feat(M44): Google CAS issuer connector

Google Cloud Certificate Authority Service integration via REST API with OAuth2 service account auth (JWT→access token). Synchronous issuance model, CA pool selection, mutex-guarded token caching, revocation with RFC 5280 reason mapping. No Google SDK dependency — all stdlib. 19 tests with httptest mock OAuth2 + CAS API. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-11 19:28:51 +00:00 · 2026-04-03 21:25:34 -04:00
parent cb72292b83
commit 5a53b648b1
12 changed files with 1608 additions and 7 deletions
@@ -28,6 +28,7 @@ type Config struct {
 	Vault        VaultConfig
 	DigiCert     DigiCertConfig
 	Sectigo      SectigoConfig
+	GoogleCAS    GoogleCASConfig
 	Digest       DigestConfig
 }

@@ -232,6 +233,34 @@ type SectigoConfig struct {
 	BaseURL string
 }

+// GoogleCASConfig contains Google Cloud Certificate Authority Service configuration.
+type GoogleCASConfig struct {
+	// Project is the GCP project ID.
+	// Required for Google CAS integration.
+	// Setting: CERTCTL_GOOGLE_CAS_PROJECT environment variable.
+	Project string
+
+	// Location is the GCP region (e.g., "us-central1").
+	// Required for Google CAS integration.
+	// Setting: CERTCTL_GOOGLE_CAS_LOCATION environment variable.
+	Location string
+
+	// CAPool is the Certificate Authority pool name.
+	// Required for Google CAS integration.
+	// Setting: CERTCTL_GOOGLE_CAS_CA_POOL environment variable.
+	CAPool string
+
+	// Credentials is the path to the service account JSON credentials file.
+	// Required for Google CAS integration.
+	// Setting: CERTCTL_GOOGLE_CAS_CREDENTIALS environment variable.
+	Credentials string
+
+	// TTL is the default certificate time-to-live.
+	// Default: "8760h" (1 year).
+	// Setting: CERTCTL_GOOGLE_CAS_TTL environment variable.
+	TTL string
+}
+
 // DigestConfig controls the scheduled certificate digest email feature.
 type DigestConfig struct {
 	// Enabled controls whether periodic digest emails are generated and sent.
@@ -547,6 +576,13 @@ func Load() (*Config, error) {
 			Term:        getEnvInt("CERTCTL_SECTIGO_TERM", 365),
 			BaseURL:     getEnv("CERTCTL_SECTIGO_BASE_URL", "https://cert-manager.com/api"),
 		},
+		GoogleCAS: GoogleCASConfig{
+			Project:     getEnv("CERTCTL_GOOGLE_CAS_PROJECT", ""),
+			Location:    getEnv("CERTCTL_GOOGLE_CAS_LOCATION", ""),
+			CAPool:      getEnv("CERTCTL_GOOGLE_CAS_CA_POOL", ""),
+			Credentials: getEnv("CERTCTL_GOOGLE_CAS_CREDENTIALS", ""),
+			TTL:         getEnv("CERTCTL_GOOGLE_CAS_TTL", "8760h"),
+		},
 		ACME: ACMEConfig{
 			DirectoryURL:           getEnv("CERTCTL_ACME_DIRECTORY_URL", ""),
 			Email:                  getEnv("CERTCTL_ACME_EMAIL", ""),