feat(M47): add Kubernetes Secrets target + AWS ACM PCA issuer connectors

Implement both M47 connectors with full cross-layer wiring: Kubernetes Secrets target: DNS-1123 validation, kubernetes.io/tls Secret create-or-update, chain concatenation, serial number validation, Helm RBAC gating. 18 tests. AWS ACM Private CA issuer: synchronous issuance (like Vault), ARN regex validation, RFC 5280 revocation reason mapping, CA cert retrieval, factory + env var seeding. 23 tests. Cross-cutting: domain types, service validation, config, factory, agent dispatch, frontend (TargetsPage, issuerTypes), OpenAPI, seed data, Helm chart, connectors docs, README. Testing docs (testing-guide, qa-test-guide, qa_test.go) with Parts thematically integrated near related connectors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-07 13:51:36 +00:00 · 2026-04-07 20:21:09 -04:00
parent e5516d7286
commit 5567d4b411
22 changed files with 2620 additions and 18 deletions
@@ -18,7 +18,14 @@ metadata:
  name: {{ include "certctl.fullname" . }}
  labels:
    {{- include "certctl.labels" . | nindent 4 }}
-rules: []
+rules:
+{{- if .Values.kubernetesSecrets.enabled }}
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch"]
+{{- else }}
+  []
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -381,6 +381,13 @@ serviceAccount:
 rbac:
  create: true

+# ==============================================================================
+# Kubernetes Secrets Target Connector
+# ==============================================================================
+kubernetesSecrets:
+  # Enable RBAC rules for managing TLS Secrets
+  enabled: false
+
 # ==============================================================================
 # Pod Disruption Budget (for HA deployments)
 # ==============================================================================
@@ -1712,6 +1712,84 @@ func TestQA(t *testing.T) {
 			fileContains(t, "deploy/helm/certctl/templates/server-deployment.yaml", "readinessProbe")
 		})
 	})
+
+	// ===================================================================
+	t.Run("Part53_KubernetesSecrets", func(t *testing.T) {
+		t.Run("ConnectorPackageExists", func(t *testing.T) {
+			fileExists(t, "internal/connector/target/k8ssecret/k8ssecret.go")
+		})
+
+		t.Run("TestFileExists", func(t *testing.T) {
+			fileExists(t, "internal/connector/target/k8ssecret/k8ssecret_test.go")
+		})
+
+		t.Run("DomainTypeRegistered", func(t *testing.T) {
+			fileContains(t, "internal/domain/connector.go", `TargetTypeKubernetesSecrets`)
+		})
+
+		t.Run("ServiceValidationEntry", func(t *testing.T) {
+			fileContains(t, "internal/service/target.go", `TargetTypeKubernetesSecrets`)
+		})
+
+		t.Run("AgentDispatchCase", func(t *testing.T) {
+			fileContains(t, "cmd/agent/main.go", `"KubernetesSecrets"`)
+		})
+
+		t.Run("FrontendTypeLabel", func(t *testing.T) {
+			fileContains(t, "web/src/pages/TargetsPage.tsx", `KubernetesSecrets`)
+		})
+
+		t.Run("OpenAPIEnum", func(t *testing.T) {
+			fileContains(t, "api/openapi.yaml", `KubernetesSecrets`)
+		})
+
+		t.Run("HelmRBAC", func(t *testing.T) {
+			fileContains(t, "deploy/helm/certctl/templates/serviceaccount.yaml", `secrets`)
+		})
+	})
+
+	// ===================================================================
+	t.Run("Part54_AWSACMPCA", func(t *testing.T) {
+		t.Run("ConnectorPackageExists", func(t *testing.T) {
+			fileExists(t, "internal/connector/issuer/awsacmpca/awsacmpca.go")
+		})
+
+		t.Run("TestFileExists", func(t *testing.T) {
+			fileExists(t, "internal/connector/issuer/awsacmpca/awsacmpca_test.go")
+		})
+
+		t.Run("DomainTypeRegistered", func(t *testing.T) {
+			fileContains(t, "internal/domain/connector.go", `IssuerTypeAWSACMPCA`)
+		})
+
+		t.Run("ServiceValidationEntry", func(t *testing.T) {
+			fileContains(t, "internal/service/issuer.go", `IssuerTypeAWSACMPCA`)
+		})
+
+		t.Run("FactoryCase", func(t *testing.T) {
+			fileContains(t, "internal/connector/issuerfactory/factory.go", `"AWSACMPCA"`)
+		})
+
+		t.Run("ConfigStruct", func(t *testing.T) {
+			fileContains(t, "internal/config/config.go", `AWSACMPCAConfig`)
+		})
+
+		t.Run("EnvVarSeed", func(t *testing.T) {
+			fileContains(t, "internal/service/issuer.go", `iss-awsacmpca`)
+		})
+
+		t.Run("FrontendIssuerType", func(t *testing.T) {
+			fileContains(t, "web/src/config/issuerTypes.ts", `AWSACMPCA`)
+		})
+
+		t.Run("OpenAPIEnum", func(t *testing.T) {
+			fileContains(t, "api/openapi.yaml", `AWSACMPCA`)
+		})
+
+		t.Run("SeedDemoData", func(t *testing.T) {
+			fileContains(t, "migrations/seed_demo.sql", `iss-awsacmpca`)
+		})
+	})
 }

 // Note: uses Go 1.21+ built-in min() — no custom definition needed.