mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 21:11:30 +00:00
shankar0123
52248be717
Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
182 lines
7.1 KiB
YAML
182 lines
7.1 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
- v2-dev
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
|
|
jobs:
|
|
go-build-and-test:
|
|
name: Go Build & Test
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version: '1.25.9'
|
|
|
|
- name: Go Build
|
|
run: |
|
|
go build ./cmd/server/...
|
|
go build ./cmd/agent/...
|
|
go build ./cmd/mcp-server/...
|
|
go build ./cmd/cli/...
|
|
|
|
- name: Go Vet
|
|
run: go vet ./...
|
|
|
|
- name: Install golangci-lint
|
|
run: |
|
|
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.4
|
|
|
|
- name: Run golangci-lint
|
|
run: golangci-lint run ./... --timeout 5m
|
|
|
|
- name: Install govulncheck
|
|
run: go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
|
|
- name: Run govulncheck
|
|
run: govulncheck ./...
|
|
|
|
- name: Race Detection
|
|
run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/crypto/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s
|
|
|
|
- name: Go Test with Coverage
|
|
run: |
|
|
go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
|
|
|
|
- name: Check Coverage Thresholds
|
|
run: |
|
|
# Extract per-package coverage from test output
|
|
echo "=== Coverage Report ==="
|
|
go tool cover -func=coverage.out | tail -1
|
|
|
|
# Check service layer coverage (target: 60%+)
|
|
SERVICE_COV=$(go tool cover -func=coverage.out | grep 'internal/service' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
|
|
echo "Service layer coverage: ${SERVICE_COV}%"
|
|
|
|
# Check handler layer coverage (target: 60%+)
|
|
HANDLER_COV=$(go tool cover -func=coverage.out | grep 'internal/api/handler' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
|
|
echo "Handler layer coverage: ${HANDLER_COV}%"
|
|
|
|
# Check domain layer coverage (target: 40%+)
|
|
DOMAIN_COV=$(go tool cover -func=coverage.out | grep 'internal/domain' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
|
|
echo "Domain layer coverage: ${DOMAIN_COV}%"
|
|
|
|
# Check middleware layer coverage (target: 50%+)
|
|
MIDDLEWARE_COV=$(go tool cover -func=coverage.out | grep 'internal/api/middleware' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
|
|
echo "Middleware layer coverage: ${MIDDLEWARE_COV}%"
|
|
|
|
# Check crypto package coverage (target: 85%+)
|
|
# M-8 rationale: encryption primitives are a security-critical gate.
|
|
# v2 format, key-derivation, fallback, and fail-closed sentinel paths
|
|
# all need exhaustive coverage to avoid silent regressions (CWE-916 / CWE-329).
|
|
CRYPTO_COV=$(go tool cover -func=coverage.out | grep 'internal/crypto' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
|
|
echo "Crypto package coverage: ${CRYPTO_COV}%"
|
|
|
|
# Fail if thresholds not met
|
|
if [ "$(echo "$SERVICE_COV < 55" | bc -l)" -eq 1 ]; then
|
|
echo "::error::Service layer coverage ${SERVICE_COV}% is below 55% threshold"
|
|
exit 1
|
|
fi
|
|
if [ "$(echo "$HANDLER_COV < 60" | bc -l)" -eq 1 ]; then
|
|
echo "::error::Handler layer coverage ${HANDLER_COV}% is below 60% threshold"
|
|
exit 1
|
|
fi
|
|
if [ "$(echo "$DOMAIN_COV < 40" | bc -l)" -eq 1 ]; then
|
|
echo "::error::Domain layer coverage ${DOMAIN_COV}% is below 40% threshold"
|
|
exit 1
|
|
fi
|
|
if [ "$(echo "$MIDDLEWARE_COV < 30" | bc -l)" -eq 1 ]; then
|
|
echo "::error::Middleware layer coverage ${MIDDLEWARE_COV}% is below 30% threshold"
|
|
exit 1
|
|
fi
|
|
if [ "$(echo "$CRYPTO_COV < 85" | bc -l)" -eq 1 ]; then
|
|
echo "::error::Crypto package coverage ${CRYPTO_COV}% is below 85% threshold"
|
|
exit 1
|
|
fi
|
|
echo "Coverage thresholds passed!"
|
|
|
|
- name: Upload Coverage Report
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: go-coverage
|
|
path: coverage.out
|
|
retention-days: 30
|
|
|
|
frontend-build:
|
|
name: Frontend Build
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '22'
|
|
|
|
- name: Install Dependencies
|
|
working-directory: web
|
|
run: npm ci
|
|
|
|
- name: TypeScript Check
|
|
working-directory: web
|
|
run: npx tsc --noEmit
|
|
|
|
- name: Run Frontend Tests
|
|
working-directory: web
|
|
run: npx vitest run
|
|
|
|
- name: Build Frontend
|
|
working-directory: web
|
|
run: npx vite build
|
|
|
|
helm-lint:
|
|
name: Helm Chart Validation
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Helm
|
|
uses: azure/setup-helm@v4
|
|
with:
|
|
version: '3.13.0'
|
|
|
|
# HTTPS-Everywhere (v2.0.47): the chart fails render when no TLS source is
|
|
# configured. Every lint/template invocation below must pick exactly one
|
|
# provisioning mode — see deploy/helm/certctl/templates/_helpers.tpl
|
|
# (certctl.tls.required) and docs/tls.md.
|
|
- name: Lint Helm Chart
|
|
run: |
|
|
helm lint deploy/helm/certctl/ \
|
|
--set server.tls.existingSecret=certctl-tls-ci
|
|
|
|
- name: Template Helm Chart (existingSecret mode)
|
|
run: |
|
|
helm template certctl deploy/helm/certctl/ \
|
|
--set server.tls.existingSecret=certctl-tls-ci \
|
|
> /dev/null
|
|
|
|
- name: Template Helm Chart (cert-manager mode)
|
|
run: |
|
|
helm template certctl deploy/helm/certctl/ \
|
|
--set server.tls.certManager.enabled=true \
|
|
--set server.tls.certManager.issuerRef.name=letsencrypt-prod \
|
|
> /dev/null
|
|
|
|
- name: Template Helm Chart (guard fails without TLS)
|
|
run: |
|
|
# Inverse test: the chart MUST refuse to render when no TLS source is
|
|
# configured. If this ever renders successfully, the fail-loud guard
|
|
# in certctl.tls.required has regressed.
|
|
if helm template certctl deploy/helm/certctl/ > /dev/null 2>&1; then
|
|
echo "::error::Helm chart rendered without a TLS source — fail-loud guard regressed"
|
|
exit 1
|
|
fi
|