feat: M25 post-deployment TLS verification + M26 Traefik/Caddy targets

M25: After deploying a certificate, the agent probes the live TLS endpoint and compares SHA-256 fingerprints to verify the correct cert is being served. Best-effort — failures don't block deployments. New endpoints: POST /jobs/{id}/verify, GET /jobs/{id}/verification. Migration 000008 adds verification columns to jobs table. M26: Traefik target connector (file provider, auto-reload) and Caddy target connector (dual-mode: admin API hot-reload or file-based). Both wired into agent dispatch. Also: restructured README to highlight supported integrations (issuers, targets, notifiers) earlier, moved API/CLI/MCP sections lower. Updated all docs (features, connectors, architecture, testing guide, why-certctl) and fixed integration tests for 18-param RegisterHandlers signature. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-12 14:48:53 +00:00 · 2026-03-27 21:07:16 -04:00
parent 369a674619
commit 492a392e52
28 changed files with 3365 additions and 177 deletions
@@ -28,10 +28,12 @@ import (

 	"github.com/shankar0123/certctl/internal/connector/target"
 	"github.com/shankar0123/certctl/internal/connector/target/apache"
+	"github.com/shankar0123/certctl/internal/connector/target/caddy"
 	"github.com/shankar0123/certctl/internal/connector/target/f5"
 	"github.com/shankar0123/certctl/internal/connector/target/haproxy"
 	"github.com/shankar0123/certctl/internal/connector/target/iis"
 	"github.com/shankar0123/certctl/internal/connector/target/nginx"
+	"github.com/shankar0123/certctl/internal/connector/target/traefik"
 )

 // AgentConfig represents the agent-side configuration.
@@ -508,6 +510,16 @@ func (a *Agent) executeDeploymentJob(ctx context.Context, job JobItem) {
 			"target_type", job.TargetType,
 			"success", result.Success,
 			"message", result.Message)
+
+		// If verification is enabled, verify the deployment by probing the live TLS endpoint
+		targetHost, targetPort, err := extractTargetHostAndPort(job.TargetConfig)
+		if err != nil {
+			a.logger.Warn("could not extract target host/port for verification",
+				"job_id", job.ID,
+				"error", err)
+		} else {
+			a.verifyAndReportDeployment(ctx, job, targetHost, targetPort, certOnly)
+		}
 	} else {
 		a.logger.Info("no target type specified, skipping connector invocation",
 			"job_id", job.ID)
@@ -570,6 +582,24 @@ func (a *Agent) createTargetConnector(targetType string, configJSON json.RawMess
 		}
 		return iis.New(&cfg, a.logger), nil

+	case "Traefik":
+		var cfg traefik.Config
+		if len(configJSON) > 0 {
+			if err := json.Unmarshal(configJSON, &cfg); err != nil {
+				return nil, fmt.Errorf("invalid Traefik config: %w", err)
+			}
+		}
+		return traefik.New(&cfg, a.logger), nil
+
+	case "Caddy":
+		var cfg caddy.Config
+		if len(configJSON) > 0 {
+			if err := json.Unmarshal(configJSON, &cfg); err != nil {
+				return nil, fmt.Errorf("invalid Caddy config: %w", err)
+			}
+		}
+		return caddy.New(&cfg, a.logger), nil
+
 	default:
 		return nil, fmt.Errorf("unsupported target type: %s", targetType)
 	}