Closes Top-10 fix#5 of the 2026-05-03 issuer-coverage audit (see
cowork/issuer-coverage-audit-2026-05-03/RESULTS.md). Pre-fix, the
VaultPKI adapter authenticated with a static token and never called
renew-self. Long-lived deploys hit token expiry; the first
operator-visible signal was failed cert renewals on production
targets.
This commit:
1. Connector.Start(ctx) spawns a goroutine that calls
POST /v1/auth/token/renew-self at TTL/2 cadence (computed from a
one-shot lookup-self at startup). Honours ctx.Done() for
graceful shutdown via a per-loop done channel + Stop().
2. On `renewable: false` response (initial lookup OR any subsequent
renewal), the loop emits a WARN, increments the not_renewable
counter, and exits. The operator must rotate the token before
Vault's Max TTL elapses.
3. New Prometheus counter certctl_vault_token_renewals_total with
labels result={success,failure,not_renewable}. Registered
alongside existing certctl_issuance_* counters in
internal/api/handler/metrics.go.
4. ERROR-level logging on renewal failure with operator-actionable
substring ("vault token renewal failed; rotate the token before
TTL expires") so journalctl + grep find it. Loop keeps ticking
after a failure — transient blips don't kill it.
New optional issuer.Lifecycle interface:
type Lifecycle interface {
Start(ctx context.Context) error
Stop()
}
Connectors that hold no background goroutines (almost all of them)
do not implement this — IssuerRegistry.StartLifecycles /
StopLifecycles feature-detect via type assertion. New
lifecycle-bearing connectors plug in by implementing the interface;
no further registry plumbing required.
Wiring (cmd/server/main.go):
- service.NewVaultRenewalMetrics() instance is shared between
issuerRegistry.SetVaultRenewalMetrics (so Vault connectors built
by Rebuild get a recorder) and metricsHandler.SetVaultRenewals
(so the Prometheus exposer emits the new series).
- issuerRegistry.StartLifecycles(ctx) is called after
issuerService.BuildRegistry; defer issuerRegistry.StopLifecycles
is paired so goroutines exit cleanly on signal.
- IssuerConnectorAdapter.Underlying() exposes the wrapped
issuer.Connector so registry-level machinery can reach the
concrete connector behind the adapter without duplicating the
wiring at every call site.
Tests (internal/connector/issuer/vault/vault_renew_test.go):
- TestVault_RenewLoop_TickAtHalfTTL — three ticks → three
renewals, all "success".
- TestVault_RenewLoop_StopsOnNotRenewable — second renewal returns
renewable=false, loop exits, third tick fires no HTTP call.
- TestVault_RenewLoop_FailureSurfacesViaMetric — first renewal 403
bumps "failure", second renewal succeeds → loop kept ticking.
- TestVault_RenewLoop_CtxCancellation_StopsCleanly — Stop returns
within 200ms after ctx cancel.
- TestVault_RenewLoop_StartsNothingWhenNotRenewable — token
already non-renewable at boot ⇒ no goroutine, "not_renewable"
metric increments at startup so operators see it in Grafana.
- TestVault_ComputeInterval — 4 cases pinning TTL/2 +
minRenewInterval floor.
- TestVault_RenewSelf_ParseFailure_NamesActionableInError —
surfaced error contains "vault token renewal failed" + "rotate
the token".
Cadence is dynamic — every successful renewal re-derives TTL/2
from the renewed lease's lease_duration, so a short bootstrap
token that gets renewed up to a longer Max TTL shifts to the
longer cadence automatically (defends against degenerate fast
ticking on a token whose Max TTL is far longer than its initial
TTL).
Documentation:
- docs/connectors.md Vault PKI section gains "Token TTL +
automatic renewal" subsection (operator-facing: cadence, metric,
renewable=false rotation playbook).
Out of scope (intentional, flagged in the audit follow-up):
- AppRole / Kubernetes / AWS IAM auth methods (different renewal
semantics).
- Hot-reload of rotated token from disk (operator restarts
today; future: GUI/MCP issuer-update path triggers Rebuild
which Stops the old connector and Starts the new one).
- Auto-re-auth after token death (operator playbook owns it).
CHANGELOG.md is intentionally not hand-edited (per CHANGELOG.md
itself: "no longer maintains a hand-edited per-version changelog;
per-release notes are auto-generated from commit messages between
consecutive tags").
Verified locally:
- gofmt clean.
- go vet ./internal/service/... ./internal/api/handler/...
./internal/connector/issuer/vault/... ./cmd/server/... clean.
- go test -short -count=1 ./internal/connector/issuer/vault/...
./internal/service/... ./internal/api/handler/... green.
- go test -race -count=10 -run 'TestVault_RenewLoop|TestVault_ComputeInterval'
./internal/connector/issuer/vault/... green.
Audit reference: cowork/issuer-coverage-audit-2026-05-03/RESULTS.md
Top-10 fix#5.
Closes Top-10 fix#2 of the 2026-05-03 issuer-coverage audit (see
cowork/issuer-coverage-audit-2026-05-03/RESULTS.md). Pre-fix,
vault.Config.Token and digicert.Config.APIKey were plain string
fields. Practical impact:
1. GET /api/v1/issuers responses marshalled the credential into
the JSON body. An acquirer's procurement engineer running
'curl /api/v1/issuers | jq' saw the token / API key in plain
text on screen.
2. DEBUG-level HTTP request logging printed the credential
header verbatim.
3. A heap dump of the running server contained the credential
as readable bytes for the lifetime of the process.
Bundle I from the 2026-05-01 audit closed this for AWSACMPCA,
EJBCA, GlobalSign, Sectigo (Phase 1+2). Vault and DigiCert were
left out. This commit ports the same migration onto them.
Mechanics:
- Config.Token / Config.APIKey type changed from 'string' to
'*secret.Ref'. UnmarshalJSON of a JSON string populates the
Ref via NewRefFromString — operator config files are
unchanged.
- Every header-write call site routed through Ref.Use, with the
byte buffer zeroed after the callback returns. Vault: 3 sites
(IssueCertificate, RevokeCertificate, GetCACertPEM). DigiCert:
5 sites (ValidateConfig, IssueCertificate, RevokeCertificate,
pollOrderOnce, downloadCertificate).
- ValidateConfig nil-checks switch from 'cfg.Token == ""' to
'cfg.Token.IsEmpty()' (mirrors Sectigo's existing pattern).
- Tests migrated: every Config{Token:"..."} →
Config{Token: secret.NewRefFromString("...")}. The
'json.Marshal(config) → ValidateConfig(rawConfig)' round-trip
pattern in DigiCert's ValidateConfig_Success test is now
broken by the redact-on-marshal contract — switched that one
to construct the rawConfig as a JSON literal (mirrors
Sectigo's existing test pattern).
- Two new tests pin the redact-on-marshal contract:
- TestVault_Config_TokenMarshalsAsRedacted (vault_redact_test.go)
- TestDigiCert_Config_APIKeyMarshalsAsRedacted (digicert_redact_test.go)
Both assert the marshaled JSON contains '"[redacted]"' and
does NOT contain the plaintext bytes.
Operator-visible: GET /api/v1/issuers responses for type=vault
and type=digicert now show the credential as '[redacted]'.
Existing config files keep working — the Ref unmarshal accepts
strings.
CHANGELOG note: certctl/CHANGELOG.md is intentionally not
hand-edited; release notes are auto-generated from commit
messages between consecutive tags. This commit's message body is
the release-note artifact.
Verified locally:
- gofmt clean across the repo.
- go vet ./... clean across the repo.
- go test -race -count=1 -short
./internal/connector/issuer/vault/...
./internal/connector/issuer/digicert/...
./internal/secret/... green.
Audit reference: cowork/issuer-coverage-audit-2026-05-03/
RESULTS.md Top-10 fix#2.
Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 71b2245) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.
Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.
The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.
Enforce certificate profile crypto constraints across all 5 issuance paths
(renewal, agent CSR, EST, SCEP). ValidateCSRAgainstProfile() rejects CSRs
with key algorithm/size that don't match profile rules. MaxTTL enforcement
caps certificate validity per issuer connector (Local CA, Vault, step-ca
enforce directly; ACME/DigiCert/Sectigo pass through). Key algorithm and
size are now persisted in certificate_versions for audit compliance.
16 new tests (12 service-layer + 4 Local CA connector). Removes hardcoded
version number from GUI sidebar. Documentation updated across architecture,
features, connectors, and README.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
shankar0123