certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-12 22:18:55 +00:00

Commit Graph

Author	SHA1	Message	Date
claude	bde2d61c40	feat(apache): atomic deploy + post-deploy TLS verify + rollback + ValidateOnly + test-depth uplift to 34 tests Phase 5 of the deploy-hardening I master bundle. Mirrors the Phase 4 NGINX template for Apache httpd. Test count lifts 3 → 34 (above the prompt's >=30 target; matches and slightly exceeds the IIS bar). Apache-specific quirks codified in apache.go: - Validate command convention is `apachectl configtest` (NOT `apachectl -t` — that flag exists but configtest is the documented operator-facing form). - Reload command convention is `apachectl graceful` for zero- downtime worker swap (NOT `apachectl restart` which drops in-flight TLS sessions). - Per-distro user defaults: Debian/Ubuntu apache2, RHEL/CentOS apache, Alpine httpd. pickFirstExistingUser walks the list and picks the one that resolves on the host; falls back to no-chown when none exist (cross-distro portability without operator config; same approach as nginx). - Default key file mode 0600 for back-compat with operators relying on the historical hard-coded value (matches the pre-Phase-5 implementation behavior). DeployCertificate refactor: - Replaces the duplicated os.WriteFile chain with deploy.Apply. - PreCommit runs the operator's ValidateCommand via the test seam (which wraps `sh -c <cmd>` in production). - PostCommit runs ReloadCommand the same way. - Post-deploy TLS verify (frozen-decision-0.3 default ON when Endpoint is configured): probes the configured target, compares leaf cert SHA-256 against deployed bytes, retries with exponential backoff (default 3 attempts / 2s backoff for load-balanced targets). - Rollback wires: reload-fail → restore backups + retry reload; verify-fail → restore backups + reload again. Second-failure surfaces ErrRollbackFailed for operator-actionable triage. ValidateOnly real implementation replaces the Phase 3 stub. Returns ErrValidateOnlyNotSupported when no ValidateCommand configured; otherwise runs the validate-with-the-target command without touching the live cert. Test seams (SetTestRunValidate / SetTestRunReload / SetTestProbe) allow tests to skip exec without `apachectl` on PATH; mirror the nginx pattern. Tests (34 total: 31 in apache_atomic_test.go + 3 pre-existing in apache_test.go): - Atomic invariants (happy, validate-fail-no-files-changed, reload-fail-rollback, rollback-also-fail-escalation) - SHA-256 idempotency (full skip + partial-mismatch full-deploy) - Post-deploy verify (match-success, mismatch-rollback, dial-timeout-rollback, retries-until-match, retries-exhausted-rollback, no-endpoint-skips, disabled-skips) - Ownership / mode preservation (existing-mode, override-wins, default-key-0600, default-cert-0644) - Backup retention (keeps-N, disabled-no-backups, backup-created) - Concurrency (same-paths-serialize) - ValidateOnly (happy, fails, no-command-sentinel, stderr-in-error) - Edge cases (no-chain, no-key, ctx-cancelled, verify-rollback- reload, deployment-id-prefix, metadata-populated) Coverage: Apache 86.6% (above the >=85% prompt bar). Race detector clean. golangci-lint v2.11.4 clean. Smoke test connectorsAtPhase3 list shrunk from 12 to 11 entries (apache removed; nginx + apache now have real impls). Phase 6 next: HAProxy (combined PEM atomic write + `haproxy -c -f` validate + uplift 3 → >=30).	2026-04-30 14:56:23 +00:00
claude	a8189416ab	feat(nginx): atomic deploy + post-deploy TLS verify + rollback + ValidateOnly + ownership preservation Phase 4 of the deploy-hardening I master bundle. The canonical NGINX implementation that Phases 5-9 model on. Replaces the historical os.WriteFile flow at internal/connector/target/nginx/nginx.go:99 with deploy.Apply() and adds three production-grade competitor-gap features: atomic deploy with rollback, post-deploy TLS verify, file ownership preservation. NGINX connector — internal/connector/target/nginx/nginx.go: - DeployCertificate now wires deploy.Apply with PreCommit running the operator's ValidateCommand (e.g. `nginx -t`), PostCommit running ReloadCommand (e.g. `nginx -s reload`), and an explicit post-deploy TLS verify step that dials the configured endpoint, pulls the leaf cert SHA-256, and compares against what was just deployed. SHA-256 mismatch (wrong vhost / cached cert / NGINX still serving stale) triggers automatic rollback: backup files are restored + reload fired again. Failed-second-reload returns ErrRollbackFailed (operator-actionable; loud audit + alert). - ValidateOnly replaces the Phase 3 stub: runs the operator's ValidateCommand without touching the live cert. V2 contract is syntax-only validation (full pre-deploy temp-config validation is V3-Pro). Returns ErrValidateOnlyNotSupported when no ValidateCommand is configured. - New per-target Config fields: PostDeployVerify (frozen-decision- 0.3 default ON), PostDeployVerifyAttempts (default 3 — defends against load-balanced targets where the verify might hit a different pod that hasn't picked up the new cert yet), PostDeployVerifyBackoff (default 2s exponential), per-file Mode/Owner/Group overrides (KeyFileMode, CertFileMode, KeyFileOwner, etc.), and BackupRetention (default 3, -1 to disable backups entirely — documented foot-gun). - buildPlan honors per-distro nginx user (Debian: www-data, Alpine: nginx, Red Hat: nginx) by checking the local user database; falls back to no-chown when neither exists. Means the connector is portable across distros without operator config. Deploy package — internal/deploy/ownership.go: - applyOwnership now silently swallows chown failures when the agent isn't running as root. Production agents always run as root and chown failures are real bugs; dev / CI runs as a regular user where chown to a different uid will always fail with EPERM (or EINVAL on some tmpfs configs) and would otherwise force every test to run with sudo. Production-grade contract preserved (uid 0 still hard-fails on chown errors). Test suite — internal/connector/target/nginx/nginx_atomic_test.go ships 42 new named tests (NGINX total: 17 pre-existing + 42 new = 59, above the prompt's >=40 bar; matches the IIS depth bar of 41): - Atomic-deploy invariants (cert+chain+key all-or-nothing, validate-fails-no-files-changed, reload-fails-rollback, rollback-also-fails-escalation) - SHA-256 idempotency (full match skips, partial match deploys all) - Post-deploy TLS verify (fingerprint-match-success, SHA256-mismatch-rollback, dial-timeout-rollback, retries-until- match, retries-exhausted-rollback, no-endpoint-skips, disabled-skips-entirely, default-10s-timeout, endpoint-forwarded) - Ownership / mode preservation (existing-mode-preserved, override- wins, KeyFileMode override applied) - Backup retention (keeps-last-N, disabled-creates-no-backups, fresh-deploy-creates-backup) - Concurrency (same-paths-serialize via deploy package's file mutex, different-paths-parallelize) - ValidateOnly (happy-path-nil, command-fails-wrapped-error, no-config-returns-sentinel, ctx-cancelled, stderr-in-message) - Edge cases (no-chain, no-key, no-chain-path, empty-cert-PEM, ctx-cancelled, all-four-one-apply) - Result.Metadata + DeploymentID shape contracts Coverage: NGINX 91.0% (above the >=85% prompt bar). Race detector clean. golangci-lint v2.11.4 clean. Existing 17 tests still all pass (no behavior change in the legacy paths exercised there). Phase 5 next: mirror this implementation for Apache + lift its test count from 3 to >=30. Same template applies through Phases 6-9 for the remaining 11 connectors.	2026-04-30 14:50:56 +00:00
claude	720e773766	feat(target): ValidateOnly dry-run method on Connector interface (default returns ErrValidateOnlyNotSupported) Phase 3 of the deploy-hardening I master bundle. Extends the target.Connector interface with the dry-run method that operators will use to preview a deploy before committing — but ships only the default-stub for all 13 connectors. Phases 4-9 replace each stub with the real validate-with-the-target implementation. interface.go: - Add ErrValidateOnlyNotSupported sentinel (frozen decision 0.6 — connectors that cannot dry-run, like K8s, return this rather than nil so operator triage can errors.Is for "not supported" vs "validated successfully"). - Add ValidateOnly(ctx, request DeploymentRequest) error to Connector interface. 13 new validate_only.go files (one per connector at internal/connector/target/<name>/validate_only.go): - apache, caddy, envoy, f5, haproxy, iis, javakeystore, k8ssecret, nginx, postfix, ssh, traefik, wincertstore. - Each file is identical except for the package declaration: a one-method default stub returning target.ErrValidateOnlyNotSupported. - Per-connector files (rather than a single embed-method approach) let Phases 4-9 replace each connector's stub independently without churning a shared base. Tests: - internal/connector/target/validate_only_test.go pins the sentinel contract (errors.Is identity, Error() string, %w wrap propagation). - internal/connector/target/validate_only_smoke_test.go (external test package) constructs a zero-value &<pkg>.Connector{} for each of the 13 connectors and asserts ValidateOnly returns ErrValidateOnlyNotSupported. The test's connectorsAtPhase3 list is the load-bearing CI guard: - A 14th connector added without wiring ValidateOnly fails the `len(connectorsAtPhase3) != 13` invariant. - A connector whose real ValidateOnly lands (Phase 4 NGINX, Phase 5 Apache, etc.) MUST be removed from this list or the smoke test fails (real impl no longer returns the sentinel). That removal IS the bookkeeping that the operator-visible bit + behavior change are wired together end-to-end. Compile + go vet + golangci-lint v2.11.4 + go test all 0 issues. Phase 4 next: NGINX canonical real-impl — replace the stub with nginx -t -c <temp>; same time replace the existing os.WriteFile flow in DeployCertificate with deploy.Apply(...).	2026-04-30 14:40:51 +00:00

Author

SHA1

Message

Date

claude

bde2d61c40

feat(apache): atomic deploy + post-deploy TLS verify + rollback + ValidateOnly + test-depth uplift to 34 tests

Phase 5 of the deploy-hardening I master bundle. Mirrors the Phase 4
NGINX template for Apache httpd. Test count lifts 3 → 34 (above the
prompt's >=30 target; matches and slightly exceeds the IIS bar).

Apache-specific quirks codified in apache.go:

- Validate command convention is `apachectl configtest` (NOT
  `apachectl -t` — that flag exists but configtest is the documented
  operator-facing form).
- Reload command convention is `apachectl graceful` for zero-
  downtime worker swap (NOT `apachectl restart` which drops
  in-flight TLS sessions).
- Per-distro user defaults: Debian/Ubuntu apache2, RHEL/CentOS
  apache, Alpine httpd. pickFirstExistingUser walks the list and
  picks the one that resolves on the host; falls back to no-chown
  when none exist (cross-distro portability without operator
  config; same approach as nginx).
- Default key file mode 0600 for back-compat with operators
  relying on the historical hard-coded value (matches the
  pre-Phase-5 implementation behavior).

DeployCertificate refactor:
- Replaces the duplicated os.WriteFile chain with deploy.Apply.
- PreCommit runs the operator's ValidateCommand via the test
  seam (which wraps `sh -c <cmd>` in production).
- PostCommit runs ReloadCommand the same way.
- Post-deploy TLS verify (frozen-decision-0.3 default ON when
  Endpoint is configured): probes the configured target,
  compares leaf cert SHA-256 against deployed bytes, retries with
  exponential backoff (default 3 attempts / 2s backoff for
  load-balanced targets).
- Rollback wires: reload-fail → restore backups + retry reload;
  verify-fail → restore backups + reload again. Second-failure
  surfaces ErrRollbackFailed for operator-actionable triage.

ValidateOnly real implementation replaces the Phase 3 stub.
Returns ErrValidateOnlyNotSupported when no ValidateCommand
configured; otherwise runs the validate-with-the-target command
without touching the live cert.

Test seams (SetTestRunValidate / SetTestRunReload / SetTestProbe)
allow tests to skip exec without `apachectl` on PATH; mirror the
nginx pattern.

Tests (34 total: 31 in apache_atomic_test.go + 3 pre-existing
in apache_test.go):

- Atomic invariants (happy, validate-fail-no-files-changed,
  reload-fail-rollback, rollback-also-fail-escalation)
- SHA-256 idempotency (full skip + partial-mismatch full-deploy)
- Post-deploy verify (match-success, mismatch-rollback,
  dial-timeout-rollback, retries-until-match,
  retries-exhausted-rollback, no-endpoint-skips, disabled-skips)
- Ownership / mode preservation (existing-mode, override-wins,
  default-key-0600, default-cert-0644)
- Backup retention (keeps-N, disabled-no-backups, backup-created)
- Concurrency (same-paths-serialize)
- ValidateOnly (happy, fails, no-command-sentinel, stderr-in-error)
- Edge cases (no-chain, no-key, ctx-cancelled, verify-rollback-
  reload, deployment-id-prefix, metadata-populated)

Coverage: Apache 86.6% (above the >=85% prompt bar). Race detector
clean. golangci-lint v2.11.4 clean.

Smoke test connectorsAtPhase3 list shrunk from 12 to 11
entries (apache removed; nginx + apache now have real impls).

Phase 6 next: HAProxy (combined PEM atomic write + `haproxy -c -f`
validate + uplift 3 → >=30).

2026-04-30 14:56:23 +00:00

claude

a8189416ab

feat(nginx): atomic deploy + post-deploy TLS verify + rollback + ValidateOnly + ownership preservation

Phase 4 of the deploy-hardening I master bundle. The canonical NGINX
implementation that Phases 5-9 model on. Replaces the historical
os.WriteFile flow at internal/connector/target/nginx/nginx.go:99
with deploy.Apply() and adds three production-grade competitor-gap
features: atomic deploy with rollback, post-deploy TLS verify, file
ownership preservation.

NGINX connector — internal/connector/target/nginx/nginx.go:

- DeployCertificate now wires deploy.Apply with PreCommit running
  the operator's ValidateCommand (e.g. `nginx -t`), PostCommit
  running ReloadCommand (e.g. `nginx -s reload`), and an explicit
  post-deploy TLS verify step that dials the configured endpoint,
  pulls the leaf cert SHA-256, and compares against what was just
  deployed. SHA-256 mismatch (wrong vhost / cached cert / NGINX
  still serving stale) triggers automatic rollback: backup files
  are restored + reload fired again. Failed-second-reload returns
  ErrRollbackFailed (operator-actionable; loud audit + alert).

- ValidateOnly replaces the Phase 3 stub: runs the operator's
  ValidateCommand without touching the live cert. V2 contract is
  syntax-only validation (full pre-deploy temp-config validation
  is V3-Pro). Returns ErrValidateOnlyNotSupported when no
  ValidateCommand is configured.

- New per-target Config fields: PostDeployVerify (frozen-decision-
  0.3 default ON), PostDeployVerifyAttempts (default 3 — defends
  against load-balanced targets where the verify might hit a
  different pod that hasn't picked up the new cert yet),
  PostDeployVerifyBackoff (default 2s exponential), per-file
  Mode/Owner/Group overrides (KeyFileMode, CertFileMode,
  KeyFileOwner, etc.), and BackupRetention (default 3, -1 to
  disable backups entirely — documented foot-gun).

- buildPlan honors per-distro nginx user (Debian: www-data,
  Alpine: nginx, Red Hat: nginx) by checking the local user
  database; falls back to no-chown when neither exists. Means
  the connector is portable across distros without operator
  config.

Deploy package — internal/deploy/ownership.go:

- applyOwnership now silently swallows chown failures when the
  agent isn't running as root. Production agents always run as
  root and chown failures are real bugs; dev / CI runs as a
  regular user where chown to a different uid will always fail
  with EPERM (or EINVAL on some tmpfs configs) and would
  otherwise force every test to run with sudo. Production-grade
  contract preserved (uid 0 still hard-fails on chown errors).

Test suite — internal/connector/target/nginx/nginx_atomic_test.go
ships 42 new named tests (NGINX total: 17 pre-existing + 42 new = 59,
above the prompt's >=40 bar; matches the IIS depth bar of 41):

- Atomic-deploy invariants (cert+chain+key all-or-nothing,
  validate-fails-no-files-changed, reload-fails-rollback,
  rollback-also-fails-escalation)
- SHA-256 idempotency (full match skips, partial match deploys all)
- Post-deploy TLS verify (fingerprint-match-success,
  SHA256-mismatch-rollback, dial-timeout-rollback, retries-until-
  match, retries-exhausted-rollback, no-endpoint-skips,
  disabled-skips-entirely, default-10s-timeout, endpoint-forwarded)
- Ownership / mode preservation (existing-mode-preserved, override-
  wins, KeyFileMode override applied)
- Backup retention (keeps-last-N, disabled-creates-no-backups,
  fresh-deploy-creates-backup)
- Concurrency (same-paths-serialize via deploy package's file mutex,
  different-paths-parallelize)
- ValidateOnly (happy-path-nil, command-fails-wrapped-error,
  no-config-returns-sentinel, ctx-cancelled, stderr-in-message)
- Edge cases (no-chain, no-key, no-chain-path, empty-cert-PEM,
  ctx-cancelled, all-four-one-apply)
- Result.Metadata + DeploymentID shape contracts

Coverage: NGINX 91.0% (above the >=85% prompt bar). Race detector
clean. golangci-lint v2.11.4 clean. Existing 17 tests still all pass
(no behavior change in the legacy paths exercised there).

Phase 5 next: mirror this implementation for Apache + lift its
test count from 3 to >=30. Same template applies through Phases
6-9 for the remaining 11 connectors.

2026-04-30 14:50:56 +00:00

claude

720e773766

feat(target): ValidateOnly dry-run method on Connector interface (default returns ErrValidateOnlyNotSupported)

Phase 3 of the deploy-hardening I master bundle. Extends the
target.Connector interface with the dry-run method that operators
will use to preview a deploy before committing — but ships only the
default-stub for all 13 connectors. Phases 4-9 replace each stub
with the real validate-with-the-target implementation.

interface.go:
- Add ErrValidateOnlyNotSupported sentinel (frozen decision 0.6 —
  connectors that cannot dry-run, like K8s, return this rather than
  nil so operator triage can errors.Is for "not supported" vs
  "validated successfully").
- Add ValidateOnly(ctx, request DeploymentRequest) error to
  Connector interface.

13 new validate_only.go files (one per connector at
internal/connector/target/<name>/validate_only.go):
- apache, caddy, envoy, f5, haproxy, iis, javakeystore, k8ssecret,
  nginx, postfix, ssh, traefik, wincertstore.
- Each file is identical except for the package declaration: a
  one-method default stub returning target.ErrValidateOnlyNotSupported.
- Per-connector files (rather than a single embed-method approach)
  let Phases 4-9 replace each connector's stub independently
  without churning a shared base.

Tests:
- internal/connector/target/validate_only_test.go pins the sentinel
  contract (errors.Is identity, Error() string, %w wrap propagation).
- internal/connector/target/validate_only_smoke_test.go (external
  test package) constructs a zero-value &<pkg>.Connector{} for each
  of the 13 connectors and asserts ValidateOnly returns
  ErrValidateOnlyNotSupported. The test's
  connectorsAtPhase3 list is the load-bearing CI guard:
  - A 14th connector added without wiring ValidateOnly fails the
    `len(connectorsAtPhase3) != 13` invariant.
  - A connector whose real ValidateOnly lands (Phase 4 NGINX, Phase
    5 Apache, etc.) MUST be removed from this list or the smoke test
    fails (real impl no longer returns the sentinel). That removal
    IS the bookkeeping that the operator-visible bit + behavior
    change are wired together end-to-end.

Compile + go vet + golangci-lint v2.11.4 + go test all 0 issues.

Phase 4 next: NGINX canonical real-impl — replace the stub with
nginx -t -c <temp>; same time replace the existing os.WriteFile
flow in DeployCertificate with deploy.Apply(...).

2026-04-30 14:40:51 +00:00

3 Commits