v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP

Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
2026-06-07 16:21:30 +00:00 · 2026-04-20 03:31:05 +00:00
parent 04c7eca615
commit 52248be717
66 changed files with 3518 additions and 375 deletions
@@ -3,6 +3,7 @@ package cli
 import (
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
@@ -39,7 +40,7 @@ func TestClient_ListCertificates(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.ListCertificates([]string{})
 	if err != nil {
 		t.Fatalf("ListCertificates failed: %v", err)
@@ -64,7 +65,7 @@ func TestClient_GetCertificate(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "json")
+	client, _ := NewClient(server.URL, "", "json", "", false)
 	err := client.GetCertificate("mc-1")
 	if err != nil {
 		t.Fatalf("GetCertificate failed: %v", err)
@@ -86,7 +87,7 @@ func TestClient_RenewCertificate(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.RenewCertificate("mc-1")
 	if err != nil {
 		t.Fatalf("RenewCertificate failed: %v", err)
@@ -107,7 +108,7 @@ func TestClient_RevokeCertificate(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.RevokeCertificate("mc-1", "cessationOfOperation")
 	if err != nil {
 		t.Fatalf("RevokeCertificate failed: %v", err)
@@ -141,7 +142,7 @@ func TestClient_BulkRevokeCertificates(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.BulkRevokeCertificates([]string{
 		"--reason", "keyCompromise",
 		"--profile-id", "prof-tls",
@@ -175,7 +176,7 @@ func TestClient_ListAgents(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.ListAgents([]string{})
 	if err != nil {
 		t.Fatalf("ListAgents failed: %v", err)
@@ -201,7 +202,7 @@ func TestClient_GetAgent(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "json")
+	client, _ := NewClient(server.URL, "", "json", "", false)
 	err := client.GetAgent("ag-1")
 	if err != nil {
 		t.Fatalf("GetAgent failed: %v", err)
@@ -232,7 +233,7 @@ func TestClient_ListJobs(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.ListJobs([]string{})
 	if err != nil {
 		t.Fatalf("ListJobs failed: %v", err)
@@ -258,7 +259,7 @@ func TestClient_GetJob(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "json")
+	client, _ := NewClient(server.URL, "", "json", "", false)
 	err := client.GetJob("job-1")
 	if err != nil {
 		t.Fatalf("GetJob failed: %v", err)
@@ -276,7 +277,7 @@ func TestClient_CancelJob(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.CancelJob("job-1")
 	if err != nil {
 		t.Fatalf("CancelJob failed: %v", err)
@@ -308,7 +309,7 @@ func TestClient_GetStatus(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.GetStatus()
 	if err != nil {
 		t.Fatalf("GetStatus failed: %v", err)
@@ -381,7 +382,7 @@ func TestClient_AuthHeader(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "testkey123", "json")
+	client, _ := NewClient(server.URL, "testkey123", "json", "", false)
 	client.do("GET", "/api/v1/certificates", nil, nil)

 	if authHeader != "Bearer testkey123" {
@@ -439,7 +440,7 @@ func TestClient_ImportCertificates_MissingRequiredFlags(t *testing.T) {

 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			client := NewClient(server.URL, "", "table")
+			client, _ := NewClient(server.URL, "", "table", "", false)
 			err := client.ImportCertificates(tc.args)
 			if err == nil {
 				t.Fatalf("expected error for %s, got nil", tc.name)
@@ -468,7 +469,7 @@ func TestClient_ImportCertificates_MissingPositionalArgs(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.ImportCertificates([]string{
 		"--owner-id", "o-alice",
 		"--team-id", "t-platform",
@@ -513,7 +514,7 @@ func TestClient_ImportCertificates_SixFieldPayload(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "", "table")
+	client, _ := NewClient(server.URL, "", "table", "", false)
 	err := client.ImportCertificates([]string{
 		"--owner-id", "o-alice",
 		"--team-id", "t-platform",
@@ -583,3 +584,194 @@ func generateTestCert() *x509.Certificate {

 	return cert
 }
+
+// -----------------------------------------------------------------------------
+// HTTPS-Everywhere milestone (v2.2, §3.2 + §7 Phase 5):
+// The CLI binary now talks HTTPS-only to the control plane. These tests pin the
+// three contracts the milestone requires every client binary (agent, CLI, MCP)
+// to satisfy in lock-step:
+//   (a) CA bundle load success — PEM loads, RootCAs + MinVersion=TLS1.3 wired
+//       through the injected *http.Transport so the httpClient actually uses them.
+//   (b) CA bundle load failure — missing file and malformed/empty PEM each fail
+//       loud with a pinned substring so operators get a useful diagnostic instead
+//       of a later TLS-handshake-error mystery.
+//   (c) End-to-end TLS round-trip — an httptest.NewTLSServer whose own cert is
+//       written out as the CA bundle validates that every TLS-config knob is
+//       actually reaching the wire, not just surviving into the struct.
+// Each of the three client binaries pins the same three contracts against its
+// own NewClient signature; drifting any of them in isolation is exactly what
+// this suite is here to catch. The error-string substrings below must stay in
+// sync with the fmt.Errorf messages in internal/cli/client.go:NewClient.
+// -----------------------------------------------------------------------------
+
+// writeCABundle PEM-encodes a DER cert and writes it to a temp file under the
+// test's own TempDir. Returns the absolute path of the written bundle so test
+// callers can pass it straight into NewClient(..., caBundlePath, ...).
+func writeCABundle(t *testing.T, dir string, certDER []byte, filename string) string {
+	t.Helper()
+	path := filepath.Join(dir, filename)
+	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
+		t.Fatalf("writing CA bundle to %q: %v", path, err)
+	}
+	return path
+}
+
+// TestNewClient_CABundle_Success pins the happy path: a valid PEM CA bundle
+// loads, populates RootCAs on the client's TLS config, and leaves
+// MinVersion=TLS1.3 intact. Regression guard: if a future edit accidentally
+// swaps the transport after TLS config setup (or forgets to re-attach the
+// *tls.Config to *http.Transport), this test catches it before ops does.
+func TestNewClient_CABundle_Success(t *testing.T) {
+	cert := generateTestCert()
+	tmp := t.TempDir()
+	bundlePath := writeCABundle(t, tmp, cert.Raw, "ca.pem")
+
+	client, err := NewClient("https://certctl-server:8443", "test-key", "table", bundlePath, false)
+	if err != nil {
+		t.Fatalf("NewClient with valid CA bundle err=%v want nil", err)
+	}
+	if client == nil {
+		t.Fatal("NewClient returned nil client on happy path")
+	}
+
+	transport, ok := client.httpClient.Transport.(*http.Transport)
+	if !ok {
+		t.Fatalf("httpClient.Transport type=%T want *http.Transport (TLS config injection broke)", client.httpClient.Transport)
+	}
+	if transport.TLSClientConfig == nil {
+		t.Fatal("transport.TLSClientConfig is nil; TLS config must be set on every client")
+	}
+	if transport.TLSClientConfig.RootCAs == nil {
+		t.Fatal("transport.TLSClientConfig.RootCAs is nil; CA bundle path was ignored")
+	}
+	if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
+		t.Errorf("MinVersion=%d want tls.VersionTLS13 (%d); HTTPS-Everywhere requires TLS1.3 floor",
+			transport.TLSClientConfig.MinVersion, tls.VersionTLS13)
+	}
+	if transport.TLSClientConfig.InsecureSkipVerify {
+		t.Error("InsecureSkipVerify=true with insecure=false arg; flag wiring crossed")
+	}
+}
+
+// TestNewClient_CABundle_MissingFile pins the fail-loud path for a nonexistent
+// bundle path. The error surface must include "reading CA bundle" so operators
+// see the right diagnostic instead of a downstream TLS-handshake-error.
+func TestNewClient_CABundle_MissingFile(t *testing.T) {
+	_, err := NewClient("https://certctl-server:8443", "test-key", "table", "/nonexistent/path/ca.pem", false)
+	if err == nil {
+		t.Fatal("NewClient with missing CA bundle err=nil; must fail loud so operators see the right diagnostic")
+	}
+	if !containsStr(err.Error(), "reading CA bundle") {
+		t.Errorf("err=%q must contain %q so operators can locate the misconfigured path", err.Error(), "reading CA bundle")
+	}
+}
+
+// TestNewClient_CABundle_EmptyPEM pins the fail-loud path for a file whose
+// contents are not valid PEM certificate data. AppendCertsFromPEM returning
+// false is the signal we need to surface — otherwise the client would silently
+// ship with an empty cert pool and every TLS handshake would fail downstream.
+func TestNewClient_CABundle_EmptyPEM(t *testing.T) {
+	tmp := t.TempDir()
+	garbagePath := filepath.Join(tmp, "garbage.pem")
+	if err := os.WriteFile(garbagePath, []byte("not a pem certificate, just bytes"), 0o600); err != nil {
+		t.Fatalf("writing garbage file: %v", err)
+	}
+
+	_, err := NewClient("https://certctl-server:8443", "test-key", "table", garbagePath, false)
+	if err == nil {
+		t.Fatal("NewClient with malformed PEM err=nil; must fail loud, not silently skip")
+	}
+	if !containsStr(err.Error(), "no valid PEM-encoded certificates") {
+		t.Errorf("err=%q must contain %q so operators know the file parsed but held no certs",
+			err.Error(), "no valid PEM-encoded certificates")
+	}
+}
+
+// TestNewClient_TLSRoundTrip validates that the TLS config knobs we set on
+// NewClient actually reach the wire. An httptest.NewTLSServer signs its own
+// self-signed leaf; we PEM-encode that server cert, write it as the CA bundle,
+// and issue a real HTTPS call through ListCertificates. A successful round-trip
+// proves RootCAs + MinVersion are flowing through *http.Transport into the
+// dialer, not just surviving into the client struct.
+func TestNewClient_TLSRoundTrip(t *testing.T) {
+	var handlerHit int
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == "GET" && r.URL.Path == "/api/v1/certificates" {
+			handlerHit++
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(map[string]interface{}{
+				"data":  []map[string]interface{}{},
+				"total": 0,
+			})
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	serverCert := server.Certificate()
+	if serverCert == nil {
+		t.Fatal("httptest.NewTLSServer.Certificate() returned nil; cannot build CA bundle")
+	}
+
+	tmp := t.TempDir()
+	bundlePath := writeCABundle(t, tmp, serverCert.Raw, "server-ca.pem")
+
+	client, err := NewClient(server.URL, "test-key", "table", bundlePath, false)
+	if err != nil {
+		t.Fatalf("NewClient(TLS server) err=%v want nil", err)
+	}
+	if err := client.ListCertificates([]string{}); err != nil {
+		t.Fatalf("ListCertificates over HTTPS err=%v; TLS config must reach the wire", err)
+	}
+	if handlerHit != 1 {
+		t.Errorf("handlerHit=%d want 1; request did not reach the TLS server", handlerHit)
+	}
+}
+
+// TestNewClient_InsecureSkipVerify pins the dev-only escape hatch: an untrusted
+// TLS server (cert NOT in the client's root pool) must be reachable when
+// insecure=true. This is the only path in the control plane that disables
+// certificate verification; it's documented in docs/tls.md and gated by the
+// CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY env var so it never slips into
+// production silently.
+func TestNewClient_InsecureSkipVerify(t *testing.T) {
+	var handlerHit int
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		handlerHit++
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(map[string]interface{}{
+			"data":  []map[string]interface{}{},
+			"total": 0,
+		})
+	}))
+	defer server.Close()
+
+	// No CA bundle → system roots, which will NOT trust the self-signed
+	// httptest cert. insecure=true is the only thing keeping this call from
+	// failing with an x509-unknown-authority error.
+	client, err := NewClient(server.URL, "test-key", "table", "", true)
+	if err != nil {
+		t.Fatalf("NewClient(insecure=true) err=%v want nil", err)
+	}
+
+	transport, ok := client.httpClient.Transport.(*http.Transport)
+	if !ok {
+		t.Fatalf("httpClient.Transport type=%T want *http.Transport", client.httpClient.Transport)
+	}
+	if !transport.TLSClientConfig.InsecureSkipVerify {
+		t.Fatal("insecure=true arg did not set TLSClientConfig.InsecureSkipVerify; flag wiring broken")
+	}
+	if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
+		t.Errorf("MinVersion=%d want tls.VersionTLS13 even with insecure=true (TLS1.3 floor is not optional)",
+			transport.TLSClientConfig.MinVersion)
+	}
+
+	if err := client.ListCertificates([]string{}); err != nil {
+		t.Fatalf("ListCertificates(insecure=true) err=%v; escape hatch must still complete the round-trip", err)
+	}
+	if handlerHit != 1 {
+		t.Errorf("handlerHit=%d want 1; insecure round-trip did not reach the server", handlerHit)
+	}
+}