refactor: krane, a lightweight k8s service and metald successor

apps/engineering/content/docs/cli/run/ctrl/index.mdx

@@ -10,7 +10,7 @@ unkey run ctrl [flags]
 ```
 
 <Banner type="warn">
-Some flags are required for this command to work properly.
+  Some flags are required for this command to work properly.
 </Banner>
 
 ## Flags
@@ -21,108 +21,108 @@ HTTP port for the control plane server to listen on. Default: 8080
 - **Type:** integer
 - **Default:** `8080`
 - **Environment:** `UNKEY_HTTP_PORT`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--color">
 Enable colored log output. Default: true
 
 - **Type:** boolean
 - **Default:** `true`
 - **Environment:** `UNKEY_LOGS_COLOR`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--platform">
 Cloud platform identifier for this node. Used for logging and metrics.
 
 - **Type:** string
 - **Environment:** `UNKEY_PLATFORM`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--image">
 Container image identifier. Used for logging and metrics.
 
 - **Type:** string
 - **Environment:** `UNKEY_IMAGE`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--region">
 Geographic region identifier. Used for logging and routing. Default: unknown
 
 - **Type:** string
 - **Default:** `"unknown"`
 - **Environment:** `AWS_REGION`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--instance-id">
 Unique identifier for this instance. Auto-generated if not provided.
 
 - **Type:** string
 - **Default:** `"ins_26qK8q"`
 - **Environment:** `UNKEY_INSTANCE_ID`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--database-primary (required)">
 MySQL connection string for primary database. Required for all deployments. Example: user:pass@host:3306/unkey?parseTime=true
 
 - **Type:** string
 - **Environment:** `UNKEY_DATABASE_PRIMARY`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--database-hydra (required)">
 MySQL connection string for hydra database. Required for all deployments. Example: user:pass@host:3306/hydra?parseTime=true
 
 - **Type:** string
 - **Environment:** `UNKEY_DATABASE_HYDRA`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--otel">
 Enable OpenTelemetry tracing and metrics
 
 - **Type:** boolean
 - **Default:** `false`
 - **Environment:** `UNKEY_OTEL`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--otel-trace-sampling-rate">
 Sampling rate for OpenTelemetry traces (0.0-1.0). Only used when --otel is provided. Default: 0.25
 
 - **Type:** float
 - **Default:** `0.25`
 - **Environment:** `UNKEY_OTEL_TRACE_SAMPLING_RATE`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--tls-cert-file">
 Path to TLS certificate file for HTTPS. Both cert and key must be provided to enable HTTPS.
 
 - **Type:** string
 - **Environment:** `UNKEY_TLS_CERT_FILE`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--tls-key-file">
 Path to TLS key file for HTTPS. Both cert and key must be provided to enable HTTPS.
 
 - **Type:** string
 - **Environment:** `UNKEY_TLS_KEY_FILE`
-</Callout>
+  </Callout>
 
 <Callout type="info" title="--auth-token">
 Authentication token for control plane API access. Required for secure deployments.
 
 - **Type:** string
 - **Environment:** `UNKEY_AUTH_TOKEN`
-</Callout>
+  </Callout>
 
-<Callout type="info" title="--metald-address (required)">
-Full URL of the metald service for VM operations. Required for deployments. Example: https://metald.example.com:8080
+<Callout type="info" title="--krane-address (required)">
+Full URL of the krane service for VM operations. Required for deployments. Example: https://krane.example.com:8080
 
 - **Type:** string
-- **Environment:** `UNKEY_METALD_ADDRESS`
-</Callout>
+- **Environment:** `UNKEY_KRANE_ADDRESS`
+  </Callout>
 
 <Callout type="info" title="--spiffe-socket-path">
 Path to SPIFFE agent socket for mTLS authentication. Default: /var/lib/spire/agent/agent.sock
 
 - **Type:** string
 - **Default:** `"/var/lib/spire/agent/agent.sock"`
 - **Environment:** `UNKEY_SPIFFE_SOCKET_PATH`
-</Callout>
+  </Callout>

deployment/04-seed-workspace.sql

@@ -63,3 +63,55 @@ INSERT INTO apis (
   'ks_local_root_keys',
   UNIX_TIMESTAMP() * 1000
 ) ON DUPLICATE KEY UPDATE created_at_m = UNIX_TIMESTAMP() * 1000;
+
+
+
+
+
+-- Insert test workspace
+INSERT INTO workspaces (
+  id,
+  org_id,
+  name,
+  slug,
+  created_at_m,
+  beta_features,
+  features
+) VALUES (
+  'ws_chronark',
+  'org_chronark',
+  'Chronark',
+  'chronark',
+  UNIX_TIMESTAMP() * 1000,
+  '{"deployments":true}',
+  '{}'
+) ON DUPLICATE KEY UPDATE created_at_m = UNIX_TIMESTAMP() * 1000;
+
+-- Insert project
+INSERT INTO projects (
+  id,
+  workspace_id,
+  name,
+  slug,
+  created_at
+) VALUES (
+  'proj_chronark',
+  'ws_chronark',
+  'API',
+  'api',
+  UNIX_TIMESTAMP() * 1000
+) ON DUPLICATE KEY UPDATE created_at = UNIX_TIMESTAMP() * 1000;
+
+INSERT INTO environments (
+  id,
+  workspace_id,
+  project_id,
+  slug,
+  created_at
+) VALUES (
+  'env_chronark',
+  'ws_chronark',
+  'proj_chronark',
+  'production',
+  UNIX_TIMESTAMP() * 1000
+) ON DUPLICATE KEY UPDATE created_at = UNIX_TIMESTAMP() * 1000;

deployment/docker-compose.yaml

@@ -264,45 +264,27 @@ services:
       UNKEY_VAULT_S3_ACCESS_KEY_SECRET: "minio_root_password"
       UNKEY_VAULT_MASTER_KEYS: "Ch9rZWtfMmdqMFBJdVhac1NSa0ZhNE5mOWlLSnBHenFPENTt7an5MRogENt9Si6wms4pQ2XIvqNSIgNpaBenJmXgcInhu6Nfv2U="
 
-  metald:
+  krane:
     build:
       context: ../go
       dockerfile: Dockerfile
       args:
         VERSION: "latest"
-    container_name: metald
-    command: ["run", "metald"]
+    container_name: krane
+    command: ["run", "krane"]
     ports:
       - "8090:8080"
-    depends_on:
-      - mysql
     volumes:
       # Mount Docker socket for Docker backend support
       - /var/run/docker.sock:/var/run/docker.sock
-      # Mount SQLite database locally for direct access
-      - ./data/metald:/var/lib/metald
     environment:
       # Server configuration
-      UNKEY_METALD_ADDRESS: "0.0.0.0"
-      UNKEY_METALD_PORT: "8080"
+      UNKEY_HTTP_PORT: "8080"
 
       # Backend configuration - use Docker backend for development
-      UNKEY_METALD_BACKEND: "docker"
-
-      # Database configuration
-      UNKEY_METALD_DATABASE_DIR: "/var/lib/metald"
-
-      # Asset manager configuration (disabled for local development)
-      UNKEY_METALD_ASSETMANAGER_ENABLED: "false"
-
-      # Billing configuration (disabled for local development)
-      UNKEY_METALD_BILLING_ENABLED: "false"
-
-      # TLS configuration (disabled for local development)
-      UNKEY_METALD_TLS_MODE: "disabled"
-
-      # OpenTelemetry configuration
-      UNKEY_METALD_OTEL_ENABLED: "false"
+      UNKEY_KRANE_BACKEND: "docker"
+      UNKEY_DOCKER_SOCKET: "/var/run/docker.sock"
+      UNKEY_DEPLOYMENT_EVICTION_TTL: "10m"
 
   ctrl:
     networks:
@@ -323,7 +305,7 @@ services:
       s3:
         condition: service_healthy
         required: true
-      metald:
+      krane:
         condition: service_started
         required: true
     volumes:
@@ -335,7 +317,7 @@ services:
 
       # Control plane configuration
       UNKEY_HTTP_PORT: "7091"
-      UNKEY_METALD_ADDRESS: "http://metald:8080"
+      UNKEY_KRANE_ADDRESS: "http://krane:8080"
       UNKEY_DEFAULT_DOMAIN: "unkey.local"
 
       UNKEY_VAULT_S3_URL: "http://s3:3902"

go/Dockerfile

@@ -1,10 +1,10 @@
 FROM golang:1.25 AS builder
 
 WORKDIR /go/src/github.com/unkeyed/unkey/go
-# Copy everything first because go.mod has replace directives pointing to ./deploy/pkg/ modules
-# This ensures all local dependencies are available before go mod download
-COPY . .
+
+COPY go.mod go.sum ./
 RUN go mod download
+COPY . .
 ARG VERSION
 ENV CGO_ENABLED=0
 RUN go build -o bin/unkey -ldflags="-X 'github.com/unkeyed/unkey/go/pkg/version.Version=${VERSION}'" ./main.go

go/Makefile

@@ -37,8 +37,6 @@ generate:
 	buf generate
 	go generate ./...
 
-generate-builder:
-	buf generate --path proto/deploy/builderd
 
 test: test-unit
 
@@ -89,6 +87,7 @@ k8s-up: k8s-check ## Deploy all services to current Kubernetes cluster
 	@kubectl wait --for=condition=ready pod -l app=api -n unkey --timeout=180s
 	@kubectl wait --for=condition=ready pod -l app=gw -n unkey --timeout=180s
 	@kubectl wait --for=condition=ready pod -l app=ctrl -n unkey --timeout=180s
+	@kubectl wait --for=condition=ready pod -l app=krane -n unkey --timeout=180s
 	@kubectl wait --for=condition=ready pod -l app=dashboard -n unkey --timeout=180s
 	@echo "Kubernetes environment is ready!"
 	@echo ""