feat(M47): add Kubernetes Secrets target + AWS ACM PCA issuer connectors

Implement both M47 connectors with full cross-layer wiring: Kubernetes Secrets target: DNS-1123 validation, kubernetes.io/tls Secret create-or-update, chain concatenation, serial number validation, Helm RBAC gating. 18 tests. AWS ACM Private CA issuer: synchronous issuance (like Vault), ARN regex validation, RFC 5280 revocation reason mapping, CA cert retrieval, factory + env var seeding. 23 tests. Cross-cutting: domain types, service validation, config, factory, agent dispatch, frontend (TargetsPage, issuerTypes), OpenAPI, seed data, Helm chart, connectors docs, README. Testing docs (testing-guide, qa-test-guide, qa_test.go) with Parts thematically integrated near related connectors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-14 10:59:02 +00:00 · 2026-04-07 20:21:09 -04:00
parent f17027c62b
commit e72f06f35b
22 changed files with 2620 additions and 18 deletions
@@ -7,6 +7,7 @@ import (

 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/acme"
+	"github.com/shankar0123/certctl/internal/connector/issuer/awsacmpca"
 	"github.com/shankar0123/certctl/internal/connector/issuer/digicert"
 	"github.com/shankar0123/certctl/internal/connector/issuer/googlecas"
 	"github.com/shankar0123/certctl/internal/connector/issuer/local"
@@ -81,6 +82,13 @@ func NewFromConfig(issuerType string, configJSON json.RawMessage, logger *slog.L
 		}
 		return googlecas.New(&cfg, logger), nil

+	case "AWSACMPCA":
+		var cfg awsacmpca.Config
+		if err := json.Unmarshal(configJSON, &cfg); err != nil {
+			return nil, fmt.Errorf("invalid AWS ACM PCA config: %w", err)
+		}
+		return awsacmpca.New(&cfg, logger), nil
+
 	default:
 		return nil, fmt.Errorf("unknown issuer type: %q", issuerType)
 	}