claude
b1ff59dbf2
Phase 14 of the deploy-hardening II master bundle. The procurement- team headline doc + per-connector operator guides for the top 5 most-deployed connectors. NEW docs/deployment-vendor-matrix.md (~30 rows): - Per (connector × vendor-version) status: ✓ / CI / mock / pending / n/a - Known issues + workarounds + e2e test name reference - LTS + current-stable scope per frozen decision 0.1 - Quarterly re-pin cadence guidance for sidecar digests - "How to add a new vendor version" recipe Per frozen decision 0.14: a (connector × vendor-version) cell is "verified" only when ALL apply: ≥1 happy-path e2e green; ≥1 specific-quirk test green for that version; operator manual smoke completed at least once. Cells lacking the third criterion show "CI" status (auto-tests green but pending operator validation). Status snapshot at bundle close: - NGINX 1.25 + 1.27: CI - Apache 2.4: CI - HAProxy 2.6 + 2.8 + 3.0: CI - Traefik 2.x + 3.x: CI - Caddy 2.x: CI - Envoy 1.30 + 1.32: CI (file-mode SDS only; gRPC SDS V3-Pro) - Postfix 3.6 + 3.8: CI - Dovecot 2.3: CI - IIS 10 (2019, 2022): pending (Windows-host-only CI) - F5 v15.1 + v17.0 + v17.5: mock (real-F5 vagrant box documented) - SSH OpenSSH 8.x + 9.x: CI - WinCertStore (2019, 2022): pending (Windows-host-only) - JavaKeystore JDK 11 + 17 + 21: pending - K8s 1.28 + 1.30 + 1.31: CI NEW per-connector deep-dive docs: - docs/connector-nginx.md (~150 lines, 10 quirks documented) - docs/connector-k8s.md (~110 lines, 10 quirks) - docs/connector-iis.md (~120 lines, 10 quirks; Windows-host-only CI constraint loud) - docs/connector-apache.md (~80 lines, 10 quirks) - docs/connector-f5.md (~190 lines, 10 quirks; two-tier validation recipe for operator-supplied real-F5 vagrant box) Each doc follows the same structure: - Overview - Vendor versions tested - Per-quirk operator guidance (one section per TestVendorEdge_<vendor>_<edge>_E2E) - Troubleshooting matrix - V3-Pro deferrals - Related docs cross-refs Other connector docs (HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, SSH, WinCertStore, JavaKeystore) live in docs/connectors.md + are referenced from the matrix. Phase 15 next: per-vendor CI matrix job in .github/workflows/ci.yml.
3.0 KiB
Apache httpd Connector — Operator Deep-Dive
Per Phase 14 of the deploy-hardening II master bundle.
Overview
The Apache connector (internal/connector/target/apache/) deploys
TLS certs to Apache 2.4 LTS via separate cert/chain/key files +
apachectl configtest validate + apachectl graceful reload.
Mirrors the canonical NGINX template (Bundle I Phase 5).
Vendor versions tested
- Apache httpd 2.4 LTS (only LTS branch; 2.6 is dev branch)
Per-quirk operator guidance
Multi-vhost cert-by-vhost
TestVendorEdge_Apache_MultiVhostCertByVhost_DeployIsolated_E2E
When Apache has multiple <VirtualHost> blocks each with its own
SSLCertificateFile, connector deploys to the matching vhost
only. Other vhosts unchanged.
apachectl graceful-stop drains cleanly
TestVendorEdge_Apache_ApachectlGracefulStop_DrainsCleanly_E2E
apachectl graceful (the connector default) preserves in-flight
TLS connections. apachectl restart drops them.
mod_ssl absent
TestVendorEdge_Apache_ModSSLAbsent_DeployFailsWithActionableError_E2E
If mod_ssl isn't loaded, apachectl configtest fails with
"Invalid command 'SSLCertificateFile'". Connector surfaces this
verbatim — operator action: LoadModule ssl_module modules/mod_ssl.so.
.htaccess interactions
TestVendorEdge_Apache_HtaccessRequireSSL_NotImpactedByDeploy_E2E
.htaccess rules requiring SSL are not impacted by cert rotation.
The Require directive evaluates per-request against the
connection's TLS state, not the cert file.
Apache 2.4 LTS reload semantics pinned
TestVendorEdge_Apache_Apache24LTSReloadSemanticsPinned_E2E
apachectl graceful semantics stable across 2.4.x patch versions.
No per-version branch needed.
Syntax error rollback
TestVendorEdge_Apache_SyntaxErrorRollback_E2E
apachectl configtest failure aborts before atomic rename. Live
cert untouched.
Per-vhost key ownership
TestVendorEdge_Apache_PerVhostKeyOwnership_E2E
When multiple vhosts share the same key file, ownership is preserved across rotation. When each vhost has its own key, per-file ownership is preserved per Bundle I Phase 5.
Reload preserves connections
TestVendorEdge_Apache_ReloadVsRestart_PreservesConnections_E2E
In-flight TLS sessions survive apachectl graceful worker
swap. Documented in docs/deployment-atomicity.md.
SNI server_name binding
TestVendorEdge_Apache_SNIServerNameDeployBindsCorrect_E2E
When deploy specifies server_name metadata, connector targets
the matching <VirtualHost> block.
Cert chain ordering
TestVendorEdge_Apache_ChainOrderingNormalized_E2E
Apache requires leaf cert FIRST in SSLCertificateFile (or
chain in SSLCertificateChainFile). Connector preserves operator-
supplied ordering across rotation.
V3-Pro deferrals
- Apache 2.6 (when it ships LTS).
- mod_md (Apache's built-in ACME) interop.