mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:51:36 +00:00
shankar0123
0729ee46e0
Post-transfer cosmetic + release-critical URL refresh after moving the
repo from github.com/shankar0123/certctl to github.com/certctl-io/certctl
(2026-05-03). GitHub HTTP redirects continue to forward old URLs forever,
so existing operators are not broken — but aligns the canonical
references with the new owner so:
- procurement engineers / contributors browsing the docs see the right
URL on first read
- operators copying the agent install one-liner hit the new path
directly without going through a redirect
- the Helm chart's default image repository points at the canonical org
registry path
- the OnboardingWizard rendered to first-run UI users shows the new
URL in the install snippets and doc anchor links
- the GitHub Actions release workflow pushes container images to
ghcr.io/certctl-io/certctl-{server,agent} (was: shankar0123)
- the release-notes Markdown body in release.yml — which gets stamped
into every future release page — references the post-transfer
cert-identity (cosign keyless signing now uses the certctl-io
workflow URL) and the post-transfer SLSA provenance source-uri.
Without this, every cosign verify / slsa-verifier command on a
v2.1.0+ release would fail because the cert-identity-regexp would
not match the signing identity GitHub Actions OIDC issues post-
transfer. Old releases (v2.0.67 and earlier) keep their immutable
release-notes pointing at the shankar0123 path and remain
verifiable via their own published instructions.
Customer impact:
- Operators on ghcr.io/shankar0123/certctl-{server,agent}:latest
silently freeze on whatever tag was current at transfer time. They
get no errors; they just stop receiving updates. The next release
notes need a one-line callout (Phase 3.1 of cowork/transfer-
certctl-to-org.md) telling them to update their image path to
ghcr.io/certctl-io/certctl-{server,agent}.
- All other URLs (git clone, install one-liner, raw.githubusercontent
URLs, browser links, GitHub API) continue to resolve via permanent
HTTP redirects. The sweep is cosmetic for those.
Files swept (30 total):
.github/workflows/release.yml — IMAGE_NAMESPACE, source-uri,
cosign cert-identity-regexp, IMAGE= snippet (5 refs total).
CHANGELOG.md, README.md — anchor links, badges, install one-liner,
cosign verify snippets in operator-facing sections.
api/openapi.yaml — info / externalDocs URLs.
install-agent.sh — GITHUB_REPO const + systemd unit Documentation=
field.
deploy/ENVIRONMENTS.md, deploy/helm/{CHART_SUMMARY,INDEX,
INSTALLATION,README}.md, deploy/helm/certctl/{Chart.yaml,
README.md,values.yaml}, deploy/helm/examples/values-*.yaml —
chart docs + image repository defaults across dev / prod-ha
overrides.
docs/{certctl-for-cert-manager-users,connector-iis,connectors,
migrate-from-acmesh,migrate-from-certbot,quickstart,test-env,
why-certctl}.md — operator-facing doc URLs.
examples/{acme-nginx,acme-wildcard-dns01,multi-issuer,
private-ca-traefik,step-ca-haproxy}/docker-compose.yml +
examples/step-ca-haproxy/step-ca-haproxy.md — example image:
paths and accompanying narrative.
web/src/pages/OnboardingWizard.tsx — first-run-UI URL refs (curl
install one-liners, agent docker image path, doc anchor links).
Files intentionally NOT swept (Choice A from cowork/transfer-certctl-
to-org.md):
go.mod, go.sum — module declaration stays github.com/shankar0123/
certctl. Existing imports compile because Go uses the path
declared in go.mod, not the URL it was fetched from. Internal-
only project; no external Go consumers; rename will land as a
mechanical sed when one materializes.
~250 *.go files — every import remains github.com/shankar0123/
certctl/internal/...
deploy/test/f5-mock-icontrol/go.mod — separate test sub-module;
same Choice A logic; module path stays.
Files intentionally NOT swept (other reasons):
README.md lines 244-245 — Scarf-pixel docker-pull commands.
shankar0123.docker.scarf.sh/... is a Scarf-account hostname
(per-user, not per-repo) and the pixel keeps tracking pulls
against the operator's personal Scarf account. Migrating to a
certctl-io Scarf account is a separate decision (create org
Scarf account → re-create package → update README).
deploy/test/f5-mock-icontrol/f5-mock-icontrol — checked-in
compiled binary with shankar0123/certctl baked into Go build
info via the sub-module path. Out of scope for a URL sweep;
will refresh on the next `make test-integration` rebuild.
Verification:
gofmt: clean (no .go files touched).
go vet ./...: clean (verified at this SHA in 1.3 of the transfer
checklist; no .go changes since).
go build ./...: clean (same).
go test -short on representative packages: green (same).
Diff shape: 30 files, 74 insertions / 74 deletions, net-zero size,
pure URL substitution.
205 lines
6.2 KiB
YAML
205 lines
6.2 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
# PostgreSQL database for certctl
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
container_name: certctl-postgres-stepca-haproxy
|
|
environment:
|
|
POSTGRES_DB: certctl
|
|
POSTGRES_USER: certctl
|
|
POSTGRES_PASSWORD: ${DB_PASSWORD:-certctl-dev-password}
|
|
volumes:
|
|
- postgres_data:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ['CMD-SHELL', 'pg_isready -U certctl -d certctl']
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
networks:
|
|
- certctl-network
|
|
restart: unless-stopped
|
|
|
|
# Smallstep step-ca (internal private CA)
|
|
# Initialized with default admin token and provisioner configuration
|
|
step-ca:
|
|
image: smallstep/step-ca:latest
|
|
container_name: step-ca-stepca-haproxy
|
|
environment:
|
|
# step-ca root password (for key encryption)
|
|
STEPPATH: /home/step/step-ca
|
|
# Provisioner password will be set up below
|
|
volumes:
|
|
# Persist step-ca configuration and keys
|
|
- step_ca_data:/home/step/step-ca
|
|
- ./step-ca-init.sh:/opt/step-ca-init.sh:ro
|
|
entrypoint: /bin/sh
|
|
command:
|
|
- -c
|
|
- |
|
|
# Initialize step-ca if not already done
|
|
if [ ! -f /home/step/step-ca/config/ca.json ]; then
|
|
echo "Initializing step-ca..."
|
|
step ca init \
|
|
--name="certctl-demo-ca" \
|
|
--dns=step-ca \
|
|
--address=0.0.0.0:9000 \
|
|
--provisioner=admin \
|
|
--provisioner-password-file=<(echo "${STEP_CA_PASSWORD:-stepca-demo-password}") \
|
|
--password-file=<(echo "${STEP_CA_PASSWORD:-stepca-demo-password}") \
|
|
--deployment-type=standalone \
|
|
--acme 2>&1 || true
|
|
fi
|
|
|
|
# Add a JWK provisioner for certctl if not present
|
|
if ! step ca provisioner list 2>/dev/null | grep -q "certctl"; then
|
|
echo "Adding certctl JWK provisioner..."
|
|
step ca provisioner add certctl \
|
|
--type=JWK \
|
|
--password-file=<(echo "${STEP_CA_PROVISIONER_PASSWORD:-certctl-provisioner-demo}") \
|
|
2>&1 || true
|
|
fi
|
|
|
|
# Start step-ca
|
|
echo "Starting step-ca..."
|
|
step-ca /home/step/step-ca/config/ca.json \
|
|
--password-file=<(echo "${STEP_CA_PASSWORD:-stepca-demo-password}")
|
|
ports:
|
|
- '9000:9000'
|
|
healthcheck:
|
|
test: ['CMD-SHELL', 'step ca health --insecure || exit 1']
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 3
|
|
networks:
|
|
- certctl-network
|
|
restart: unless-stopped
|
|
|
|
# certctl server (control plane)
|
|
certctl-server:
|
|
image: ghcr.io/certctl-io/certctl-server:latest
|
|
container_name: certctl-server-stepca-haproxy
|
|
environment:
|
|
# Database
|
|
CERTCTL_DATABASE_URL: postgres://certctl:${DB_PASSWORD:-certctl-dev-password}@postgres:5432/certctl?sslmode=disable
|
|
|
|
# Server settings
|
|
CERTCTL_SERVER_PORT: 8443
|
|
CERTCTL_SERVER_HOST: 0.0.0.0
|
|
|
|
# Auth (disabled for demo; production should use API keys)
|
|
CERTCTL_AUTH_TYPE: none
|
|
|
|
# CORS (allow agent communication)
|
|
CERTCTL_CORS_ORIGINS: '*'
|
|
|
|
# Key generation mode (agent-side in production, server-side for demo)
|
|
CERTCTL_KEYGEN_MODE: agent
|
|
|
|
# step-ca issuer configuration
|
|
# step-ca runs on step-ca:9000 in this compose network
|
|
CERTCTL_STEPCA_URL: https://step-ca:9000
|
|
CERTCTL_STEPCA_ROOT_CERT_PATH: /etc/certctl/step-ca-root.crt
|
|
CERTCTL_STEPCA_PROVISIONER: certctl
|
|
CERTCTL_STEPCA_KEY_PATH: /etc/certctl/step-ca-provisioner.json
|
|
CERTCTL_STEPCA_PASSWORD: ${STEP_CA_PROVISIONER_PASSWORD:-certctl-provisioner-demo}
|
|
|
|
# Logging
|
|
CERTCTL_LOG_LEVEL: info
|
|
volumes:
|
|
# Mount step-ca certs for TLS verification (auto-generated by step-ca init)
|
|
- step_ca_data:/home/step/step-ca/config:ro
|
|
ports:
|
|
- '${SERVER_PORT:-8443}:8443'
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
step-ca:
|
|
condition: service_healthy
|
|
networks:
|
|
- certctl-network
|
|
healthcheck:
|
|
test: ['CMD-SHELL', 'curl -sfk https://localhost:8443/health || exit 1']
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 3
|
|
restart: unless-stopped
|
|
|
|
# certctl agent (runs on the target machine with HAProxy)
|
|
certctl-agent:
|
|
image: ghcr.io/certctl-io/certctl-agent:latest
|
|
container_name: certctl-agent-stepca-haproxy
|
|
environment:
|
|
# Control plane connection
|
|
CERTCTL_SERVER_URL: http://certctl-server:8443
|
|
CERTCTL_API_KEY: ${AGENT_API_KEY:-agent-demo-key}
|
|
|
|
# Key generation (agent-side keys, never sent to server)
|
|
CERTCTL_KEYGEN_MODE: agent
|
|
CERTCTL_KEY_DIR: /var/lib/certctl/keys
|
|
|
|
# Discovery (scan existing certs so operator knows what's already deployed)
|
|
CERTCTL_DISCOVERY_DIRS: /etc/haproxy/ssl
|
|
|
|
# Heartbeat interval
|
|
CERTCTL_HEARTBEAT_INTERVAL: 30s
|
|
|
|
# Agent metadata (self-reported)
|
|
CERTCTL_AGENT_NAME: haproxy-agent-01
|
|
|
|
# Logging
|
|
CERTCTL_LOG_LEVEL: info
|
|
volumes:
|
|
# Mount HAProxy config and cert directories
|
|
# In production, these would be the actual HAProxy paths
|
|
- haproxy_certs:/etc/haproxy/ssl
|
|
- haproxy_conf:/etc/haproxy
|
|
# Agent key storage (persisted across restarts)
|
|
- agent_keys:/var/lib/certctl/keys
|
|
depends_on:
|
|
certctl-server:
|
|
condition: service_healthy
|
|
networks:
|
|
- certctl-network
|
|
restart: unless-stopped
|
|
|
|
# HAProxy reverse proxy / load balancer
|
|
# This is where certificates will be deployed
|
|
haproxy:
|
|
image: haproxy:2.9-alpine
|
|
container_name: certctl-haproxy-stepca-haproxy
|
|
ports:
|
|
- '80:80'
|
|
- '443:443'
|
|
volumes:
|
|
- haproxy_conf:/etc/haproxy
|
|
- haproxy_certs:/etc/haproxy/ssl
|
|
# Default HAProxy config
|
|
- ./haproxy.cfg:/etc/haproxy/haproxy.cfg:ro
|
|
depends_on:
|
|
- certctl-agent
|
|
networks:
|
|
- certctl-network
|
|
healthcheck:
|
|
test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost:8080/stats || exit 1']
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 3
|
|
restart: unless-stopped
|
|
|
|
networks:
|
|
certctl-network:
|
|
driver: bridge
|
|
|
|
volumes:
|
|
postgres_data:
|
|
driver: local
|
|
step_ca_data:
|
|
driver: local
|
|
haproxy_certs:
|
|
driver: local
|
|
haproxy_conf:
|
|
driver: local
|
|
agent_keys:
|
|
driver: local
|