving bootroot from a prototype into a robust, production-ready PKI bootstrapping solution.

Quality Standards (Definition of Done)

Needs to be updated


Phase 1: Migration & Foundation (Rust Rewrite)

Focus: Transition to Rust architecture for long-term stability and team alignment.

  • Rewrite Agent in Rust
    • Port existing Go logic to Rust (Feature Parity).
    • Implement strict Quality Gates (Clippy, Audit).
  • Configuration File Support
    • Implement agent.toml support in the new Rust agent.
  • Agent Daemon Mode & Auto-Renewal
    • Implement long-running daemon logic in Rust.

Phase 2: Foundation & Service Continuity

Focus: Build a maintainable configuration structure and ensure continuous operation.

  • Configuration File Support
    • Implement agent.toml support to replace complex CLI flags.
    • Design configuration schema (server URL, domains, keys, hooks, logging).
    • Support environment variable overrides for container compliance.
  • Agent Daemon Mode & Auto-Renewal
    • Transform the agent from a one-shot CLI tool into a long-running daemon.
    • Implement a time.Ticker based renewal loop (e.g., renew when validity < 30 days).
    • Add robust error handling for network resilience.
  • Post-Renewal Hooks
    • Implement a hook system to execute commands after renewal (e.g., nginx -s reload).

Phase 3: Security, Auditing & Compliance (ISMS-P)

Focus: Establish infrastructure for data integrity, audit trails, and access control.

  • Database Migration (BadgerDB -> RDBMS)
    • Migrate CA storage to PostgreSQL/MySQL for reliable data retention, backup/recovery, and audit trail support.
  • Observability & Monitoring (Issue #10: Integrate Prometheus and Grafana for Monitoring)
    • Integrate Prometheus/Grafana to monitor issuance activities and CA health.
    • Ensure comprehensive logging of all security events.
  • Strict Access Control & Hardening
    • Remove development workarounds (e.g., chmod 777).
    • Implement strict UID/GID mapping and 0700 permissions for sensitive keys.
  • Secure Secret Management
    • Support external secret injection (Env/Secrets Manager) instead of plain-text files.

Phase 4: Scalability & High Availability

Focus: Support large-scale deployments.

  • High Availability (HA) Setup
    • Architect Active-Active CA instances behind a Load Balancer with shared RDBMS.
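
The Phase 3 hardening item (no `chmod 777`, strict ownership, 0700 for sensitive keys) can be enforced with a startup or CI check. The following is an added example, not code from the bootroot repository; the `Finding` type, the `audit_key_dir` function and the command-line usage are hypothetical names, and the policy assumed is "owned by one expected UID, no group or other permission bits".

```rust
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::{env, fs, io, path::Path};

/// A path whose ownership or mode is looser than the policy allows.
#[derive(Debug, PartialEq)]
pub enum Finding {
    WrongOwner { path: String, uid: u32 },
    LooseMode { path: String, mode: u32 },
    Symlink { path: String },
}

/// Hypothetical policy check (added example, not bootroot code). Audits a key
/// directory one level deep: the directory and each entry must be owned by
/// `expected_uid` and grant nothing to group or other (mode 0700 at most).
pub fn audit_key_dir(dir: &Path, expected_uid: u32) -> io::Result<Vec<Finding>> {
    let mut paths = vec![dir.to_path_buf()];
    for entry in fs::read_dir(dir)? {
        paths.push(entry?.path());
    }
    let mut findings = Vec::new();
    for p in paths {
        let path = p.display().to_string();
        let md = fs::symlink_metadata(&p)?; // stat the entry itself, never its target
        if md.file_type().is_symlink() {
            findings.push(Finding::Symlink { path }); // reported, not followed
            continue;
        }
        if md.uid() != expected_uid {
            findings.push(Finding::WrongOwner { path: path.clone(), uid: md.uid() });
        }
        let mode = md.permissions().mode() & 0o7777; // drop the file-type bits
        if mode & 0o077 != 0 {
            findings.push(Finding::LooseMode { path, mode });
        }
    }
    Ok(findings)
}

fn main() -> io::Result<()> {
    let args: Vec<String> = env::args().collect();
    if args.len() != 3 {
        eprintln!("usage: audit <key-dir> <expected-uid>");
        std::process::exit(2);
    }
    let uid: u32 = args[2].parse().map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    let findings = audit_key_dir(Path::new(&args[1]), uid)?;
    findings.iter().for_each(|f| println!("{:?}", f));
    std::process::exit(if findings.is_empty() { 0 } else { 1 });
}
```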
