certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:21:31 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	9155ec9174	fix(helm): DEPL-004 follow-up — default tlsConfig to real verify; fix ill-formed required-nil Sprint 6 ACQ DEPL-004 closure follow-up. CI run on commit `58a15e0` caught two issues: 1. The fail-closed guard in templates/servicemonitor.yaml used `{{ required "msg" nil }}`, which is wrong Helm syntax — the bareword `nil` isn't valid in Go templates and Helm interprets it as no value, hitting "wrong number of args for required: want 2 got 0". The B3-helm-chart-coherence ci-guard's production-hardening render (`--set monitoring.serviceMonitor.enabled=true` without explicit tlsConfig) failed with this error AND with the downstream "missing kind: ServiceMonitor / PodDisruptionBudget / NetworkPolicy" cascades (the entire render aborted before producing the matrix). 2. The original DEPL-004 framing — "operators MUST explicitly choose tlsConfig or you get a chart-render error" — was the right intent but the wrong default. The chart's existingSecret integration mounts the CA bundle at a canonical path (/etc/prometheus/secrets/certctl-ca/ca.crt); defaulting to that path closes the implicit-skipVerify gap without forcing every operator to repeat the same boilerplate. Fixes ===== deploy/helm/certctl/values.yaml — flips monitoring.serviceMonitor.tlsConfig from commented-out (which fell through to implicit insecureSkipVerify: true) to a real verify default: tlsConfig: caFile: /etc/prometheus/secrets/certctl-ca/ca.crt serverName: certctl-server Operators with a different CA mount path override caFile; operators who genuinely want skipVerify back must set `{ insecureSkipVerify: true }` explicitly. Operators who blank tlsConfig entirely (`tlsConfig: null` or `tlsConfig: {}`) still trip the fail-closed guard. deploy/helm/certctl/templates/servicemonitor.yaml — replaces `required "msg" nil` with `fail "msg"`. The `fail` builtin is the correct Helm pattern for an unconditional render-time error; `required` is for "this value MUST be non-empty" which is the wrong semantic here (we want to fail when the operator went OUT OF THEIR WAY to blank the default). Failure message updated to reflect the new default + the operator-action recipes. docs/operator/helm-deployment.md — rewrites the "2026-05-16 — ServiceMonitor TLS default flipped" subsection to match the new default-on-real-verify semantics. The three operator recipes (default install / different CA mount / explicit skipVerify) are documented; the explicit "there is no way to inherit pre-2026-05-16 implicit-skipVerify behavior silently" guarantee is preserved. Verified locally: python3 YAML parse on values.yaml clean; the helm-templates-lint and B3-helm-chart-coherence ci-guards require helm itself which isn't in the sandbox — both should pass on the CI re-run.	2026-05-16 22:09:42 +00:00
shankar0123	d7546aedca	fix(helm): DEPL-004 — ServiceMonitor TLS default flipped to fail-closed Acquisition-audit DEPL-004 closure (Sprint 6 ACQ, 2026-05-16). Pre-2026-05-16, monitoring.serviceMonitor.tlsConfig in values.yaml was empty by default, and the ServiceMonitor template fell through to an implicit `insecureSkipVerify: true` else-branch. Operators opting into the ServiceMonitor (monitoring.serviceMonitor.enabled=true) got no Prometheus TLS verification by default — in-cluster scrapes tolerate this, out-of-cluster scrapes silently skip the chain check. The template now emits a fail-closed `{{ required ... }}` message at `helm template` / `helm upgrade` time if neither a real verify nor an explicit opt-back is supplied. The error string lists both escape hatches and the docs cross-link, so the operator sees the fix in the same line they hit the error. Operators with monitoring.serviceMonitor.enabled=false (the chart default): no action required — the template short-circuits before the tlsConfig block. Operators who had ServiceMonitor on with no tlsConfig set: helm upgrade will fail until they supply either { caFile: ..., serverName: ... } (production-shaped) or { insecureSkipVerify: true } (operator-acknowledged opt-back). Files ===== - deploy/helm/certctl/templates/servicemonitor.yaml: replace the else-branch insecureSkipVerify default with a {{ required ... }} Helm builtin that fails the render with a clear remediation message pointing at both escape hatches and docs/operator/ helm-deployment.md - deploy/helm/certctl/values.yaml: rewrite the tlsConfig comment block to document the new fail-closed posture + both upgrade paths (production verify vs operator-acknowledged opt-back) - docs/operator/helm-deployment.md: new "2026-05-16 — ServiceMonitor TLS default flipped (DEPL-004)" subsection in the existing Upgrade section with the two operator-action recipes	2026-05-16 19:44:48 +00:00
shankar0123	b452013dd9	docs: Phase 5 — testing-guide.md prune (8268 → 0 lines, content dispersed) Per Phase 1 audit at cowork/docs-overhaul-phase-1-audit-2026-05-04/ and the section-by-section plan in testing-guide-tumor.md. testing-guide.md was 30% of all docs/ content (8268 lines) but was integration test code written in markdown, not operator documentation. The audit's tumor analysis disposed of every Part: - ~65% DELETE (test cases that already exist in code) - ~22% MOVE to inline test code - ~8% KEEP-COMPRESSED into focused operator-runbook docs - Title + contents + release sign-off ~5% KEEP This commit ships the KEEP-COMPRESSED dispersal: docs/contributor/qa-prerequisites.md (NEW, ~120 lines): From testing-guide.md "Prerequisites" section. Stack boot procedure, demo data baseline, reference IDs operators reuse across QA docs. docs/contributor/gui-qa-checklist.md (NEW, ~105 lines): From testing-guide.md "Part 35: GUI Testing". Manual GUI verification pass for release sign-off. 25-row table covering every dashboard page. docs/contributor/release-sign-off.md (NEW, ~130 lines): From testing-guide.md "Release Sign-Off" section (originally 1009 lines of per-test detail tables). Compressed to a release-day checklist organized by gate category: code state, automated gates, manual QA passes, release artefact verification, branch protection, post-release. docs/operator/performance-baselines.md (NEW, ~100 lines): From testing-guide.md "Part 39: Performance Spot Checks". Four operator-runnable benchmarks (API request handling, inventory list pagination, scheduler tick, bulk revoke) with baseline numbers and when-to-re-baseline guidance. docs/operator/helm-deployment.md (NEW, ~120 lines): From testing-guide.md "Part 52: Helm Chart Deployment". Operator runbook for the bundled deploy/helm/certctl/ chart: prereqs, install, four cert-source patterns, verify, upgrade, troubleshooting. docs/reference/cli.md (NEW, ~120 lines): From testing-guide.md "Part 28: CLI Tool". certctl-cli command reference with command-group breakdown, common workflows (list/filter, renew, revoke, bulk import, EST enrollment, status), output formats, CI/CD integration patterns. docs/README.md navigation index updated to include the 6 new docs: Reference section gains: cli.md, release-verification.md (was added in Phase 13) Operator section gains: helm-deployment.md, performance-baselines.md Contributor section gains: qa-prerequisites.md, gui-qa-checklist.md, release-sign-off.md docs/testing-guide.md deleted. Git history preserves the 8268 lines — if any specific test case is found missing from inline test code or the destination docs during future work, lift from `git show HEAD~1:docs/testing-guide.md`. Net: docs/ total line count drops by ~7700 lines (28%), from 26,369 to 18,742. testing-guide.md was the single largest doc; pruning it is the single biggest content-edit win of the entire restructure. Phase 5 is the last major content phase. Remaining: Phase 4 follow-on (per-connector page extractions from reference/connectors/index.md), Phase 15 (WHAT/HOW/WHY remediation), Phase 16 (final acceptance gate).	2026-05-05 03:38:54 +00:00

shankar0123

9155ec9174

fix(helm): DEPL-004 follow-up — default tlsConfig to real verify; fix ill-formed required-nil

Sprint 6 ACQ DEPL-004 closure follow-up. CI run on commit 58a15e0
caught two issues:

1. The fail-closed guard in templates/servicemonitor.yaml used
   `{{ required "msg" nil }}`, which is wrong Helm syntax — the
   bareword `nil` isn't valid in Go templates and Helm interprets
   it as no value, hitting "wrong number of args for required:
   want 2 got 0". The B3-helm-chart-coherence ci-guard's
   production-hardening render
   (`--set monitoring.serviceMonitor.enabled=true` without
   explicit tlsConfig) failed with this error AND with the
   downstream "missing kind: ServiceMonitor / PodDisruptionBudget /
   NetworkPolicy" cascades (the entire render aborted before
   producing the matrix).

2. The original DEPL-004 framing — "operators MUST explicitly
   choose tlsConfig or you get a chart-render error" — was the
   right intent but the wrong default. The chart's existingSecret
   integration mounts the CA bundle at a canonical path
   (/etc/prometheus/secrets/certctl-ca/ca.crt); defaulting to that
   path closes the implicit-skipVerify gap without forcing every
   operator to repeat the same boilerplate.

Fixes
=====

deploy/helm/certctl/values.yaml — flips
monitoring.serviceMonitor.tlsConfig from commented-out (which fell
through to implicit insecureSkipVerify: true) to a real verify
default:

  tlsConfig:
    caFile: /etc/prometheus/secrets/certctl-ca/ca.crt
    serverName: certctl-server

Operators with a different CA mount path override caFile;
operators who genuinely want skipVerify back must set
`{ insecureSkipVerify: true }` explicitly. Operators who blank
tlsConfig entirely (`tlsConfig: null` or `tlsConfig: {}`) still
trip the fail-closed guard.

deploy/helm/certctl/templates/servicemonitor.yaml — replaces
`required "msg" nil` with `fail "msg"`. The `fail` builtin is
the correct Helm pattern for an unconditional render-time error;
`required` is for "this value MUST be non-empty" which is the
wrong semantic here (we want to fail when the operator went OUT OF
THEIR WAY to blank the default). Failure message updated to
reflect the new default + the operator-action recipes.

docs/operator/helm-deployment.md — rewrites the
"2026-05-16 — ServiceMonitor TLS default flipped" subsection to
match the new default-on-real-verify semantics. The three operator
recipes (default install / different CA mount / explicit
skipVerify) are documented; the explicit "there is no way to
inherit pre-2026-05-16 implicit-skipVerify behavior silently"
guarantee is preserved.

Verified locally: python3 YAML parse on values.yaml clean; the
helm-templates-lint and B3-helm-chart-coherence ci-guards require
helm itself which isn't in the sandbox — both should pass on the
CI re-run.

2026-05-16 22:09:42 +00:00

shankar0123

d7546aedca

fix(helm): DEPL-004 — ServiceMonitor TLS default flipped to fail-closed

Acquisition-audit DEPL-004 closure (Sprint 6 ACQ, 2026-05-16).

Pre-2026-05-16, monitoring.serviceMonitor.tlsConfig in values.yaml
was empty by default, and the ServiceMonitor template fell through
to an implicit `insecureSkipVerify: true` else-branch. Operators
opting into the ServiceMonitor (monitoring.serviceMonitor.enabled=true)
got no Prometheus TLS verification by default — in-cluster scrapes
tolerate this, out-of-cluster scrapes silently skip the chain check.

The template now emits a fail-closed `{{ required ... }}` message
at `helm template` / `helm upgrade` time if neither a real verify
nor an explicit opt-back is supplied. The error string lists both
escape hatches and the docs cross-link, so the operator sees the
fix in the same line they hit the error.

Operators with monitoring.serviceMonitor.enabled=false (the chart
default): no action required — the template short-circuits before
the tlsConfig block. Operators who had ServiceMonitor on with no
tlsConfig set: helm upgrade will fail until they supply either
{ caFile: ..., serverName: ... } (production-shaped) or
{ insecureSkipVerify: true } (operator-acknowledged opt-back).

Files
=====
- deploy/helm/certctl/templates/servicemonitor.yaml: replace the
  else-branch insecureSkipVerify default with a {{ required ... }}
  Helm builtin that fails the render with a clear remediation
  message pointing at both escape hatches and docs/operator/
  helm-deployment.md
- deploy/helm/certctl/values.yaml: rewrite the tlsConfig comment
  block to document the new fail-closed posture + both upgrade
  paths (production verify vs operator-acknowledged opt-back)
- docs/operator/helm-deployment.md: new "2026-05-16 — ServiceMonitor
  TLS default flipped (DEPL-004)" subsection in the existing
  Upgrade section with the two operator-action recipes

2026-05-16 19:44:48 +00:00

shankar0123

b452013dd9

docs: Phase 5 — testing-guide.md prune (8268 → 0 lines, content dispersed)

Per Phase 1 audit at cowork/docs-overhaul-phase-1-audit-2026-05-04/
and the section-by-section plan in testing-guide-tumor.md.

testing-guide.md was 30% of all docs/ content (8268 lines) but was
integration test code written in markdown, not operator documentation.
The audit's tumor analysis disposed of every Part:
  - ~65% DELETE (test cases that already exist in code)
  - ~22% MOVE to inline test code
  - ~8% KEEP-COMPRESSED into focused operator-runbook docs
  - Title + contents + release sign-off ~5% KEEP

This commit ships the KEEP-COMPRESSED dispersal:

  docs/contributor/qa-prerequisites.md (NEW, ~120 lines):
    From testing-guide.md "Prerequisites" section. Stack boot procedure,
    demo data baseline, reference IDs operators reuse across QA docs.

  docs/contributor/gui-qa-checklist.md (NEW, ~105 lines):
    From testing-guide.md "Part 35: GUI Testing". Manual GUI verification
    pass for release sign-off. 25-row table covering every dashboard page.

  docs/contributor/release-sign-off.md (NEW, ~130 lines):
    From testing-guide.md "Release Sign-Off" section (originally 1009
    lines of per-test detail tables). Compressed to a release-day
    checklist organized by gate category: code state, automated gates,
    manual QA passes, release artefact verification, branch protection,
    post-release.

  docs/operator/performance-baselines.md (NEW, ~100 lines):
    From testing-guide.md "Part 39: Performance Spot Checks". Four
    operator-runnable benchmarks (API request handling, inventory list
    pagination, scheduler tick, bulk revoke) with baseline numbers and
    when-to-re-baseline guidance.

  docs/operator/helm-deployment.md (NEW, ~120 lines):
    From testing-guide.md "Part 52: Helm Chart Deployment". Operator
    runbook for the bundled deploy/helm/certctl/ chart: prereqs,
    install, four cert-source patterns, verify, upgrade, troubleshooting.

  docs/reference/cli.md (NEW, ~120 lines):
    From testing-guide.md "Part 28: CLI Tool". certctl-cli command
    reference with command-group breakdown, common workflows
    (list/filter, renew, revoke, bulk import, EST enrollment, status),
    output formats, CI/CD integration patterns.

docs/README.md navigation index updated to include the 6 new docs:
  Reference section gains: cli.md, release-verification.md (was added
    in Phase 13)
  Operator section gains: helm-deployment.md, performance-baselines.md
  Contributor section gains: qa-prerequisites.md, gui-qa-checklist.md,
    release-sign-off.md

docs/testing-guide.md deleted. Git history preserves the 8268 lines —
if any specific test case is found missing from inline test code or
the destination docs during future work, lift from `git show
HEAD~1:docs/testing-guide.md`.

Net: docs/ total line count drops by ~7700 lines (28%), from 26,369
to 18,742. testing-guide.md was the single largest doc; pruning it is
the single biggest content-edit win of the entire restructure.

Phase 5 is the last major content phase. Remaining: Phase 4 follow-on
(per-connector page extractions from reference/connectors/index.md),
Phase 15 (WHAT/HOW/WHY remediation), Phase 16 (final acceptance gate).

2026-05-05 03:38:54 +00:00

3 Commits