mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 12:41:30 +00:00
52248be717
Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md.

Server
- cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation
- cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading
- tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation

Config
- CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required)
- Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md

Agents, CLI, MCP
- All three pre-flight-reject http:// URLs with fail-loud diagnostic
- CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust
- CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup)
- install-agent.sh emits both vars as commented template lines

docker-compose
- certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot
- All demo-stack curls pin against ca.crt with --cacert

Helm chart
- Three TLS provisioning modes, exactly one required:
  - server.tls.existingSecret (operator-supplied)
  - server.tls.certManager.enabled (cert-manager integration)
  - server.tls.selfSigned.enabled (eval only — not for production)
- server-certificate.yaml template for cert-manager mode
- helm install without a TLS source fails at template render with a pointer to docs/tls.md

CI
- .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail).

Integration tests
- deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443
- All 34 integration subtests green (per Phase 8 local CI-parity)

Documentation
- New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload)
- New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing)
- CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47)
- All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert

Verification
- grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits
- grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints
- Tasks #197–#206 (Phases 0–8) all closed in the tracker

Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
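The commit message describes the server-side pattern in outline only: a certificate holder that is hot-reloaded on SIGHUP, a preflight that validates the cert/key pair and its SANs before the swap, and a TLS config with a TLS 1.3 floor whose GetCertificate callback reads the holder. The Go below is an added illustration of that pattern written for this page; it is not the repository's cmd/server/tls.go, which is not shown here. The names certHolder, preflightServerTLS, buildServerTLSConfig and watchSIGHUP are borrowed from the commit text, but their bodies, the reloadFromDisk method and the selfSignedPair test helper are assumptions of this example, and the hostnames used in it are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
	"time"
)

// certHolder publishes the served certificate through an atomic pointer; a reload
// only stores a pair that passed preflight, so handshakes never see a bad one.
type certHolder struct {
	current                 atomic.Pointer[tls.Certificate]
	certPath, keyPath, host string // host: name clients connect with; must be in the SANs
}

// preflightServerTLS rejects a PEM pair before it can be served: key that does not
// match the certificate, leaf outside its validity window, or host absent from SANs.
func preflightServerTLS(certPEM, keyPEM []byte, host string) (*tls.Certificate, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("cert/key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("parse leaf: %w", err)
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, errors.New("leaf certificate outside its validity window")
	}
	// VerifyHostname consults SANs only, so a CN-only cert fails here, not at each client.
	if err := leaf.VerifyHostname(host); err != nil {
		return nil, fmt.Errorf("SAN validation for %q: %w", host, err)
	}
	cert.Leaf = leaf
	return &cert, nil
}

// reloadFromDisk re-reads CERTCTL_TLS_CERT_PATH/KEY_PATH material, validates it, and
// only then swaps it in; on any failure the currently served certificate stays.
func (h *certHolder) reloadFromDisk() error {
	certPEM, errC := os.ReadFile(h.certPath)
	keyPEM, errK := os.ReadFile(h.keyPath)
	if err := errors.Join(errC, errK); err != nil {
		return err
	}
	cert, err := preflightServerTLS(certPEM, keyPEM, h.host)
	if err != nil {
		return err
	}
	h.current.Store(cert) // atomic swap: next handshake picks up the new cert
	return nil
}

// buildServerTLSConfig pins TLS 1.3 as the floor and resolves the cert per handshake.
func buildServerTLSConfig(h *certHolder) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS13,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c := h.current.Load(); c != nil {
				return c, nil
			}
			return nil, errors.New("no server certificate loaded")
		},
	}
}

// watchSIGHUP reloads from disk on SIGHUP; a rejected pair is logged, never fatal.
func watchSIGHUP(h *certHolder) {
	ch := make(chan os.Signal, 1)
	signal.Notify(ch, syscall.SIGHUP)
	go func() {
		for range ch {
			if err := h.reloadFromDisk(); err != nil {
				log.Printf("SIGHUP reload rejected, keeping current cert: %v", err)
			}
		}
	}()
}

// selfSignedPair mints constructed, short-lived ECDSA test material with the given DNS
// SANs so the example runs offline; it stands in for the tls-init sidecar's output.
func selfSignedPair(sans []string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}
```

Wiring it up: call `h.reloadFromDisk()` once at startup and treat an error as fatal (that is the preflight the commit describes), then `watchSIGHUP(h)` and `(&http.Server{Addr: ":8443", TLSConfig: buildServerTLSConfig(h)}).ListenAndServeTLS("", "")`; the empty file arguments are accepted by net/http when GetCertificate is set. The design point worth noting is the ordering in reloadFromDisk: validation happens on the new material before Store, so a rotation that drops the wrong file into place, or a key that does not match the certificate, leaves the old certificate serving instead of breaking every handshake.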
92 lines
1.3 KiB
Plaintext
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.so.*
*.dylib
bin/

# Frontend
web/node_modules/
web/dist/

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool
*.out
coverage.out
coverage.html

# Go workspace file
go.work

# Dependency directories
vendor/

# Environment variables
.env
.env.local
.env.*.local

# IDE
.idea/
.vscode/
*.swp
*.swo
*~
.DS_Store
*.iml

# Temporary files
tmp/
temp/
*.log
*.bak

# Private keys (agent-generated, never commit)
cmd/agent/*.key
cmd/agent/*.pem

# Database
*.db
*.sqlite3

# Allow migration SQL files (don't ignore *.sql globally)
# SQL files in migrations/ are tracked

# Build artifacts
certctl-server
certctl-agent
certctl-cli
/server
/agent
/cli
/mcp-server

# Private strategy docs
strategy.md
SECURITY_REMEDIATION.md

# OS
.DS_Store
Thumbs.db

# Local Go build/module caches (session-scoped, never committed)
/.gocache/
/.gomodcache/
/.gopath/
/.gomodcache-gopath/

# Design scratch files (session-scoped)
/.i004-design.md
/.i005-design.md

# HTTPS-Everywhere (M-007) Phase 6: the docker-compose.test.yml tls-init
# container writes ca.crt / server.crt / server.key into this directory so
# the host-side integration_test.go binary can pin the CA via
# CERTCTL_TEST_CA_BUNDLE=./certs/ca.crt. Material is regenerated on every
# `docker compose up` and never belongs in git.
/deploy/test/certs/