opentdf · marythought · Jun 5, 2026
@@ -187,7 +187,7 @@ services:
 
   # Provision Keycloak with initial configuration
   platform-provision-keycloak:
-    image: registry.opentdf.io/platform:nightly-a29f108
+    image: registry.opentdf.io/platform:nightly
     command: ["provision", "keycloak", "-e", "https://keycloak.opentdf.local:9443/auth", "-f", "/configs/keycloak_data.yaml"]
     depends_on:
       keycloak:
@@ -200,6 +200,8 @@ services:
         condition: service_completed_successfully
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
     volumes:
       - configs:/configs:ro
       - keys:/keys:ro
@@ -227,7 +229,7 @@ services:
 
   # Add sample attributes and metadata  
   platform-provision-fixtures:
-    image: registry.opentdf.io/platform:nightly-a29f108
+    image: registry.opentdf.io/platform:nightly
     command: ["provision", "fixtures", "--config-file", "/configs/opentdf.yaml"]
     working_dir: /configs
     depends_on:
@@ -239,6 +241,8 @@ services:
         condition: service_completed_successfully
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
     volumes:
       - configs:/configs:ro
       - keys:/keys:ro
@@ -274,7 +278,7 @@ services:
 
   # Main OpenTDF Platform server
   platform:
-    image: registry.opentdf.io/platform:nightly-a29f108
+    image: registry.opentdf.io/platform:nightly
     command: ["start", "--config-file", "/configs/opentdf.yaml"]
     depends_on:
       platform-provision-fixtures:
@@ -285,6 +289,8 @@ services:
         condition: service_healthy
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
       prepare-ca-certs:
         condition: service_completed_successfully
     ports:
@@ -320,6 +326,8 @@ services:
     depends_on:
       generate-keys:
         condition: service_completed_successfully
+      generate-pqc-keys:
+        condition: service_completed_successfully
     command:
       - sh
       - -c
@@ -336,7 +344,7 @@ services:
     depends_on:
       init-volumes:
         condition: service_completed_successfully
-    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/a29f1087/opentdf-example.yaml']
+    command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/service/v0.16.0/opentdf-example.yaml']
     restart: "no"
 
   # Patch platform configuration to use keycloak.opentdf.local:9443
@@ -520,6 +528,39 @@ services:
       JAVA_OPTS_APPEND: "${JAVA_OPTS_APPEND:-}"
     restart: "no"
 
+  # Generate hybrid post-quantum KAS keys (X-Wing, P256+ML-KEM-768, P384+ML-KEM-1024).
+  # Uses a Go image to build and run the keygen from the platform source.
+  generate-pqc-keys:
+    image: golang:1.25-alpine
+    volumes:
+      - keys:/keys
+    depends_on:
+      generate-keys:
+        condition: service_completed_successfully
+    entrypoint: /bin/sh
+    command:
+      - -c
+      - |
+        set -e
+        apk add --no-cache git
+        WORKDIR=$$(mktemp -d)
+        cd "$$WORKDIR"
+        git init -q
+        git remote add origin https://github.com/opentdf/platform.git
+        git config core.sparseCheckout true
+        echo "lib/" >> .git/info/sparse-checkout
+        echo "service/cmd/keygen/" >> .git/info/sparse-checkout
+        echo "service/go.mod" >> .git/info/sparse-checkout
+        echo "service/go.sum" >> .git/info/sparse-checkout
+        echo "protocol/" >> .git/info/sparse-checkout
+        echo "sdk/" >> .git/info/sparse-checkout
+        git pull --depth 1 -q origin service/v0.16.0
+        cd service
+        GOWORK=off go run ./cmd/keygen -output /keys
+        echo "PQC keys generated successfully"
+        rm -rf "$$WORKDIR"
+    restart: "no"
+
 volumes:
   keys:
     name: opentdf_keys