gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:51:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(test-compose): set CERTCTL_AGENT_BOOTSTRAP_TOKEN placeholder (deploy-vendor-e2e job)

Browse Source 
deploy-vendor-e2e was hidden behind the go-build-and-test failure; once
that cleared (b1ca046), the vendor-e2e job actually booted certctl-test-
server for the first time in a while and hit the Sprint 5 ACQ RED-003
fallout:

  Failed to load configuration: phase-2 SEC-H1 fail-closed guard:
  CERTCTL_AGENT_BOOTSTRAP_TOKEN is empty and
  CERTCTL_AGENT_BOOTSTRAP_TOKEN_DENY_EMPTY=true — refuse to start.

The Sprint 5 RED-003 closure flipped DENY_EMPTY's default from false→true
in production code, but the test compose stack never set a token. The
fail-closed guard (internal/config/config.go:1054) refuses to start
unless one of:
  - CERTCTL_AGENT_BOOTSTRAP_TOKEN is non-empty, OR
  - CERTCTL_DEMO_MODE_ACK=true (demo-mode override), OR
  - CERTCTL_AGENT_BOOTSTRAP_TOKEN_DENY_EMPTY=false (warn-mode escape
    hatch for v2.1.x→v2.2.x upgrade window)

This is the e2e TEST stack with production-like auth posture
(CERTCTL_AUTH_TYPE=api-key), not a demo stack. The right fix is the
first option — set a deterministic placeholder token. Picking the
warn-mode escape hatch would silently test the wrong posture; picking
DEMO_MODE_ACK would also flip CERTCTL_AUTH_TYPE expectations.

Also fixed deploy/ENVIRONMENTS.md: the entry still said
'default flip to true scheduled for v2.2.0', which became stale on
2026-05-16 when Sprint 5 ACQ RED-003 actually flipped it. Updated the
default column from `false` to `true` and rewrote the description
to reflect the current posture + the v2.1.x→v2.2.x warn-mode escape
hatch.

Verified locally: all 53 locally-runnable ci-guards still green
(4 skipped: H-001-bare-from + H-002-bare-compose-image + digest-validity
+ no-precompiled-binary, all need docker-registry network).

CI re-run on this commit should clear deploy-vendor-e2e's
certctl-test-server dependency-failed-to-start step.
This commit is contained in:
shankar0123
2026-05-16 23:15:22 +00:00
parent b1ca046fdf
commit 151107c969
2 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/docker-compose.test.yml
+12
View File
@@ -264,6 +264,18 @@ services:
CERTCTL_AUTH_TYPE: api-key
CERTCTL_AUTH_SECRET: test-key-2026
# Phase 2 SEC-H1 + Sprint 5 RED-003 closure (2026-05-16): the
# AgentBootstrapTokenDenyEmpty fail-closed guard refuses to start
# the server when CERTCTL_AGENT_BOOTSTRAP_TOKEN is empty (the
# default DENY_EMPTY=true flipped on Sprint 5). Demo stacks
# bypass the guard via CERTCTL_DEMO_MODE_ACK=true, but this is
# the e2e TEST stack (production-like auth posture), not a demo
# stack — set a deterministic placeholder token so the server
# boots and the vendor-edge integration tests can run. Clearly
# test-only; do NOT copy to production. Operators set this from
# `openssl rand -base64 32` per docs/operator/security.md.
CERTCTL_AGENT_BOOTSTRAP_TOKEN: test-agent-bootstrap-token-deterministic-fixture
# Key generation — agent-side (production-like)
CERTCTL_KEYGEN_MODE: agent