From 3c936db55b49328a7cf343e16fda966f55292006 Mon Sep 17 00:00:00 2001
From: Mary Dickson
Date: Fri, 5 Jun 2026 12:46:32 -0700
Subject: [PATCH 1/5] fix(docs): use opentdf-dev.yaml for quickstart config

The quickstart docker-compose downloads opentdf-example.yaml from platform/main, which now includes hybrid PQC keyring entries (xwing, ML-KEM) that require key files the quickstart doesn't generate. Switch to opentdf-dev.yaml which only requires RSA and EC keys that the existing generate-keys service creates.

Fixes #336

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docs/getting-started/docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/getting-started/docker-compose.yaml b/docs/getting-started/docker-compose.yaml
index 39f505dc..c835eaa6 100644
--- a/docs/getting-started/docker-compose.yaml
+++ b/docs/getting-started/docker-compose.yaml
@@ -336,7 +336,7 @@ services:
     depends_on:
       init-volumes:
         condition: service_completed_successfully
-    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/main/opentdf-example.yaml']
+    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/main/opentdf-dev.yaml']
     restart: "no"
 
   # Patch platform configuration to use keycloak.opentdf.local:9443

From 665f32bef540bcf468b99c65fa2673c7cb57c7fc Mon Sep 17 00:00:00 2001
From: Mary Dickson
Date: Fri, 5 Jun 2026 12:49:00 -0700
Subject: [PATCH 2/5] fix(docs): pin quickstart config to service/v0.15.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous commit incorrectly switched to opentdf-dev.yaml, which uses localhost hostnames instead of Docker service names and would break the containerized quickstart. Pin to opentdf-example.yaml at the service/v0.15.0 tag instead — this has the correct Docker hostnames and no PQC keyring entries that the quickstart's key generation can't satisfy.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docs/getting-started/docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/getting-started/docker-compose.yaml b/docs/getting-started/docker-compose.yaml
index c835eaa6..099607fe 100644
--- a/docs/getting-started/docker-compose.yaml
+++ b/docs/getting-started/docker-compose.yaml
@@ -336,7 +336,7 @@ services:
     depends_on:
       init-volumes:
         condition: service_completed_successfully
-    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/main/opentdf-dev.yaml']
+    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/service/v0.15.0/opentdf-example.yaml']
     restart: "no"
 
   # Patch platform configuration to use keycloak.opentdf.local:9443

From e3f1ea7dfc35a25b49a0f68479e23f10c6d19c1b Mon Sep 17 00:00:00 2001
From: Mary Dickson
Date: Fri, 5 Jun 2026 12:54:52 -0700
Subject: [PATCH 3/5] fix(docs): pin platform image and config to pre-PQC commit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pin both the platform container image (nightly-a29f108) and the config download (opentdf-example.yaml at the same commit) to the last main commit before hybrid PQC key support was added. The previous attempt to use opentdf-dev.yaml would have broken because it uses localhost hostnames instead of Docker service names. The image and config must stay in sync — a nightly image built from main expects the config shape from the same commit.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docs/getting-started/docker-compose.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/getting-started/docker-compose.yaml b/docs/getting-started/docker-compose.yaml
index 099607fe..2a927f8c 100644
--- a/docs/getting-started/docker-compose.yaml
+++ b/docs/getting-started/docker-compose.yaml
@@ -187,7 +187,7 @@ services:
 
   # Provision Keycloak with initial configuration
   platform-provision-keycloak:
-    image: registry.opentdf.io/platform:nightly
+    image: registry.opentdf.io/platform:nightly-a29f108
     command: ["provision", "keycloak", "-e", "https://keycloak.opentdf.local:9443/auth", "-f", "/configs/keycloak_data.yaml"]
     depends_on:
       keycloak:
@@ -227,7 +227,7 @@ services:
 
   # Add sample attributes and metadata
   platform-provision-fixtures:
-    image: registry.opentdf.io/platform:nightly
+    image: registry.opentdf.io/platform:nightly-a29f108
     command: ["provision", "fixtures", "--config-file", "/configs/opentdf.yaml"]
     working_dir: /configs
     depends_on:
@@ -274,7 +274,7 @@ services:
 
   # Main OpenTDF Platform server
   platform:
-    image: registry.opentdf.io/platform:nightly
+    image: registry.opentdf.io/platform:nightly-a29f108
     command: ["start", "--config-file", "/configs/opentdf.yaml"]
     depends_on:
       platform-provision-fixtures:
@@ -336,7 +336,7 @@ services:
     depends_on:
       init-volumes:
         condition: service_completed_successfully
-    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/service/v0.15.0/opentdf-example.yaml']
+    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/a29f1087/opentdf-example.yaml']
     restart: "no"
 
   # Patch platform configuration to use keycloak.opentdf.local:9443

From 39569c385f7ce8602004f2698245982336d92ac7 Mon Sep 17 00:00:00 2001
From: Mary Dickson
Date: Fri, 5 Jun 2026 13:23:47 -0700
Subject: [PATCH 4/5] fix(docs): add PQC key generation and unpin to nightly/main

Add a generate-pqc-keys service that builds the platform's keygen utility via sparse checkout and generates the hybrid post-quantum key files (X-Wing, P256+ML-KEM-768, P384+ML-KEM-1024) that opentdf-example.yaml now requires. Unpins the platform image and config download back to nightly/main so the quickstart tracks the latest platform automatically.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docs/getting-started/docker-compose.yaml | 49 ++++++++++++++++++++++--
 1 file changed, 45 insertions(+), 4 deletions(-)

diff --git a/docs/getting-started/docker-compose.yaml b/docs/getting-started/docker-compose.yaml
index 2a927f8c..12b42b5b 100644
--- a/docs/getting-started/docker-compose.yaml
+++ b/docs/getting-started/docker-compose.yaml
@@ -187,7 +187,7 @@ services:
 
   # Provision Keycloak with initial configuration
   platform-provision-keycloak:
-    image: registry.opentdf.io/platform:nightly-a29f108
+    image: registry.opentdf.io/platform:nightly
     command: ["provision", "keycloak", "-e", "https://keycloak.opentdf.local:9443/auth", "-f", "/configs/keycloak_data.yaml"]
     depends_on:
       keycloak:
@@ -200,6 +200,8 @@ services:
         condition: service_completed_successfully
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
     volumes:
       - configs:/configs:ro
       - keys:/keys:ro
@@ -227,7 +229,7 @@ services:
 
   # Add sample attributes and metadata
   platform-provision-fixtures:
-    image: registry.opentdf.io/platform:nightly-a29f108
+    image: registry.opentdf.io/platform:nightly
     command: ["provision", "fixtures", "--config-file", "/configs/opentdf.yaml"]
     working_dir: /configs
     depends_on:
@@ -239,6 +241,8 @@ services:
         condition: service_completed_successfully
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
     volumes:
       - configs:/configs:ro
       - keys:/keys:ro
@@ -274,7 +278,7 @@ services:
 
   # Main OpenTDF Platform server
   platform:
-    image: registry.opentdf.io/platform:nightly-a29f108
+    image: registry.opentdf.io/platform:nightly
     command: ["start", "--config-file", "/configs/opentdf.yaml"]
     depends_on:
       platform-provision-fixtures:
@@ -285,6 +289,8 @@ services:
         condition: service_healthy
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
       prepare-ca-certs:
         condition: service_completed_successfully
     ports:
@@ -320,6 +326,8 @@ services:
     depends_on:
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
     command:
       - sh
       - -c
@@ -336,7 +344,7 @@ services:
     depends_on:
       init-volumes:
         condition: service_completed_successfully
-    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/a29f1087/opentdf-example.yaml']
+    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/main/opentdf-example.yaml']
     restart: "no"
 
   # Patch platform configuration to use keycloak.opentdf.local:9443
@@ -520,6 +528,39 @@ services:
       JAVA_OPTS_APPEND: "${JAVA_OPTS_APPEND:-}"
     restart: "no"
 
+  # Generate hybrid post-quantum KAS keys (X-Wing, P256+ML-KEM-768, P384+ML-KEM-1024).
+  # Uses a Go image to build and run the keygen from the platform source.
+  generate-pqc-keys:
+    image: golang:1.24-alpine
+    volumes:
+      - keys:/keys
+    depends_on:
+      generate-keys:
+        condition: service_completed_successfully
+    entrypoint: /bin/sh
+    command:
+      - -c
+      - |
+        apk add --no-cache git
+        WORKDIR=$(mktemp -d)
+        cd "$$WORKDIR"
+        git init
+        git remote add origin https://github.com/opentdf/platform.git
+        git config core.sparseCheckout true
+        echo "go.work" >> .git/info/sparse-checkout
+        echo "lib/" >> .git/info/sparse-checkout
+        echo "service/cmd/keygen/" >> .git/info/sparse-checkout
+        echo "service/go.mod" >> .git/info/sparse-checkout
+        echo "service/go.sum" >> .git/info/sparse-checkout
+        echo "protocol/" >> .git/info/sparse-checkout
+        echo "sdk/" >> .git/info/sparse-checkout
+        git pull --depth 1 origin main
+        cd service
+        go run ./cmd/keygen -output /keys
+        echo "PQC keys generated successfully"
+        rm -rf "$$WORKDIR"
+    restart: "no"
+
 volumes:
   keys:
     name: opentdf_keys

From 88a357391505d2e92bb5b687326579e79989e25e Mon Sep 17 00:00:00 2001
From: Mary Dickson
Date: Fri, 5 Jun 2026 13:24:37 -0700
Subject: [PATCH 5/5] Revert "fix(docs): add PQC key generation and unpin to nightly/main"

This reverts commit 39569c385f7ce8602004f2698245982336d92ac7.
---
 docs/getting-started/docker-compose.yaml | 49 ++----------------------
 1 file changed, 4 insertions(+), 45 deletions(-)

diff --git a/docs/getting-started/docker-compose.yaml b/docs/getting-started/docker-compose.yaml
index 12b42b5b..2a927f8c 100644
--- a/docs/getting-started/docker-compose.yaml
+++ b/docs/getting-started/docker-compose.yaml
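Review bot: The block scalar under `command:` in the new generate-pqc-keys service runs without `set -e`, so if `git pull`, `cd service` or `go run ./cmd/keygen` fails, the script still reaches `echo "PQC keys generated successfully"` and `rm -rf "$$WORKDIR"`, the container exits 0, and every dependent service's `condition: service_completed_successfully` is satisfied with no PQC keys in `/keys` — the failure only surfaces later when the platform reads its keyring. Add `set -eu` as the first line of the scalar so the one-shot container reports the real outcome. Separately, `git pull --depth 1 origin main` fetches, compiles and executes whatever is on the platform `main` branch at run time inside a container with write access to the keys volume, which makes the quickstart non-reproducible and ties it to the integrity of an unpinned upstream ref; pin it to a tag or commit (`git pull --depth 1 origin <PINNED_REF>`, placeholder) or document that tracking main is intentional. Because `service/go.sum` is in the sparse checkout, Go module verification presumably still covers the dependencies; the unpinned part is the repository code itself.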
@@ -187,7 +187,7 @@ services:
 
   # Provision Keycloak with initial configuration
   platform-provision-keycloak:
-    image: registry.opentdf.io/platform:nightly
+    image: registry.opentdf.io/platform:nightly-a29f108
     command: ["provision", "keycloak", "-e", "https://keycloak.opentdf.local:9443/auth", "-f", "/configs/keycloak_data.yaml"]
     depends_on:
       keycloak:
@@ -200,8 +200,6 @@ services:
         condition: service_completed_successfully
       generate-keys:
         condition: service_completed_successfully
-      generate-pqc-keys:
-        condition: service_completed_successfully
     volumes:
       - configs:/configs:ro
       - keys:/keys:ro
@@ -229,7 +227,7 @@ services:
 
   # Add sample attributes and metadata
   platform-provision-fixtures:
-    image: registry.opentdf.io/platform:nightly
+    image: registry.opentdf.io/platform:nightly-a29f108
     command: ["provision", "fixtures", "--config-file", "/configs/opentdf.yaml"]
     working_dir: /configs
     depends_on:
@@ -241,8 +239,6 @@ services:
         condition: service_completed_successfully
       generate-keys:
         condition: service_completed_successfully
-      generate-pqc-keys:
-        condition: service_completed_successfully
     volumes:
       - configs:/configs:ro
       - keys:/keys:ro
@@ -278,7 +274,7 @@ services:
 
   # Main OpenTDF Platform server
   platform:
-    image: registry.opentdf.io/platform:nightly
+    image: registry.opentdf.io/platform:nightly-a29f108
     command: ["start", "--config-file", "/configs/opentdf.yaml"]
     depends_on:
       platform-provision-fixtures:
@@ -289,8 +285,6 @@ services:
         condition: service_healthy
       generate-keys:
         condition: service_completed_successfully
-      generate-pqc-keys:
-        condition: service_completed_successfully
       prepare-ca-certs:
         condition: service_completed_successfully
     ports:
@@ -326,8 +320,6 @@ services:
     depends_on:
       generate-keys:
         condition: service_completed_successfully
-      generate-pqc-keys:
-        condition: service_completed_successfully
     command:
       - sh
       - -c
@@ -344,7 +336,7 @@ services:
     depends_on:
       init-volumes:
         condition: service_completed_successfully
-    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/main/opentdf-example.yaml']
+    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/a29f1087/opentdf-example.yaml']
     restart: "no"
 
   # Patch platform configuration to use keycloak.opentdf.local:9443
@@ -528,39 +520,6 @@ services:
       JAVA_OPTS_APPEND: "${JAVA_OPTS_APPEND:-}"
     restart: "no"
 
-  # Generate hybrid post-quantum KAS keys (X-Wing, P256+ML-KEM-768, P384+ML-KEM-1024).
-  # Uses a Go image to build and run the keygen from the platform source.
-  generate-pqc-keys:
-    image: golang:1.24-alpine
-    volumes:
-      - keys:/keys
-    depends_on:
-      generate-keys:
-        condition: service_completed_successfully
-    entrypoint: /bin/sh
-    command:
-      - -c
-      - |
-        apk add --no-cache git
-        WORKDIR=$(mktemp -d)
-        cd "$$WORKDIR"
-        git init
-        git remote add origin https://github.com/opentdf/platform.git
-        git config core.sparseCheckout true
-        echo "go.work" >> .git/info/sparse-checkout
-        echo "lib/" >> .git/info/sparse-checkout
-        echo "service/cmd/keygen/" >> .git/info/sparse-checkout
-        echo "service/go.mod" >> .git/info/sparse-checkout
-        echo "service/go.sum" >> .git/info/sparse-checkout
-        echo "protocol/" >> .git/info/sparse-checkout
-        echo "sdk/" >> .git/info/sparse-checkout
-        git pull --depth 1 origin main
-        cd service
-        go run ./cmd/keygen -output /keys
-        echo "PQC keys generated successfully"
-        rm -rf "$$WORKDIR"
-    restart: "no"
-
 volumes:
   keys:
     name: opentdf_keys