mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-11 13:18:51 +00:00
v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP
Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
This commit is contained in:
shankar0123
+40
-2
@@ -75,6 +75,14 @@ EXAMPLES:
|
||||
--server-url https://certctl.example.com \\
|
||||
--api-key YOUR_API_KEY
|
||||
|
||||
CONTROL-PLANE TLS TRUST:
|
||||
The certctl server is HTTPS-only as of v2.2. This installer does NOT copy a CA
|
||||
bundle — the generated agent.env leaves TLS trust to the system root store by
|
||||
default. If the server uses a private/enterprise or self-signed CA, set
|
||||
CERTCTL_SERVER_CA_BUNDLE_PATH in the generated agent.env to point at the CA
|
||||
bundle, or (dev only) CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY=true. See the
|
||||
commented block in the generated agent.env for the full menu.
|
||||
|
||||
EOF
|
||||
}
|
||||
|
||||
@@ -322,7 +330,7 @@ setup_linux_config() {
|
||||
# Agent ID (unique identifier in the fleet)
|
||||
CERTCTL_AGENT_ID=$AGENT_ID
|
||||
|
||||
# Control plane server URL
|
||||
# Control plane server URL (HTTPS-only as of v2.2)
|
||||
CERTCTL_SERVER_URL=$SERVER_URL
|
||||
|
||||
# API authentication key
|
||||
@@ -334,6 +342,21 @@ CERTCTL_KEYGEN_MODE=agent
|
||||
# Key storage directory (agent-side keygen)
|
||||
CERTCTL_KEY_DIR=$key_dir
|
||||
|
||||
# ---- Control-plane TLS trust ----
|
||||
# The certctl server is HTTPS-only (v2.2+). The agent's HTTP client MUST trust the
|
||||
# server's certificate chain. Pick ONE of the approaches below:
|
||||
#
|
||||
# 1) Public CA (Let's Encrypt, DigiCert, etc.) — no config needed; system trust store works.
|
||||
# 2) Private / enterprise CA — point the agent at the CA bundle that signed the server cert:
|
||||
# CERTCTL_SERVER_CA_BUNDLE_PATH=/etc/certctl/server-ca.crt
|
||||
#
|
||||
# 3) Self-signed server cert (Helm/compose bootstrap) — same env var, just point at the
|
||||
# extracted self-signed CA bundle (e.g. from the certctl-server-tls Kubernetes secret
|
||||
# via: kubectl get secret certctl-server-tls -o jsonpath='{.data.ca\.crt}' | base64 -d).
|
||||
#
|
||||
# 4) Dev/eval only — disable verification entirely (NEVER do this in production):
|
||||
# CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY=true
|
||||
|
||||
# Logging level (debug, info, warn, error)
|
||||
# CERTCTL_LOG_LEVEL=info
|
||||
|
||||
@@ -373,7 +396,7 @@ setup_macos_config() {
|
||||
# Agent ID (unique identifier in the fleet)
|
||||
CERTCTL_AGENT_ID=$AGENT_ID
|
||||
|
||||
# Control plane server URL
|
||||
# Control plane server URL (HTTPS-only as of v2.2)
|
||||
CERTCTL_SERVER_URL=$SERVER_URL
|
||||
|
||||
# API authentication key
|
||||
@@ -385,6 +408,21 @@ CERTCTL_KEYGEN_MODE=agent
|
||||
# Key storage directory (agent-side keygen)
|
||||
CERTCTL_KEY_DIR=$key_dir
|
||||
|
||||
# ---- Control-plane TLS trust ----
|
||||
# The certctl server is HTTPS-only (v2.2+). The agent's HTTP client MUST trust the
|
||||
# server's certificate chain. Pick ONE of the approaches below:
|
||||
#
|
||||
# 1) Public CA (Let's Encrypt, DigiCert, etc.) — no config needed; system trust store works.
|
||||
# 2) Private / enterprise CA — point the agent at the CA bundle that signed the server cert:
|
||||
# CERTCTL_SERVER_CA_BUNDLE_PATH=$HOME/.certctl/server-ca.crt
|
||||
#
|
||||
# 3) Self-signed server cert (Helm/compose bootstrap) — same env var, just point at the
|
||||
# extracted self-signed CA bundle (e.g. from the certctl-server-tls Kubernetes secret
|
||||
# via: kubectl get secret certctl-server-tls -o jsonpath='{.data.ca\.crt}' | base64 -d).
|
||||
#
|
||||
# 4) Dev/eval only — disable verification entirely (NEVER do this in production):
|
||||
# CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY=true
|
||||
|
||||
# Logging level (debug, info, warn, error)
|
||||
# CERTCTL_LOG_LEVEL=info
|
||||
|
||||
|
||||
Reference in New Issue
Block a user