feat: add production hardening — Ed25519 signing, Portainer Edge, SSH extension (Phase 4)

Image signing: - Ed25519 sign/verify package (pure Go stdlib, zero deps) - genkey and sign CLI subcommands for build system - Optional --pubkey flag for verifying updates on apply - Signature URLs in update metadata (latest.json) Portainer Edge Agent: - cloud-init portainer.go module writes K8s manifest - Auto-deploys Edge Agent when portainer.edge-agent.enabled - Full RBAC (ServiceAccount, ClusterRoleBinding, Deployment) - 5 Portainer tests in portainer_test.go Production tooling: - SSH debug extension builder (hack/build-ssh-extension.sh) - Boot performance benchmark (test/benchmark/bench-boot.sh) - Resource usage benchmark (test/benchmark/bench-resources.sh) - Deployment guide (docs/deployment-guide.md) Test results: 50 update agent tests + 22 cloud-init tests passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 11:26:23 -06:00
parent 8d25e1890e
commit 49a37e30e8
15 changed files with 1965 additions and 11 deletions
--- a/update/cmd/opts.go
+++ b/update/cmd/opts.go
@@ -5,6 +5,7 @@ type opts struct {
 	ServerURL   string
 	GrubenvPath string
 	TimeoutSecs int
+	PubKeyPath  string
 }

 // parseOpts extracts command-line flags from args.
@@ -40,6 +41,11 @@ func parseOpts(args []string) opts {
 				}
 				i++
 			}
+		case "--pubkey":
+			if i+1 < len(args) {
+				o.PubKeyPath = args[i+1]
+				i++
+			}
 		}
 	}