docs(infra): document team mkcert CA on vm-gitlab (cross-VM trust) #264
Reference in New Issue
Block a user
Delete Branch "docs/team-mkcert-ca"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Doc-only follow-up to the just-shipped ADR-0030 dockerised dev mode + dev-server TLS (PR #263). Adds a "Team mkcert CA on
vm-gitlab" subsection toinfra/README.mdso a teammate joining the project can browse any dev VM with a green padlock (cross-VM access) without each pair of devs having to swap their private CAs.Hits a real need: a third developer is about to onboard, and the current single-dev mkcert procedure doesn't scale beyond one — each dev's solo CA is only trusted by their own workstation, so colleagues hitting another VM see a
NET::ERR_CERT_AUTHORITY_INVALIDwarning every time.What lands
infra/README.md— one new subsection added immediately after the existing "HTTPS dev-server setup" block, under the same Local-dev-stack section. No other file touched.The subsection documents:
vm-gitlab— install mkcert, create a root-onlyCAROOTat/srv/apf-portal/mkcert-ca/, generate the team CA there. Run once by the R&D Lead.mkcert -key-file … -cert-file … apf-portal.<host>.localinvocation pointed at the sharedCAROOT, plus a sanityopenssl x509 -subject -issuerstep and thescpto the target VM's~/Works/apf_portal/.secrets/dev-tls.{key,pem}.rootCA.pem(public cert, secure channel — 1Password / Bitwarden / direct scp, never plain e-mail) + the per-VM cert pair already on their VM.rootCA.peminto the localmkcert -CAROOT, runmkcert -installto push the team CA into the Windows trust store.hosts/.env/NX_SERVE_CONFIGURATION=https/dev.sh up appsfollow.Why
vm-gitlabas the CA hostThe CA itself is just two files (
rootCA.pem+rootCA-key.pem); it does not need a service running.vm-gitlabis the natural home for a few reasons:rootkeeps the private key out of every developer's blast radius — only the R&D Lead withsudoonvm-gitlabcan mint.The R&D Lead becomes the steward; developers never need SSH access to
vm-gitlab. That trade — slight bottleneck at onboarding for much smaller key-exposure surface — is the right balance at small team scale.Why not just distribute the CA key
Considered the alternative — every dev gets both
rootCA.pemandrootCA-key.pemin their local mkcertCAROOTso they can mint their own certs. Pros: no bottleneck. Cons: the CA private key would live on N workstations, and anyone with it can forge a trusted cert for any hostname on any teammate's machine. Acceptable at 2 devs of complete trust; risky at 3+. The steward pattern scales without that trade.Test plan
infra/README.mdflow (subsection lands between "HTTPS dev-server setup" and "Service endpoints (defaults)").vm-gitlab" steps and confirms the CA files end up at/srv/apf-portal/mkcert-ca/with the documented permissions.https://apf-portal.dev-<their>.local:4200/with a green padlock.https://apf-portal.dev-jg.local:4200/andhttps://apf-portal.dev-vc.local:4200/without a cert warning.Related
vm-gitlabas shared infra; this PR uses it as the natural CA host.feat(spa): opt-in 'https' nx serve config for dev-server TLS) — provides the dev-server TLS plumbing this section instructs how to feed.