mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:51:36 +00:00
shankar0123
8a56a78282
Closes Rank 5 (Azure half) of the 2026-05-03 Infisical deep-research deliverable (cowork/infisical-deep-research-results.md Part 5). Pre-fix, certctl had no path to deploy certs to Azure-managed TLS- termination endpoints (Application Gateway / Front Door / App Service / Container Apps) — operators terminating TLS at Azure had to use manual `az keyvault certificate import` invocations or external automation. This commit lands the SDK-driven Azure Key Vault target connector that closes the gap, mirroring the AWS ACM target shape shipped in commitedf6bee. Architecture: - internal/connector/target/azurekv/azurekv.go — Connector wraps *azcertificates.Client behind the KeyVaultClient interface seam (mirrors awsacm's ACMClient + awsacmpca's ACMPCAClient). Lives in azurekv.go alongside the PFX (PKCS#12) wrapping helper that bundles the operator-supplied PEM cert + chain + key into the base64-PFX wire format azcertificates.ImportCertificate accepts. - internal/connector/target/azurekv/sdk_client.go — SDK-loading code isolated so the test path (NewWithClient) compiles without pulling azcore + azidentity transitive deps into the test binary. DefaultAzureCredential / ManagedIdentityCredential / EnvironmentCredential / WorkloadIdentityCredential selected via Config.CredentialMode (closed enum). - Pre-deploy snapshot via GetCertificate(name, "" /* latest */) so on-import-failure rollback restores the previous cert. Mirrors Bundle 5+. The Azure-specific quirk: rollback creates a NEW VERSION (Key Vault doesn't support version-restore without soft-delete recovery, which we keep off the minimum-RBAC surface). Operators reading audit dashboards see e.g. v1=initial, v2=failed-renewal, v3=rollback-of-v2; the certctl-managed-by + certctl-certificate-id provenance tags + future certctl-rollback-of metadata tag let an operator filter rollback artifacts. - Provenance tags identical to AWS ACM (certctl-managed-by=certctl + certctl-certificate-id=<mc-id>), automatically applied on every import. Key Vault carries tags forward across versions (unlike ACM which strips on re-import), so no separate AddTags call is required. - DeploymentRequest.KeyPEM held in agent memory only; PFX wrapping happens in-memory via software.sslmate.com/src/go-pkcs12. No disk write. Tests: - azurekv_test.go: 13-subtest happy-path + validation matrix — ValidateConfig (success / missing-vault-url / malformed-vault- url / missing-cert-name / invalid-credential-mode / reserved- tag rejection), DeployCertificate (fresh import / rollback-on- serial-mismatch / empty-key-rejected / no-client-rejected / SDK-error-surfaced), ValidateOnly (returns sentinel), ValidateDeployment (serial match / mismatch). - All tests use the NewWithClient injection seam; no real-Azure API calls. - go test -short -count=1 ./internal/connector/target/azurekv/... green. Wiring: - internal/domain/connector.go: TargetTypeAzureKeyVault = "AzureKeyVault". - internal/service/target.go: validTargetTypes set extended. - cmd/agent/main.go::createTargetConnector: AzureKeyVault case arm mirroring the AWSACM shape exactly. - cmd/agent/agent_test.go::TestCreateTargetConnector_AllSupported Types: AzureKeyVault added to the type matrix + the InvalidJSON matrix (16 supported target types now, up from 15). go.mod / go.sum: - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 (direct). - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 (direct). - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/ azcertificates v1.4.0 (direct). The deprecated /keyvault/azcertificates path appears as a transitive indirect via Microsoft's microsoft-authentication-library-for-go; we use the new /security/keyvault/ path exclusively. Documentation: - docs/connectors.md "Azure Key Vault" section: config table, RBAC role recipe (off-the-shelf "Key Vault Certificates Officer" or custom role with 3 data-plane actions), AKS workload-identity / managed-identity / service-principal / default credential recipes, atomic-rollback contract + Azure-version semantics explanation, soft-delete caveat, App Gateway / Front Door Terraform attachment snippet, threat model carve-outs (no disk writes, mandatory provenance tags, no long-lived secrets in Config), 5-bullet procurement checklist crib. Out of scope (intentional, flagged in V3-Pro forward path): - Azure Front Door direct-attach (UpdateRoutingConfig — different Azure RBAC scope). - App Gateway / App Service auto-bind (V3-Pro auto-attach). - Soft-delete recovery (acm:RecoverDeletedCertificate-equivalent requires extra RBAC; V2 keeps minimum-permission surface). - GCP Certificate Manager (separate cloud, separate connector). Verified locally: - gofmt clean. - go vet ./internal/connector/target/azurekv/... ./internal/domain/... ./internal/service/... ./cmd/agent/... clean. - go test -short -count=1 ./internal/connector/target/azurekv/... ./cmd/agent/... green (all 16 supported target types instantiate via the agent factory). Reference: cowork/infisical-deep-research-results.md Part 5 Rank 5. Acquisition prompt: cowork/rank-5-aws-acm-azure-kv-target-adapters-prompt.md. Companion commit (AWS half):edf6bee.
120 lines
5.7 KiB
Modula-2
120 lines
5.7 KiB
Modula-2
module github.com/shankar0123/certctl
|
|
|
|
go 1.25.9
|
|
|
|
require (
|
|
github.com/google/uuid v1.6.0
|
|
github.com/lib/pq v1.10.9
|
|
github.com/modelcontextprotocol/go-sdk v1.4.1
|
|
github.com/testcontainers/testcontainers-go v0.35.0
|
|
)
|
|
|
|
require (
|
|
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
|
|
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
|
|
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.4.0
|
|
github.com/aws/aws-sdk-go-v2 v1.41.7
|
|
github.com/aws/aws-sdk-go-v2/config v1.32.17
|
|
github.com/aws/aws-sdk-go-v2/service/acm v1.38.3
|
|
github.com/aws/aws-sdk-go-v2/service/acmpca v1.46.14
|
|
github.com/aws/smithy-go v1.25.1
|
|
github.com/go-jose/go-jose/v4 v4.1.4
|
|
github.com/leanovate/gopter v0.2.11
|
|
github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321
|
|
github.com/pkg/sftp v1.13.10
|
|
golang.org/x/crypto v0.45.0
|
|
golang.org/x/sync v0.18.0
|
|
software.sslmate.com/src/go-pkcs12 v0.7.0
|
|
)
|
|
|
|
require (
|
|
dario.cat/mergo v1.0.0 // indirect
|
|
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
|
|
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0 // indirect
|
|
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
|
|
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect
|
|
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
|
|
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
|
|
github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
|
|
github.com/ChrisTrenkamp/goxpath v0.0.0-20210404020558-97928f7e12b6 // indirect
|
|
github.com/Microsoft/go-winio v0.6.2 // indirect
|
|
github.com/aws/aws-sdk-go-v2/credentials v1.19.16 // indirect
|
|
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 // indirect
|
|
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 // indirect
|
|
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 // indirect
|
|
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 // indirect
|
|
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 // indirect
|
|
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 // indirect
|
|
github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 // indirect
|
|
github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 // indirect
|
|
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 // indirect
|
|
github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 // indirect
|
|
github.com/bodgit/ntlmssp v0.0.0-20240506230425-31973bb52d9b // indirect
|
|
github.com/bodgit/windows v1.0.1 // indirect
|
|
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
|
|
github.com/containerd/containerd v1.7.18 // indirect
|
|
github.com/containerd/log v0.1.0 // indirect
|
|
github.com/containerd/platforms v0.2.1 // indirect
|
|
github.com/cpuguy83/dockercfg v0.3.2 // indirect
|
|
github.com/davecgh/go-spew v1.1.1 // indirect
|
|
github.com/distribution/reference v0.6.0 // indirect
|
|
github.com/docker/docker v27.1.1+incompatible // indirect
|
|
github.com/docker/go-connections v0.5.0 // indirect
|
|
github.com/docker/go-units v0.5.0 // indirect
|
|
github.com/felixge/httpsnoop v1.0.4 // indirect
|
|
github.com/go-logr/logr v1.4.1 // indirect
|
|
github.com/go-logr/stdr v1.2.2 // indirect
|
|
github.com/go-ole/go-ole v1.2.6 // indirect
|
|
github.com/gofrs/uuid v4.4.0+incompatible // indirect
|
|
github.com/gogo/protobuf v1.3.2 // indirect
|
|
github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
|
|
github.com/google/jsonschema-go v0.4.2 // indirect
|
|
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
|
|
github.com/hashicorp/go-uuid v1.0.3 // indirect
|
|
github.com/jcmturner/aescts/v2 v2.0.0 // indirect
|
|
github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
|
|
github.com/jcmturner/gofork v1.7.6 // indirect
|
|
github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
|
|
github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
|
|
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
|
|
github.com/klauspost/compress v1.17.4 // indirect
|
|
github.com/kr/fs v0.1.0 // indirect
|
|
github.com/kr/text v0.2.0 // indirect
|
|
github.com/kylelemons/godebug v1.1.0 // indirect
|
|
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
|
|
github.com/magiconair/properties v1.8.7 // indirect
|
|
github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 // indirect
|
|
github.com/moby/docker-image-spec v1.3.1 // indirect
|
|
github.com/moby/patternmatcher v0.6.0 // indirect
|
|
github.com/moby/sys/sequential v0.5.0 // indirect
|
|
github.com/moby/sys/user v0.1.0 // indirect
|
|
github.com/moby/term v0.5.0 // indirect
|
|
github.com/morikuni/aec v1.0.0 // indirect
|
|
github.com/opencontainers/go-digest v1.0.0 // indirect
|
|
github.com/opencontainers/image-spec v1.1.0 // indirect
|
|
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
|
|
github.com/pkg/errors v0.9.1 // indirect
|
|
github.com/pmezard/go-difflib v1.0.0 // indirect
|
|
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
|
|
github.com/segmentio/asm v1.1.3 // indirect
|
|
github.com/segmentio/encoding v0.5.4 // indirect
|
|
github.com/shirou/gopsutil/v3 v3.23.12 // indirect
|
|
github.com/shoenig/go-m1cpu v0.1.6 // indirect
|
|
github.com/sirupsen/logrus v1.9.3 // indirect
|
|
github.com/stretchr/testify v1.11.1 // indirect
|
|
github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde // indirect
|
|
github.com/tklauser/go-sysconf v0.3.12 // indirect
|
|
github.com/tklauser/numcpus v0.6.1 // indirect
|
|
github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
|
|
github.com/yusufpapurcu/wmi v1.2.3 // indirect
|
|
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
|
|
go.opentelemetry.io/otel v1.24.0 // indirect
|
|
go.opentelemetry.io/otel/metric v1.24.0 // indirect
|
|
go.opentelemetry.io/otel/trace v1.24.0 // indirect
|
|
golang.org/x/net v0.47.0 // indirect
|
|
golang.org/x/oauth2 v0.34.0 // indirect
|
|
golang.org/x/sys v0.40.0 // indirect
|
|
golang.org/x/text v0.31.0 // indirect
|
|
gopkg.in/yaml.v3 v3.0.1 // indirect
|
|
)
|