feat(target): ValidateOnly dry-run method on Connector interface (default returns ErrValidateOnlyNotSupported)

Phase 3 of the deploy-hardening I master bundle. Extends the target.Connector interface with the dry-run method that operators will use to preview a deploy before committing — but ships only the default-stub for all 13 connectors. Phases 4-9 replace each stub with the real validate-with-the-target implementation. interface.go: - Add ErrValidateOnlyNotSupported sentinel (frozen decision 0.6 — connectors that cannot dry-run, like K8s, return this rather than nil so operator triage can errors.Is for "not supported" vs "validated successfully"). - Add ValidateOnly(ctx, request DeploymentRequest) error to Connector interface. 13 new validate_only.go files (one per connector at internal/connector/target/<name>/validate_only.go): - apache, caddy, envoy, f5, haproxy, iis, javakeystore, k8ssecret, nginx, postfix, ssh, traefik, wincertstore. - Each file is identical except for the package declaration: a one-method default stub returning target.ErrValidateOnlyNotSupported. - Per-connector files (rather than a single embed-method approach) let Phases 4-9 replace each connector's stub independently without churning a shared base. Tests: - internal/connector/target/validate_only_test.go pins the sentinel contract (errors.Is identity, Error() string, %w wrap propagation). - internal/connector/target/validate_only_smoke_test.go (external test package) constructs a zero-value &<pkg>.Connector{} for each of the 13 connectors and asserts ValidateOnly returns ErrValidateOnlyNotSupported. The test's connectorsAtPhase3 list is the load-bearing CI guard: - A 14th connector added without wiring ValidateOnly fails the `len(connectorsAtPhase3) != 13` invariant. - A connector whose real ValidateOnly lands (Phase 4 NGINX, Phase 5 Apache, etc.) MUST be removed from this list or the smoke test fails (real impl no longer returns the sentinel). That removal IS the bookkeeping that the operator-visible bit + behavior change are wired together end-to-end. Compile + go vet + golangci-lint v2.11.4 + go test all 0 issues. Phase 4 next: NGINX canonical real-impl — replace the stub with nginx -t -c <temp>; same time replace the existing os.WriteFile flow in DeployCertificate with deploy.Apply(...).
2026-06-13 14:28:53 +00:00 · 2026-04-30 14:40:51 +00:00
parent 30b251ea13
commit 49f1a60762
16 changed files with 421 additions and 0 deletions
@@ -0,0 +1,63 @@
+package target
+
+import (
+	"errors"
+	"testing"
+)
+
+// Phase 3 of the deploy-hardening I master bundle: pin the
+// ErrValidateOnlyNotSupported sentinel contract. Connectors
+// returning this from ValidateOnly indicate they cannot dry-run
+// (e.g. K8s — no API for "would this Secret update succeed?").
+//
+// Every connector compile-time-implements ValidateOnly via the
+// per-package validate_only.go stub; Phases 4-9 replace the stub
+// with a real validate-with-the-target implementation per
+// connector. Until then the sentinel is the contract.
+
+// TestErrValidateOnlyNotSupported_Sentinel pins the sentinel's
+// identity and message so downstream connectors can rely on
+// errors.Is checks.
+func TestErrValidateOnlyNotSupported_Sentinel(t *testing.T) {
+	if ErrValidateOnlyNotSupported == nil {
+		t.Fatal("sentinel is nil")
+	}
+	if !errors.Is(ErrValidateOnlyNotSupported, ErrValidateOnlyNotSupported) {
+		t.Fatal("errors.Is fails on the sentinel against itself")
+	}
+	want := "target connector does not support ValidateOnly dry-run"
+	if got := ErrValidateOnlyNotSupported.Error(); got != want {
+		t.Errorf("Error() = %q, want %q", got, want)
+	}
+}
+
+// TestErrValidateOnlyNotSupported_WrappableForCallerContext
+// confirms callers can wrap the sentinel with extra context (e.g.
+// "k8s: ValidateOnly: ErrValidateOnlyNotSupported") and the
+// wrapped error still satisfies errors.Is for the operator's
+// triage logic.
+func TestErrValidateOnlyNotSupported_WrappableForCallerContext(t *testing.T) {
+	wrapped := errors.New("connector wraps with extra info: " + ErrValidateOnlyNotSupported.Error())
+	// errors.Is should NOT match a wrapped-by-string copy (no %w).
+	if errors.Is(wrapped, ErrValidateOnlyNotSupported) {
+		t.Error("errors.Is matched a string-wrapped copy; should require %w wrap")
+	}
+	// %w wrap MUST match.
+	properly := wrapErr(ErrValidateOnlyNotSupported, "k8s")
+	if !errors.Is(properly, ErrValidateOnlyNotSupported) {
+		t.Error("errors.Is failed to match %w-wrapped sentinel")
+	}
+}
+
+// wrapErr is a small test-only helper proving the %w pattern.
+func wrapErr(err error, ctx string) error {
+	return &wrappedErr{ctx: ctx, err: err}
+}
+
+type wrappedErr struct {
+	ctx string
+	err error
+}
+
+func (w *wrappedErr) Error() string { return w.ctx + ": " + w.err.Error() }
+func (w *wrappedErr) Unwrap() error { return w.err }