gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(target): ValidateOnly dry-run method on Connector interface (default returns ErrValidateOnlyNotSupported)

Browse Source 
Phase 3 of the deploy-hardening I master bundle. Extends the
target.Connector interface with the dry-run method that operators
will use to preview a deploy before committing — but ships only the
default-stub for all 13 connectors. Phases 4-9 replace each stub
with the real validate-with-the-target implementation.

interface.go:
- Add ErrValidateOnlyNotSupported sentinel (frozen decision 0.6 —
  connectors that cannot dry-run, like K8s, return this rather than
  nil so operator triage can errors.Is for "not supported" vs
  "validated successfully").
- Add ValidateOnly(ctx, request DeploymentRequest) error to
  Connector interface.

13 new validate_only.go files (one per connector at
internal/connector/target/<name>/validate_only.go):
- apache, caddy, envoy, f5, haproxy, iis, javakeystore, k8ssecret,
  nginx, postfix, ssh, traefik, wincertstore.
- Each file is identical except for the package declaration: a
  one-method default stub returning target.ErrValidateOnlyNotSupported.
- Per-connector files (rather than a single embed-method approach)
  let Phases 4-9 replace each connector's stub independently
  without churning a shared base.

Tests:
- internal/connector/target/validate_only_test.go pins the sentinel
  contract (errors.Is identity, Error() string, %w wrap propagation).
- internal/connector/target/validate_only_smoke_test.go (external
  test package) constructs a zero-value &<pkg>.Connector{} for each
  of the 13 connectors and asserts ValidateOnly returns
  ErrValidateOnlyNotSupported. The test's
  connectorsAtPhase3 list is the load-bearing CI guard:
  - A 14th connector added without wiring ValidateOnly fails the
    `len(connectorsAtPhase3) != 13` invariant.
  - A connector whose real ValidateOnly lands (Phase 4 NGINX, Phase
    5 Apache, etc.) MUST be removed from this list or the smoke test
    fails (real impl no longer returns the sentinel). That removal
    IS the bookkeeping that the operator-visible bit + behavior
    change are wired together end-to-end.

Compile + go vet + golangci-lint v2.11.4 + go test all 0 issues.

Phase 4 next: NGINX canonical real-impl — replace the stub with
nginx -t -c <temp>; same time replace the existing os.WriteFile
flow in DeployCertificate with deploy.Apply(...).
This commit is contained in:
shankar0123
2026-04-30 14:40:51 +00:00
parent 30b251ea13
commit 49f1a60762
16 changed files with 421 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/target/interface.go
+25
View File
@@ -3,9 +3,20 @@ package target
import (
"context"
"encoding/json"
"errors"
"time"
)
// ErrValidateOnlyNotSupported is returned by ValidateOnly when the
// connector cannot dry-run a deploy (e.g., K8s — there is no API
// for "would this Secret update succeed without modifying state?").
//
// Frozen decision 0.6 of the deploy-hardening I master bundle:
// ValidateOnly returns this sentinel rather than nil so operators
// can errors.Is to distinguish "validated successfully" from
// "validation not supported on this connector type."
var ErrValidateOnlyNotSupported = errors.New("target connector does not support ValidateOnly dry-run")
// Connector defines the interface for certificate deployment operations.
type Connector interface {
// ValidateConfig validates the deployment target configuration.
@@ -15,6 +26,20 @@ type Connector interface {
// The request contains the certificate and chain in PEM format, but never a private key.
DeployCertificate(ctx context.Context, request DeploymentRequest) (*DeploymentResult, error)
// ValidateOnly runs the validate step (PreCommit) of a deploy
// WITHOUT touching the live cert. Returns nil when the deploy
// would succeed at the validate stage; returns
// ErrValidateOnlyNotSupported when the connector cannot dry-run
// (e.g., K8s — there's no API for "would this Secret update
// succeed without modifying state?"); returns any other error
// from the connector's validate step.
//
// Operators preview a deploy via this method before committing.
// Phase 3 of the deploy-hardening I master bundle adds the
// interface method; Phases 4-9 implement the meaningful path
// per connector.
ValidateOnly(ctx context.Context, request DeploymentRequest) error
// ValidateDeployment verifies that a deployed certificate is valid and accessible.
ValidateDeployment(ctx context.Context, request ValidationRequest) (*ValidationResult, error)
}