certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:41:30 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	3e91c7a1f0	chore(security): bump Go toolchain 1.25.9 -> 1.25.10 + golang.org/x/net 0.49 -> 0.53 CI run #484's Go Build & Test job failed govulncheck (M-024 hard gate). Six standard-library CVEs land in go1.25.9 + one golang.org/x/net CVE in v0.49.0; all are fixed in go1.25.10 + x/net v0.53.0 respectively. The advisories that fired were: GO-2026-4986 Quadratic string concat in net/mail.consumeComment — called via internal/api/handler/validation.go's ValidateCommonName -> mail.ParseAddress GO-2026-4977 Quadratic string concat in net/mail.consumePhrase — same call site GO-2026-4982 Bypass of meta-content URL escaping in html/template — called via internal/service/digest.go's RenderDigestHTML -> Template.Execute GO-2026-4980 Escaper bypass in html/template — same call site GO-2026-4971 Panic in net.Dial / LookupPort on Windows NUL bytes — many call sites (email notifier, SSH connector, ACME validators, validation.ValidateSafeURL, ...) GO-2026-4918 Infinite loop in net/http2 transport on bad SETTINGS_MAX_FRAME_SIZE — called via internal/connector/target/f5.go's F5Client.Authenticate -> http.Client.Do Bumps applied: * `go.mod`: `go 1.25.9` -> `go 1.25.10`; `golang.org/x/net v0.49.0` -> `v0.53.0` (kept indirect — the upgrade is force-pulled by the module-version directive; transitive deps will pick the higher). * `.github/workflows/{ci,codeql,release}.yml`: setup-go pin and the release.yml `GO_VERSION` env var bumped to 1.25.10. The security-deep-scan.yml workflow uses the major-minor `1.25` pin which auto-resolves to the latest 1.25.x and is unaffected. * `Dockerfile` + `Dockerfile.agent`: `golang:1.25-alpine@sha256:5caa...` re-pinned to `golang:1.25.10-alpine@sha256:8d22e29d960bc50cd0...` (digest looked up against `registry-1.docker.io/v2/library/golang/ manifests/1.25.10-alpine`; verified by the digest-validity ci-guard). The explicit `1.25.10-alpine` tag form replaces the moving `1.25-alpine` pin so the image-spec is reproducible end-to-end even without the digest reference. * `deploy/test/f5-mock-icontrol/Dockerfile`: `golang:1.25.9-bookworm @sha256:1a14...` re-pinned to `golang:1.25.10-bookworm@sha256: e3a54b77385b4f8a31c1...` (looked up the same way). * `deploy/test/f5-mock-icontrol/go.mod`: `go 1.25.9` -> `go 1.25.10`. * `internal/api/handler/version.go` + `api/openapi.yaml`: the `runtime.Version()`-shape comment + OpenAPI `example: go1.25.9` bumped to keep doc/example freshness. * `docs/contributor/ci-pipeline.md` + `docs/reference/connectors/ iis.md`: doc-only `Go 1.25.9` -> `Go 1.25.10` references. Verification done in-tree: * All `scripts/ci-guards/.sh` pass locally including `digest-validity.sh` (the new digests resolve cleanly against Docker Hub). `S-1-hardcoded-source-counts.sh` clean (the false-positive on "Bundle 1 migrations" was fixed in the prior commit). Operator step required post-push (sandbox has no Go toolchain): cd certctl && go mod tidy This regenerates go.sum's `golang.org/x/net v0.49.0` h1: lines into v0.53.0 ones. CI's `go mod tidy && git diff --exit-code go.mod go.sum` step will catch the drift if missed; in that case run the command, commit, and push the go.sum-only delta.	2026-05-09 21:35:46 -04:00
shankar0123	c48a82c4c8	fix(ci): real digests + matrix→service mapping for deploy-vendor-e2e Bundle II Phases 1+15 shipped fabricated @sha256 digests across 11 sidecars (deploy/docker-compose.test.yml) plus the f5-mock-icontrol Dockerfile golang FROM line. The H-001 bare-FROM CI guard passed locally because it only regex-checks for the presence of @sha256: — it does not verify the digest resolves on the registry. Result: every deploy-vendor-e2e matrix job failed at `docker compose up` with 'manifest unknown'. Two classes of fix: 1. Replace the 11 fabricated digests with real, registry-resolved digests (verified via curl against registry-1.docker.io, ghcr.io, mcr.microsoft.com manifest endpoints): - httpd:2.4-alpine - haproxy:3.0-alpine - traefik:v3.1 - caddy:2.8-alpine - envoyproxy/envoy:v1.32-latest - boky/postfix:latest - dovecot/dovecot:latest - lscr.io/linuxserver/openssh-server:latest (via ghcr.io) - kindest/node:v1.31.0 - mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022 (manifest.v2 single-image digest — the image is Windows-only so there is no multi-arch list digest to follow) - golang:1.25.9-bookworm (in deploy/test/f5-mock-icontrol/Dockerfile) debian:bookworm-slim was also fabricated under the comment claiming it 'matches libest sidecar'; replaced with the real amd64-linux digest. 2. Special-case the matrix.vendor → docker-compose service mapping in .github/workflows/ci.yml::deploy-vendor-e2e step 'Bring up vendor sidecar'. The original step assumed a uniform '${{ matrix.vendor }}-test' suffix, but four matrix entries don't conform: - nginx → reuses apache-test (the legacy nginx sidecar in the compose file is named 'nginx' with no profile; the nginx vendor-edge tests in deploy/test/nginx_vendor_e2e_test.go call requireSidecar(t,"apache") because the sidecar map doesn't include an 'nginx' key — comment in source explains) - ssh → openssh-test - k8s → k8s-kind-test - f5-mock → f5-mock-icontrol (must be built first; no published image) - javakeystore → no sidecar (pure-Go placeholder stubs) Wraps the bring-up in a case statement that maps every matrix entry to its real sidecar name (or '' for the no-sidecar case), and exits 0 cleanly for vendors that don't need a sidecar. Per the CLAUDE.md 'never go from memory' + 'complete path' rules, this fix: - ground-truths every digest against the actual registry (curl against the OCI v2 manifest endpoint with the right Accept header), not memory or grep - closes the 'lying field' footgun: H-001 guard now validates a contract that's actually satisfied (digests exist + pull) Verification: yaml parses on both files, H-001 guard simulation returns no bare FROMs, all 12 manifest endpoints return HTTP 200 on the new digests.	2026-04-30 18:48:13 +00:00
shankar0123	889c1a5a9e	feat(test): docker-compose deploy-e2e sidecar matrix — apache + haproxy + traefik + caddy + envoy + postfix + dovecot + openssh + f5-mock-icontrol + k8s-kind + windows-iis Phase 1 of the deploy-hardening II master bundle. Adds the 11 missing target sidecars to deploy/docker-compose.test.yml under profiles: [deploy-e2e] (windows-iis-test under [deploy-e2e-windows] because Windows containers run only on Windows hosts). Per frozen decision 0.2: pull pre-built images from official registries where they exist (NGINX, HAProxy, Traefik, Caddy, Envoy, Postfix via boky, Dovecot, OpenSSH via lscr.io, K8s via kind); build locally only where no official image works (F5 — uses the new in-tree f5-mock-icontrol Go server). Every FROM digest-pinned per H-001 guard. NEW deploy/test/f5-mock-icontrol/ — in-tree Go server implementing the iControl REST surface the F5 connector exercises: - POST /mgmt/shared/authn/login (token-based auth) - POST /mgmt/shared/file-transfer/uploads/<filename> - POST /mgmt/tm/sys/crypto/cert + /key (install) - POST /mgmt/tm/transaction (create) + /<txn-id> (commit) - PATCH /mgmt/tm/ltm/profile/client-ssl/<name> (update SSL profile) - GET / DELETE variants - /healthz for sidecar readiness probes - HTTPS via per-process self-signed ECDSA P-256 cert - In-memory state map (lost on container restart; CI tests handle via test-init re-auth) Per frozen decision 0.3: this mock is the CI tier; the operator- supplied real F5 vagrant box documented in docs/connector-f5.md (Phase 14 deliverable) is the validation tier above. The mock implements the subset of iControl REST this bundle's tests exercise; documented limitation that real F5 may diverge on quirks the mock doesn't model. NEW per-vendor config bind-mounts (deploy/test/<vendor>/): - apache/httpd-ssl.conf + init-cert.sh - haproxy/haproxy.cfg - traefik/traefik-dynamic.yml - caddy/Caddyfile - envoy/envoy.yaml - dovecot/dovecot.conf Each minimal config: bind /etc/<vendor>/certs to a named volume so the e2e tests rotate certs via the per-connector atomic-deploy primitive (Bundle I Phase 4-9). Network IPs: 10.30.50.{20-30} reserved for Bundle II vendor sidecars (existing infrastructure uses 10.30.50.{2-9}). f5-mock-icontrol Go binary: gofmt clean, go vet clean, go build clean. Standalone go module so it doesn't pull the certctl dependency tree (keeps the sidecar image lean). Phase 2 next: NGINX vendor-edge audit + 10 e2e tests.	2026-04-30 16:05:44 +00:00

Author

SHA1

Message

Date

shankar0123

3e91c7a1f0

chore(security): bump Go toolchain 1.25.9 -> 1.25.10 + golang.org/x/net 0.49 -> 0.53

CI run #484's Go Build & Test job failed govulncheck (M-024 hard
gate). Six standard-library CVEs land in go1.25.9 + one
golang.org/x/net CVE in v0.49.0; all are fixed in go1.25.10 + x/net
v0.53.0 respectively. The advisories that fired were:

  GO-2026-4986  Quadratic string concat in net/mail.consumeComment
                — called via internal/api/handler/validation.go's
                ValidateCommonName -> mail.ParseAddress
  GO-2026-4977  Quadratic string concat in net/mail.consumePhrase
                — same call site
  GO-2026-4982  Bypass of meta-content URL escaping in html/template
                — called via internal/service/digest.go's
                RenderDigestHTML -> Template.Execute
  GO-2026-4980  Escaper bypass in html/template
                — same call site
  GO-2026-4971  Panic in net.Dial / LookupPort on Windows NUL bytes
                — many call sites (email notifier, SSH connector,
                ACME validators, validation.ValidateSafeURL, ...)
  GO-2026-4918  Infinite loop in net/http2 transport on bad
                SETTINGS_MAX_FRAME_SIZE
                — called via internal/connector/target/f5.go's
                F5Client.Authenticate -> http.Client.Do

Bumps applied:

* `go.mod`: `go 1.25.9` -> `go 1.25.10`; `golang.org/x/net v0.49.0`
  -> `v0.53.0` (kept indirect — the upgrade is force-pulled by the
  module-version directive; transitive deps will pick the higher).
* `.github/workflows/{ci,codeql,release}.yml`: setup-go pin and the
  release.yml `GO_VERSION` env var bumped to 1.25.10. The
  security-deep-scan.yml workflow uses the major-minor `1.25` pin
  which auto-resolves to the latest 1.25.x and is unaffected.
* `Dockerfile` + `Dockerfile.agent`: `golang:1.25-alpine@sha256:5caa...`
  re-pinned to `golang:1.25.10-alpine@sha256:8d22e29d960bc50cd0...`
  (digest looked up against `registry-1.docker.io/v2/library/golang/
  manifests/1.25.10-alpine`; verified by the digest-validity ci-guard).
  The explicit `1.25.10-alpine` tag form replaces the moving
  `1.25-alpine` pin so the image-spec is reproducible end-to-end
  even without the digest reference.
* `deploy/test/f5-mock-icontrol/Dockerfile`: `golang:1.25.9-bookworm
  @sha256:1a14...` re-pinned to `golang:1.25.10-bookworm@sha256:
  e3a54b77385b4f8a31c1...` (looked up the same way).
* `deploy/test/f5-mock-icontrol/go.mod`: `go 1.25.9` -> `go 1.25.10`.
* `internal/api/handler/version.go` + `api/openapi.yaml`: the
  `runtime.Version()`-shape comment + OpenAPI `example: go1.25.9`
  bumped to keep doc/example freshness.
* `docs/contributor/ci-pipeline.md` + `docs/reference/connectors/
  iis.md`: doc-only `Go 1.25.9` -> `Go 1.25.10` references.

Verification done in-tree:

* All `scripts/ci-guards/*.sh` pass locally including
  `digest-validity.sh` (the new digests resolve cleanly against
  Docker Hub).
* `S-1-hardcoded-source-counts.sh` clean (the false-positive on
  "Bundle 1 migrations" was fixed in the prior commit).

Operator step required post-push (sandbox has no Go toolchain):

  cd certctl && go mod tidy

This regenerates go.sum's `golang.org/x/net v0.49.0` h1: lines into
v0.53.0 ones. CI's `go mod tidy && git diff --exit-code go.mod
go.sum` step will catch the drift if missed; in that case run the
command, commit, and push the go.sum-only delta.

2026-05-09 21:35:46 -04:00

shankar0123

c48a82c4c8

fix(ci): real digests + matrix→service mapping for deploy-vendor-e2e

Bundle II Phases 1+15 shipped fabricated @sha256 digests across 11
sidecars (deploy/docker-compose.test.yml) plus the f5-mock-icontrol
Dockerfile golang FROM line. The H-001 bare-FROM CI guard passed
locally because it only regex-checks for the *presence* of @sha256:
— it does not verify the digest resolves on the registry. Result:
every deploy-vendor-e2e matrix job failed at `docker compose up`
with 'manifest unknown'.

Two classes of fix:

1. Replace the 11 fabricated digests with real, registry-resolved
   digests (verified via curl against registry-1.docker.io,
   ghcr.io, mcr.microsoft.com manifest endpoints):

   - httpd:2.4-alpine
   - haproxy:3.0-alpine
   - traefik:v3.1
   - caddy:2.8-alpine
   - envoyproxy/envoy:v1.32-latest
   - boky/postfix:latest
   - dovecot/dovecot:latest
   - lscr.io/linuxserver/openssh-server:latest (via ghcr.io)
   - kindest/node:v1.31.0
   - mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022
     (manifest.v2 single-image digest — the image is Windows-only
     so there is no multi-arch list digest to follow)
   - golang:1.25.9-bookworm (in deploy/test/f5-mock-icontrol/Dockerfile)

   debian:bookworm-slim was also fabricated under the comment
   claiming it 'matches libest sidecar'; replaced with the real
   amd64-linux digest.

2. Special-case the matrix.vendor → docker-compose service mapping
   in .github/workflows/ci.yml::deploy-vendor-e2e step 'Bring up
   vendor sidecar'. The original step assumed a uniform
   '${{ matrix.vendor }}-test' suffix, but four matrix entries
   don't conform:

   - nginx → reuses apache-test (the legacy nginx sidecar in the
     compose file is named 'nginx' with no profile; the nginx
     vendor-edge tests in deploy/test/nginx_vendor_e2e_test.go
     call requireSidecar(t,"apache") because the sidecar map
     doesn't include an 'nginx' key — comment in source explains)
   - ssh → openssh-test
   - k8s → k8s-kind-test
   - f5-mock → f5-mock-icontrol (must be built first; no published image)
   - javakeystore → no sidecar (pure-Go placeholder stubs)

   Wraps the bring-up in a case statement that maps every matrix
   entry to its real sidecar name (or '' for the no-sidecar case),
   and exits 0 cleanly for vendors that don't need a sidecar.

Per the CLAUDE.md 'never go from memory' + 'complete path' rules,
this fix:
- ground-truths every digest against the actual registry (curl
  against the OCI v2 manifest endpoint with the right Accept
  header), not memory or grep
- closes the 'lying field' footgun: H-001 guard now validates a
  contract that's actually satisfied (digests exist + pull)

Verification: yaml parses on both files, H-001 guard simulation
returns no bare FROMs, all 12 manifest endpoints return HTTP 200
on the new digests.

2026-04-30 18:48:13 +00:00

shankar0123

889c1a5a9e

feat(test): docker-compose deploy-e2e sidecar matrix — apache + haproxy + traefik + caddy + envoy + postfix + dovecot + openssh + f5-mock-icontrol + k8s-kind + windows-iis

Phase 1 of the deploy-hardening II master bundle. Adds the 11 missing
target sidecars to deploy/docker-compose.test.yml under
profiles: [deploy-e2e] (windows-iis-test under [deploy-e2e-windows]
because Windows containers run only on Windows hosts).

Per frozen decision 0.2: pull pre-built images from official
registries where they exist (NGINX, HAProxy, Traefik, Caddy, Envoy,
Postfix via boky, Dovecot, OpenSSH via lscr.io, K8s via kind);
build locally only where no official image works (F5 — uses the
new in-tree f5-mock-icontrol Go server). Every FROM digest-pinned
per H-001 guard.

NEW deploy/test/f5-mock-icontrol/ — in-tree Go server implementing
the iControl REST surface the F5 connector exercises:
  - POST /mgmt/shared/authn/login (token-based auth)
  - POST /mgmt/shared/file-transfer/uploads/<filename>
  - POST /mgmt/tm/sys/crypto/cert + /key (install)
  - POST /mgmt/tm/transaction (create) + /<txn-id> (commit)
  - PATCH /mgmt/tm/ltm/profile/client-ssl/<name> (update SSL profile)
  - GET / DELETE variants
  - /healthz for sidecar readiness probes
  - HTTPS via per-process self-signed ECDSA P-256 cert
  - In-memory state map (lost on container restart; CI tests handle
    via test-init re-auth)

Per frozen decision 0.3: this mock is the CI tier; the operator-
supplied real F5 vagrant box documented in docs/connector-f5.md
(Phase 14 deliverable) is the validation tier above. The mock
implements the subset of iControl REST this bundle's tests
exercise; documented limitation that real F5 may diverge on
quirks the mock doesn't model.

NEW per-vendor config bind-mounts (deploy/test/<vendor>/):
  - apache/httpd-ssl.conf + init-cert.sh
  - haproxy/haproxy.cfg
  - traefik/traefik-dynamic.yml
  - caddy/Caddyfile
  - envoy/envoy.yaml
  - dovecot/dovecot.conf

Each minimal config: bind /etc/<vendor>/certs to a named volume
so the e2e tests rotate certs via the per-connector atomic-deploy
primitive (Bundle I Phase 4-9).

Network IPs: 10.30.50.{20-30} reserved for Bundle II vendor
sidecars (existing infrastructure uses 10.30.50.{2-9}).

f5-mock-icontrol Go binary: gofmt clean, go vet clean, go build
clean. Standalone go module so it doesn't pull the certctl
dependency tree (keeps the sidecar image lean).

Phase 2 next: NGINX vendor-edge audit + 10 e2e tests.

2026-04-30 16:05:44 +00:00

3 Commits