certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:41:30 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	0729ee46e0	chore: sweep github.com/shankar0123/certctl URL refs to certctl-io/certctl Post-transfer cosmetic + release-critical URL refresh after moving the repo from github.com/shankar0123/certctl to github.com/certctl-io/certctl (2026-05-03). GitHub HTTP redirects continue to forward old URLs forever, so existing operators are not broken — but aligns the canonical references with the new owner so: - procurement engineers / contributors browsing the docs see the right URL on first read - operators copying the agent install one-liner hit the new path directly without going through a redirect - the Helm chart's default image repository points at the canonical org registry path - the OnboardingWizard rendered to first-run UI users shows the new URL in the install snippets and doc anchor links - the GitHub Actions release workflow pushes container images to ghcr.io/certctl-io/certctl-{server,agent} (was: shankar0123) - the release-notes Markdown body in release.yml — which gets stamped into every future release page — references the post-transfer cert-identity (cosign keyless signing now uses the certctl-io workflow URL) and the post-transfer SLSA provenance source-uri. Without this, every cosign verify / slsa-verifier command on a v2.1.0+ release would fail because the cert-identity-regexp would not match the signing identity GitHub Actions OIDC issues post- transfer. Old releases (v2.0.67 and earlier) keep their immutable release-notes pointing at the shankar0123 path and remain verifiable via their own published instructions. Customer impact: - Operators on ghcr.io/shankar0123/certctl-{server,agent}:latest silently freeze on whatever tag was current at transfer time. They get no errors; they just stop receiving updates. The next release notes need a one-line callout (Phase 3.1 of cowork/transfer- certctl-to-org.md) telling them to update their image path to ghcr.io/certctl-io/certctl-{server,agent}. - All other URLs (git clone, install one-liner, raw.githubusercontent URLs, browser links, GitHub API) continue to resolve via permanent HTTP redirects. The sweep is cosmetic for those. Files swept (30 total): .github/workflows/release.yml — IMAGE_NAMESPACE, source-uri, cosign cert-identity-regexp, IMAGE= snippet (5 refs total). CHANGELOG.md, README.md — anchor links, badges, install one-liner, cosign verify snippets in operator-facing sections. api/openapi.yaml — info / externalDocs URLs. install-agent.sh — GITHUB_REPO const + systemd unit Documentation= field. deploy/ENVIRONMENTS.md, deploy/helm/{CHART_SUMMARY,INDEX, INSTALLATION,README}.md, deploy/helm/certctl/{Chart.yaml, README.md,values.yaml}, deploy/helm/examples/values-.yaml — chart docs + image repository defaults across dev / prod-ha overrides. docs/{certctl-for-cert-manager-users,connector-iis,connectors, migrate-from-acmesh,migrate-from-certbot,quickstart,test-env, why-certctl}.md — operator-facing doc URLs. examples/{acme-nginx,acme-wildcard-dns01,multi-issuer, private-ca-traefik,step-ca-haproxy}/docker-compose.yml + examples/step-ca-haproxy/step-ca-haproxy.md — example image: paths and accompanying narrative. web/src/pages/OnboardingWizard.tsx — first-run-UI URL refs (curl install one-liners, agent docker image path, doc anchor links). Files intentionally NOT swept (Choice A from cowork/transfer-certctl- to-org.md): go.mod, go.sum — module declaration stays github.com/shankar0123/ certctl. Existing imports compile because Go uses the path declared in go.mod, not the URL it was fetched from. Internal- only project; no external Go consumers; rename will land as a mechanical sed when one materializes. ~250 .go files — every import remains github.com/shankar0123/ certctl/internal/... deploy/test/f5-mock-icontrol/go.mod — separate test sub-module; same Choice A logic; module path stays. Files intentionally NOT swept (other reasons): README.md lines 244-245 — Scarf-pixel docker-pull commands. shankar0123.docker.scarf.sh/... is a Scarf-account hostname (per-user, not per-repo) and the pixel keeps tracking pulls against the operator's personal Scarf account. Migrating to a certctl-io Scarf account is a separate decision (create org Scarf account → re-create package → update README). deploy/test/f5-mock-icontrol/f5-mock-icontrol — checked-in compiled binary with shankar0123/certctl baked into Go build info via the sub-module path. Out of scope for a URL sweep; will refresh on the next `make test-integration` rebuild. Verification: gofmt: clean (no .go files touched). go vet ./...: clean (verified at this SHA in 1.3 of the transfer checklist; no .go changes since). go build ./...: clean (same). go test -short on representative packages: green (same). Diff shape: 30 files, 74 insertions / 74 deletions, net-zero size, pure URL substitution.	2026-05-03 23:39:50 +00:00
shankar0123	b9a63a2521	ci-pipeline-cleanup Phase 6 follow-up: IIS operator playbook + matrix doc Bundle: ci-pipeline-cleanup, Phase 6 follow-up. Phase 5+6 commit removed the deploy-vendor-e2e-windows matrix from ci.yml; this commit closes the Phase 6 deliverables that aren't ci.yml-side: 1. NEW docs/connector-iis.md::Operator validation playbook (Windows host) — the procedure operators run pre-release to flip the IIS / WinCertStore vendor-matrix cells from 'operator-playbook' → '✓'. Mirrors the Bundle II frozen decision 0.14 third-criterion (operator manual smoke required). 2. docs/deployment-vendor-matrix.md — IIS + WinCertStore rows status updated from 'pending' → 'operator-playbook' with link to the new playbook section. 3. deploy/docker-compose.test.yml — windows-iis-test sidecar comment updated to reflect that CI no longer activates this profile; sidecar definition preserved for operator local use via 'docker compose --profile deploy-e2e-windows up -d windows-iis-test'. Operator workflow going forward: - Pre-release: run the playbook on a Windows host - Record validation date + Windows Server version in cowork/<bundle>/iis-validation-receipts.md - Update docs/deployment-vendor-matrix.md cells if applicable	2026-04-30 20:47:49 +00:00
shankar0123	0834bc1ad5	docs: deployment vendor matrix + per-connector deep-dive docs (NGINX + K8s + IIS + Apache + F5) Phase 14 of the deploy-hardening II master bundle. The procurement- team headline doc + per-connector operator guides for the top 5 most-deployed connectors. NEW docs/deployment-vendor-matrix.md (~30 rows): - Per (connector × vendor-version) status: ✓ / CI / mock / pending / n/a - Known issues + workarounds + e2e test name reference - LTS + current-stable scope per frozen decision 0.1 - Quarterly re-pin cadence guidance for sidecar digests - "How to add a new vendor version" recipe Per frozen decision 0.14: a (connector × vendor-version) cell is "verified" only when ALL apply: ≥1 happy-path e2e green; ≥1 specific-quirk test green for that version; operator manual smoke completed at least once. Cells lacking the third criterion show "CI" status (auto-tests green but pending operator validation). Status snapshot at bundle close: - NGINX 1.25 + 1.27: CI - Apache 2.4: CI - HAProxy 2.6 + 2.8 + 3.0: CI - Traefik 2.x + 3.x: CI - Caddy 2.x: CI - Envoy 1.30 + 1.32: CI (file-mode SDS only; gRPC SDS V3-Pro) - Postfix 3.6 + 3.8: CI - Dovecot 2.3: CI - IIS 10 (2019, 2022): pending (Windows-host-only CI) - F5 v15.1 + v17.0 + v17.5: mock (real-F5 vagrant box documented) - SSH OpenSSH 8.x + 9.x: CI - WinCertStore (2019, 2022): pending (Windows-host-only) - JavaKeystore JDK 11 + 17 + 21: pending - K8s 1.28 + 1.30 + 1.31: CI NEW per-connector deep-dive docs: - docs/connector-nginx.md (~150 lines, 10 quirks documented) - docs/connector-k8s.md (~110 lines, 10 quirks) - docs/connector-iis.md (~120 lines, 10 quirks; Windows-host-only CI constraint loud) - docs/connector-apache.md (~80 lines, 10 quirks) - docs/connector-f5.md (~190 lines, 10 quirks; two-tier validation recipe for operator-supplied real-F5 vagrant box) Each doc follows the same structure: - Overview - Vendor versions tested - Per-quirk operator guidance (one section per TestVendorEdge_<vendor>_<edge>_E2E) - Troubleshooting matrix - V3-Pro deferrals - Related docs cross-refs Other connector docs (HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, SSH, WinCertStore, JavaKeystore) live in docs/connectors.md + are referenced from the matrix. Phase 15 next: per-vendor CI matrix job in .github/workflows/ci.yml.	2026-04-30 16:16:48 +00:00

Author

SHA1

Message

Date

shankar0123

0729ee46e0

chore: sweep github.com/shankar0123/certctl URL refs to certctl-io/certctl

Post-transfer cosmetic + release-critical URL refresh after moving the
repo from github.com/shankar0123/certctl to github.com/certctl-io/certctl
(2026-05-03). GitHub HTTP redirects continue to forward old URLs forever,
so existing operators are not broken — but aligns the canonical
references with the new owner so:

- procurement engineers / contributors browsing the docs see the right
  URL on first read
- operators copying the agent install one-liner hit the new path
  directly without going through a redirect
- the Helm chart's default image repository points at the canonical org
  registry path
- the OnboardingWizard rendered to first-run UI users shows the new
  URL in the install snippets and doc anchor links
- the GitHub Actions release workflow pushes container images to
  ghcr.io/certctl-io/certctl-{server,agent} (was: shankar0123)
- the release-notes Markdown body in release.yml — which gets stamped
  into every future release page — references the post-transfer
  cert-identity (cosign keyless signing now uses the certctl-io
  workflow URL) and the post-transfer SLSA provenance source-uri.
  Without this, every cosign verify / slsa-verifier command on a
  v2.1.0+ release would fail because the cert-identity-regexp would
  not match the signing identity GitHub Actions OIDC issues post-
  transfer. Old releases (v2.0.67 and earlier) keep their immutable
  release-notes pointing at the shankar0123 path and remain
  verifiable via their own published instructions.

Customer impact:
- Operators on ghcr.io/shankar0123/certctl-{server,agent}:latest
  silently freeze on whatever tag was current at transfer time. They
  get no errors; they just stop receiving updates. The next release
  notes need a one-line callout (Phase 3.1 of cowork/transfer-
  certctl-to-org.md) telling them to update their image path to
  ghcr.io/certctl-io/certctl-{server,agent}.
- All other URLs (git clone, install one-liner, raw.githubusercontent
  URLs, browser links, GitHub API) continue to resolve via permanent
  HTTP redirects. The sweep is cosmetic for those.

Files swept (30 total):
  .github/workflows/release.yml — IMAGE_NAMESPACE, source-uri,
    cosign cert-identity-regexp, IMAGE= snippet (5 refs total).
  CHANGELOG.md, README.md — anchor links, badges, install one-liner,
    cosign verify snippets in operator-facing sections.
  api/openapi.yaml — info / externalDocs URLs.
  install-agent.sh — GITHUB_REPO const + systemd unit Documentation=
    field.
  deploy/ENVIRONMENTS.md, deploy/helm/{CHART_SUMMARY,INDEX,
    INSTALLATION,README}.md, deploy/helm/certctl/{Chart.yaml,
    README.md,values.yaml}, deploy/helm/examples/values-*.yaml —
    chart docs + image repository defaults across dev / prod-ha
    overrides.
  docs/{certctl-for-cert-manager-users,connector-iis,connectors,
    migrate-from-acmesh,migrate-from-certbot,quickstart,test-env,
    why-certctl}.md — operator-facing doc URLs.
  examples/{acme-nginx,acme-wildcard-dns01,multi-issuer,
    private-ca-traefik,step-ca-haproxy}/docker-compose.yml +
    examples/step-ca-haproxy/step-ca-haproxy.md — example image:
    paths and accompanying narrative.
  web/src/pages/OnboardingWizard.tsx — first-run-UI URL refs (curl
    install one-liners, agent docker image path, doc anchor links).

Files intentionally NOT swept (Choice A from cowork/transfer-certctl-
to-org.md):
  go.mod, go.sum — module declaration stays github.com/shankar0123/
    certctl. Existing imports compile because Go uses the path
    declared in go.mod, not the URL it was fetched from. Internal-
    only project; no external Go consumers; rename will land as a
    mechanical sed when one materializes.
  ~250 *.go files — every import remains github.com/shankar0123/
    certctl/internal/...
  deploy/test/f5-mock-icontrol/go.mod — separate test sub-module;
    same Choice A logic; module path stays.

Files intentionally NOT swept (other reasons):
  README.md lines 244-245 — Scarf-pixel docker-pull commands.
    shankar0123.docker.scarf.sh/... is a Scarf-account hostname
    (per-user, not per-repo) and the pixel keeps tracking pulls
    against the operator's personal Scarf account. Migrating to a
    certctl-io Scarf account is a separate decision (create org
    Scarf account → re-create package → update README).
  deploy/test/f5-mock-icontrol/f5-mock-icontrol — checked-in
    compiled binary with shankar0123/certctl baked into Go build
    info via the sub-module path. Out of scope for a URL sweep;
    will refresh on the next `make test-integration` rebuild.

Verification:
  gofmt: clean (no .go files touched).
  go vet ./...: clean (verified at this SHA in 1.3 of the transfer
    checklist; no .go changes since).
  go build ./...: clean (same).
  go test -short on representative packages: green (same).
  Diff shape: 30 files, 74 insertions / 74 deletions, net-zero size,
    pure URL substitution.

2026-05-03 23:39:50 +00:00

shankar0123

b9a63a2521

ci-pipeline-cleanup Phase 6 follow-up: IIS operator playbook + matrix doc

Bundle: ci-pipeline-cleanup, Phase 6 follow-up.

Phase 5+6 commit removed the deploy-vendor-e2e-windows matrix from
ci.yml; this commit closes the Phase 6 deliverables that aren't
ci.yml-side:

1. NEW docs/connector-iis.md::Operator validation playbook
   (Windows host) — the procedure operators run pre-release to flip
   the IIS / WinCertStore vendor-matrix cells from
   'operator-playbook' → '✓'. Mirrors the Bundle II frozen decision
   0.14 third-criterion (operator manual smoke required).

2. docs/deployment-vendor-matrix.md — IIS + WinCertStore rows status
   updated from 'pending' → 'operator-playbook' with link to the
   new playbook section.

3. deploy/docker-compose.test.yml — windows-iis-test sidecar comment
   updated to reflect that CI no longer activates this profile;
   sidecar definition preserved for operator local use via
   'docker compose --profile deploy-e2e-windows up -d windows-iis-test'.

Operator workflow going forward:
- Pre-release: run the playbook on a Windows host
- Record validation date + Windows Server version in
  cowork/<bundle>/iis-validation-receipts.md
- Update docs/deployment-vendor-matrix.md cells if applicable

2026-04-30 20:47:49 +00:00

shankar0123

0834bc1ad5

docs: deployment vendor matrix + per-connector deep-dive docs (NGINX + K8s + IIS + Apache + F5)

Phase 14 of the deploy-hardening II master bundle. The procurement-
team headline doc + per-connector operator guides for the top 5
most-deployed connectors.

NEW docs/deployment-vendor-matrix.md (~30 rows):
- Per (connector × vendor-version) status: ✓ / CI / mock / pending / n/a
- Known issues + workarounds + e2e test name reference
- LTS + current-stable scope per frozen decision 0.1
- Quarterly re-pin cadence guidance for sidecar digests
- "How to add a new vendor version" recipe

Per frozen decision 0.14: a (connector × vendor-version) cell is
"verified" only when ALL apply: ≥1 happy-path e2e green; ≥1
specific-quirk test green for that version; operator manual smoke
completed at least once. Cells lacking the third criterion show
"CI" status (auto-tests green but pending operator validation).

Status snapshot at bundle close:
- NGINX 1.25 + 1.27: CI
- Apache 2.4: CI
- HAProxy 2.6 + 2.8 + 3.0: CI
- Traefik 2.x + 3.x: CI
- Caddy 2.x: CI
- Envoy 1.30 + 1.32: CI (file-mode SDS only; gRPC SDS V3-Pro)
- Postfix 3.6 + 3.8: CI
- Dovecot 2.3: CI
- IIS 10 (2019, 2022): pending (Windows-host-only CI)
- F5 v15.1 + v17.0 + v17.5: mock (real-F5 vagrant box documented)
- SSH OpenSSH 8.x + 9.x: CI
- WinCertStore (2019, 2022): pending (Windows-host-only)
- JavaKeystore JDK 11 + 17 + 21: pending
- K8s 1.28 + 1.30 + 1.31: CI

NEW per-connector deep-dive docs:
- docs/connector-nginx.md (~150 lines, 10 quirks documented)
- docs/connector-k8s.md (~110 lines, 10 quirks)
- docs/connector-iis.md (~120 lines, 10 quirks; Windows-host-only
  CI constraint loud)
- docs/connector-apache.md (~80 lines, 10 quirks)
- docs/connector-f5.md (~190 lines, 10 quirks; two-tier validation
  recipe for operator-supplied real-F5 vagrant box)

Each doc follows the same structure:
- Overview
- Vendor versions tested
- Per-quirk operator guidance (one section per
  TestVendorEdge_<vendor>_<edge>_E2E)
- Troubleshooting matrix
- V3-Pro deferrals
- Related docs cross-refs

Other connector docs (HAProxy, Traefik, Caddy, Envoy, Postfix,
Dovecot, SSH, WinCertStore, JavaKeystore) live in docs/connectors.md
+ are referenced from the matrix.

Phase 15 next: per-vendor CI matrix job in
.github/workflows/ci.yml.

2026-04-30 16:16:48 +00:00

3 Commits