mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-13 03:39:17 +00:00
v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP
Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
This commit is contained in:
shankar0123
+10
-10
@@ -88,7 +88,7 @@ func TestRegisterTools_ToolCount(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
RegisterTools(server, client)
|
||||
|
||||
// The server should have tools registered — we can verify by listing them
|
||||
@@ -166,7 +166,7 @@ func TestToolEndToEnd_ListCertificates(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
|
||||
// Manually call the handler logic that would be registered as a tool
|
||||
q := paginationQuery(1, 50)
|
||||
@@ -204,7 +204,7 @@ func TestToolEndToEnd_CreateCertificate(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
|
||||
input := CreateCertificateInput{
|
||||
Name: "API Production",
|
||||
@@ -244,7 +244,7 @@ func TestToolEndToEnd_TriggerRenewal(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
data, err := client.Post("/api/v1/certificates/mc-api-prod/renew", nil)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
@@ -272,7 +272,7 @@ func TestToolEndToEnd_DeleteTarget(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
data, err := client.Delete("/api/v1/targets/t-platform")
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
@@ -300,7 +300,7 @@ func TestToolEndToEnd_RevokeCertificate(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
input := RevokeCertificateInput{
|
||||
ID: "mc-api-prod",
|
||||
Reason: "keyCompromise",
|
||||
@@ -327,7 +327,7 @@ func TestToolEndToEnd_AgentHeartbeat(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
_, err := client.Post("/api/v1/agents/agent-001/heartbeat", map[string]string{
|
||||
"os": "linux",
|
||||
"architecture": "amd64",
|
||||
@@ -347,7 +347,7 @@ func TestToolEndToEnd_ListWithFilters(t *testing.T) {
|
||||
api := mockCertctlAPI(log)
|
||||
defer api.Close()
|
||||
|
||||
client := NewClient(api.URL, "test-key")
|
||||
client, _ := NewClient(api.URL, "test-key", "", false)
|
||||
q := paginationQuery(1, 25)
|
||||
q.Set("status", "Pending")
|
||||
q.Set("type", "Renewal")
|
||||
@@ -377,7 +377,7 @@ func TestToolEndToEnd_GetRawBinary(t *testing.T) {
|
||||
}))
|
||||
defer server.Close()
|
||||
|
||||
client := NewClient(server.URL, "test-key")
|
||||
client, _ := NewClient(server.URL, "test-key", "", false)
|
||||
data, ct, err := client.GetRaw("/.well-known/pki/crl/iss-local")
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
@@ -397,7 +397,7 @@ func TestToolEndToEnd_ErrorPropagation(t *testing.T) {
|
||||
}))
|
||||
defer server.Close()
|
||||
|
||||
client := NewClient(server.URL, "test-key")
|
||||
client, _ := NewClient(server.URL, "test-key", "", false)
|
||||
_, err := client.Get("/api/v1/certificates", nil)
|
||||
if err == nil {
|
||||
t.Fatal("expected error for 403 response")
|
||||
|
||||
Reference in New Issue
Block a user