gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: complete V2 audit remediation — OpenAPI spec, demos, and features

Browse Source 
- Add 15 missing operations to openapi.yaml (M18b discovery, M20 deployments,
  M21 network scan, M22 Prometheus) — spec now has 93 operations matching all
  93 router routes
- Add 6 new component schemas (DiscoveredCertificate, DiscoveryScan,
  DiscoveryReport, NetworkScanTarget, NetworkScanTargetCreate,
  StatusMessageResponse)
- Add Discovery and Network Scan tags to OpenAPI spec
- Fix stale "Prometheus format deferred to V3" claim in metrics description
- Add Part 4.5 (Target CRUD) to demo-advanced.md with create/update/delete
  curl examples
- Expand Certificate Profiles section in features.md with list/get/update
  curl examples
- Add Deployment Trigger section to features.md with curl examples
- Add discovery-summary and discovery-scans curl examples to features.md
- Remove 3 empty directories (internal/agent/, internal/audit/, internal/policy/)
- Update features.md OpenAPI scope from "78 documented" to "93 operations"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
2026-03-25 00:42:58 -04:00
parent a4622d5e9a
commit 6c10c33572
3 changed files with 670 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/demo-advanced.md
+33
View File
@@ -372,6 +372,39 @@ curl -s "$API/api/v1/jobs" | jq '.data[] | select(.certificate_id == "mc-demo-ap
---
## Part 4.5: Manage Deployment Targets
Before deploying, you need targets. The demo seeds 5 targets, but you can also create, update, and delete them via API:
```bash
# List all targets
curl -s "$API/api/v1/targets" | jq '.data[] | {id, name, type, agent_id}'
# Create a new NGINX target
curl -s -X POST "$API/api/v1/targets" \
-H "Content-Type: application/json" \
-d '{
"id": "tgt-nginx-api",
"name": "API NGINX",
"type": "nginx",
"agent_id": "ag-web-prod",
"config": {"cert_path": "/etc/nginx/certs/api.crt", "key_path": "/etc/nginx/certs/api.key", "reload_command": "systemctl reload nginx"},
"enabled": true
}' | jq .
# Update a target
curl -s -X PUT "$API/api/v1/targets/tgt-nginx-api" \
-H "Content-Type: application/json" \
-d '{"name": "API NGINX (updated)", "type": "nginx", "agent_id": "ag-web-prod", "config": {"cert_path": "/etc/nginx/certs/api.crt"}, "enabled": true}' | jq .
# Delete a target
curl -s -X DELETE "$API/api/v1/targets/tgt-nginx-api"
```
Each target type (NGINX, Apache, HAProxy, F5, IIS) accepts different configuration fields. The `config` JSON is validated at deployment time by the target connector.
---
## Part 5: Deploy the Certificate
Trigger deployment to see the deployment workflow:
docs/features.md
+36 -1
View File
@@ -128,6 +128,21 @@ curl -H "$AUTH" "$SERVER/api/v1/certificates?expires_before=2026-04-24T00:00:00Z
- Server signs and stores certificate version
- Work endpoint enriched with `common_name` and `sans` for agent CSR generation
### Deployment Trigger
Push certificates to targets on demand, outside of the normal scheduler-driven flow:
```bash
# Deploy to all mapped targets
curl -X POST -H "$AUTH" $SERVER/api/v1/certificates/mc-api-prod/deploy
# Deploy to a specific target
curl -X POST -H "$AUTH" -H "$CT" $SERVER/api/v1/certificates/mc-api-prod/deploy \
-d '{"target_id": "tgt-nginx-prod"}'
# Check deployment job status
curl -H "$AUTH" "$SERVER/api/v1/certificates/mc-api-prod/deployments" | jq '.data[] | {id, name, type}'
```
---
## Revocation Infrastructure
@@ -192,6 +207,17 @@ curl -X POST -H "$AUTH" -H "$CT" $SERVER/api/v1/profiles -d '{
curl -X PUT -H "$AUTH" -H "$CT" $SERVER/api/v1/certificates/mc-api-prod -d '{
"profile_id": "prof-short-lived"
}'
# List all profiles
curl -H "$AUTH" "$SERVER/api/v1/profiles" | jq '.data[] | {id, name, max_ttl_hours, allowed_key_algorithms}'
# Get profile details
curl -H "$AUTH" "$SERVER/api/v1/profiles/prof-standard-tls" | jq .
# Update profile constraints
curl -X PUT -H "$AUTH" -H "$CT" $SERVER/api/v1/profiles/prof-standard-tls -d '{
"name": "Standard TLS", "max_ttl_hours": 2160, "allowed_key_algorithms": ["RSA", "ECDSA"]
}'
```
| Field | Details |
@@ -519,6 +545,15 @@ Each discovered certificate is parsed and its metadata extracted:
| `/api/v1/discovery-scans` | GET | List scan history with timestamps |
| `/api/v1/discovery-summary` | GET | Aggregate status counts (Unmanaged, Managed, Dismissed) |
```bash
# Check triage status at a glance
curl -H "$AUTH" "$SERVER/api/v1/discovery-summary" | jq .
# → {"Unmanaged": 12, "Managed": 45, "Dismissed": 3}
# Review scan execution history
curl -H "$AUTH" "$SERVER/api/v1/discovery-scans" | jq '.data[] | {agent_id, certificates_found, certificates_new, started_at}'
```
### Use Cases
- **Inventory Baseline** — Scan production servers at deployment time to establish baseline of existing certificates
- **Compliance Discovery** — Find all TLS certs before renewing certificate policies
@@ -889,7 +924,7 @@ The web dashboard is the primary operational interface for certctl. Built with *
### OpenAPI 3.1 Specification
- **File** — `api/openapi.yaml`
- **Scope** — 78 documented operations (spec covers core API; discovery and network scan endpoints pending addition)
- **Scope** — 93 operations (91 API + /health + /ready), all request/response schemas, enums, pagination
- **Schemas** — Complete domain models with examples
- **Enums** — Job types, states, policy rule types, notification types
- **Pagination** — Standard envelope (data, total, page, per_page)