mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:41:30 +00:00
release: deploy-hardening I complete (v2.X.0)
Phase 14 of the deploy-hardening I master bundle. All 14 phases shipped on master ahead of v2.0.66:

Phase 0: setup + recon + 12 frozen decisions confirmed
Phase 1: internal/deploy/ shared atomic-write primitive (87% coverage, 37 tests)
Phase 2: cmd/agent per-target deploy mutex (sync.Map serialization)
Phase 3: target.Connector ValidateOnly interface extension
Phase 4: NGINX canonical implementation (17→59 tests, 91% coverage)
Phase 5: Apache atomic + uplift (3→34 tests, 86% coverage)
Phase 6: HAProxy atomic + uplift (3→36 tests, 88% coverage)
Phase 7: Traefik + Caddy + Envoy + Postfix atomic
Phase 8: F5 + IIS explicit ValidateOnly real-impl
Phase 9: SSH + WinCertStore + JavaKeystore + K8s ValidateOnly
Phase 10: DeployCounters + Prometheus exposer (6 metric blocks)
Phase 11: 4 cross-cutting e2e tests at deploy/test/deploy_e2e_test.go
Phase 12: docs/deployment-atomicity.md + README + features.md
Phase 13: full-matrix verification — gofmt + vet + golangci-lint + race + integration

Closes 3 procurement-checklist gaps with Venafi/DigiCert/Sectigo:
1. Atomic deploy with rollback (every cert deploy is all-or-nothing)
2. Post-deploy TLS verification (handshake + SHA-256 compare)
3. Per-target-type Prometheus metrics (alertable failure rate)

(Vendor-specific deployment recipes — the third procurement-checklist item — ship in deploy-hardening II per cowork/deploy-hardening-ii-prompt.md.)

Backwards compat preserved per frozen decision 0.11: every existing operator deploy keeps working; the target.Connector interface gained ValidateOnly, which connectors that can't dry-run return ErrValidateOnlyNotSupported for; existing per-connector DeployCertificate signatures are unchanged; existing config blobs add only optional fields with documented defaults.

Verification matrix all green:
- gofmt -l: empty across all bundle-touched files
- go vet: clean
- golangci-lint v2.11.4: 0 issues
- go test -race -count=1: green across deploy + 13 connectors + agent + service + handler
- INTEGRATION=1 go test -tags integration -run Deploy: 4/4 e2e tests green

Cowork artifacts:
- cowork/deploy-hardening-i/baseline.md (Phase 0 recon)
- cowork/deploy-hardening-i/v2.X.0-release-notes.md
- cowork/deploy-hardening-i/reddit-beat.md (don't auto-post)

Spec preserved at cowork/deploy-hardening-i-prompt.md. Operator picks the exact v2.X.0 tag value from the increment-from-the-last-tag rule.
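The two checklist items above, atomic deploy with rollback and a post-deploy SHA-256 compare, as an added Go illustration that is not certctl's internal/deploy primitive; the function names, the temp-file naming and the behaviour on a first deploy are assumptions, and the TLS handshake half of the verification is not shown:

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Fingerprint is the lowercase hex SHA-256 of b, the value compared post-deploy.
func Fingerprint(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// replaceAtomic writes data to a temp file beside path, fsyncs it and renames it
// over path: a reader sees the old file or the complete new one, never a torn write.
func replaceAtomic(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".deploy-*.tmp") // assumed pattern
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op after a successful rename
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync() // durable before it becomes visible
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// AtomicDeploy installs cert at path all-or-nothing, re-reads the result and checks
// its SHA-256 against wantSHA256; on mismatch the previous state is restored.
func AtomicDeploy(path string, cert []byte, wantSHA256 string) error {
	prev, prevErr := os.ReadFile(path) // prevErr != nil on a first deploy
	if err := replaceAtomic(path, cert); err != nil {
		return err
	}
	if onDisk, err := os.ReadFile(path); err == nil && Fingerprint(onDisk) == wantSHA256 {
		return nil
	}
	mismatch := fmt.Errorf("post-deploy SHA-256 mismatch at %s, rolled back", path)
	if prevErr == nil {
		return errors.Join(mismatch, replaceAtomic(path, prev)) // restore the old cert
	}
	return errors.Join(mismatch, os.Remove(path)) // first deploy: leave nothing behind
}
```

The same-directory temp file matters: rename is only atomic within one filesystem, so a temp file in /tmp would reintroduce the torn-write window the primitive exists to close.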