mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 23:01:30 +00:00
shankar0123
2d9110b0c4
Bundle 2 Phase 0 stages the dependencies + auth-type discriminator
literal that later phases consume. No handler chain wired yet; an
operator who sets CERTCTL_AUTH_TYPE=oidc on this commit gets a clear
refuse-to-start error rather than a silent fallback to api-key (the
G-1 failure mode that drove "jwt" out of the allowed set).
Deliverables:
* go.mod: github.com/coreos/go-oidc/v3 v3.18.0 added as a direct
require. Per the pre-bundle dependency audit (Apache-2.0, zero CVEs
ever per OSV.dev, 2,400+ stars, used by Hashicorp Vault + Dex +
Hydra + Authentik + every Kubernetes OIDC integration), this is the
ecosystem-standard Go OIDC client. Pinned to a specific minor
(v3.18.0) per the prompt's "no bare latest" rule.
* go.mod: golang.org/x/oauth2 promoted from // indirect to direct,
bumped from v0.34.0 to v0.36.0 by go mod tidy. Both versions are
OSV-clean. Maintained by the Go team.
* No JSON-path library added (forbidden by the dependency audit; the
group-claim resolver is hand-rolled in Phase 3).
* internal/config/config.go: AuthTypeOIDC constant added with a
load-bearing comment explaining (a) this is the AUTH-TYPE literal,
not a JWT alg literal, so the G-1 closure invariant is preserved
("jwt" stays out of ValidAuthTypes forever); (b) the runtime guard
in cmd/server/main.go intentionally refuses-to-start when oidc is
set pre-Phase-6 to avoid the silent-downgrade failure mode.
ValidAuthTypes() now returns {api-key, none, oidc}.
* internal/config/config_test.go: TestValidAuthTypesIsExactly_APIKey_None
renamed to TestValidAuthTypesIsExactly_APIKey_None_OIDC and now pins
the 3-entry set. TestValidAuthTypesDoesNotContainJWT (G-1 closure
test) still passes because "jwt" is never added back.
TestValidate_GenericInvalidAuthType's bad-types list updated:
"oidc" removed (now valid), "saml" added (correctly rejected per
Decision 5's SAML deferral).
* cmd/server/main.go: defense-in-depth runtime auth-type guard now
has an explicit AuthTypeOIDC case that exit(1)s with an actionable
message: "the OIDC auth chain is not yet wired in this build (Auth
Bundle 2 Phase 6 ships the session middleware that consumes this
auth-type literal)." This closes the lying-field gap the literal
would otherwise create. Phase 6 of Bundle 2 relaxes this case to
fall through alongside api-key + none.
* api/openapi.yaml: /v1/auth/info auth_type enum extended from
[api-key, none] to [api-key, none, oidc] with an in-line comment
explaining the Phase-0-vs-Phase-6 timing so an OpenAPI consumer
isn't surprised by "oidc" appearing here pre-Bundle-2-merge.
* deploy/helm/certctl/templates/_helpers.tpl::certctl.validateAuthType:
valid set extended to include "oidc". Chart-time validation now
passes for type=oidc; the binary's runtime guard takes over to
refuse the start. Once Bundle 2 ships, the runtime guard relaxes
and OIDC works end-to-end with no further chart edits.
* .env.example: CERTCTL_AUTH_TYPE comment block updated to document
the three valid values + the Phase-0-vs-Phase-6 timing.
* internal/auth/oidc/doc.go: new package directory with package doc
+ transitional blank imports for coreos/go-oidc/v3 + x/oauth2 so
go mod tidy keeps both deps as direct requires until Phase 3's
service.go replaces the blanks with real symbol use. Doc explains
the package layout (oidc/ + oidc/domain/ + oidc/groupclaim/ +
oidc/testfixtures/) so the post-Bundle-2 reader can navigate.
Verifications:
* gofmt clean on every changed file.
* go vet clean on internal/config + cmd/server + internal/auth/oidc.
* go test -short -count=1 green on internal/config (including the
G-1 closure + new validation tests), cmd/server, internal/auth (all
Bundle 1 packages), internal/service/auth.
* govulncheck ./... clean (M-024 hard CI gate).
* All 24 ci-guards pass locally.
Phase 0 exit criteria from cowork/auth-bundle-2-prompt.md:
* go.mod shows coreos/go-oidc/v3 as direct: yes.
* golang.org/x/oauth2 is direct (not indirect): yes.
* govulncheck ./... clean: yes.
* No JSON-path library in go.mod / go.sum deltas: confirmed (only
v3 of go-oidc + the x/oauth2 bump landed).
* make verify green: gofmt + vet + go test pass; full make verify
(which would invoke golangci-lint) deferred to CI since the
sandbox doesn't have golangci-lint installed; the operator runs
make verify locally before pushing per CLAUDE.md operating rule.
68 lines
3.5 KiB
Bash
68 lines
3.5 KiB
Bash
# Certctl Configuration Example
|
|
# Copy this file to .env and configure for your environment
|
|
# DO NOT commit .env with real secrets to version control
|
|
|
|
# ==============================================================================
|
|
# PostgreSQL (used by Docker Compose for the postgres container)
|
|
# ==============================================================================
|
|
POSTGRES_DB=certctl
|
|
POSTGRES_USER=certctl
|
|
POSTGRES_PASSWORD=change-me-in-production
|
|
|
|
# ==============================================================================
|
|
# Certctl Server
|
|
# All server vars use the CERTCTL_ prefix (see internal/config/config.go)
|
|
# ==============================================================================
|
|
# IMPORTANT: keep the password segment of CERTCTL_DATABASE_URL in sync with
|
|
# POSTGRES_PASSWORD above. If you deploy via `deploy/docker-compose.yml`,
|
|
# this value is *overridden* by the compose file's
|
|
# `postgres://certctl:${POSTGRES_PASSWORD:-certctl}@postgres:5432/...`
|
|
# interpolation — but if you run the binary directly with this .env loaded
|
|
# (e.g. `set -a; source .env; ./certctl-server`), update *both* lines.
|
|
# Background: editing POSTGRES_PASSWORD after the postgres data directory
|
|
# has been initialized once does NOT rotate the password — initdb only
|
|
# seeds pg_authid on first boot of an empty volume. See docs/quickstart.md
|
|
# "Warning" callout and `internal/repository/postgres/db.go::wrapPingError`
|
|
# for the SQLSTATE 28P01 diagnostic that fires when the two drift.
|
|
CERTCTL_DATABASE_URL=postgres://certctl:change-me-in-production@postgres:5432/certctl?sslmode=disable
|
|
CERTCTL_SERVER_HOST=0.0.0.0
|
|
CERTCTL_SERVER_PORT=8443
|
|
CERTCTL_LOG_LEVEL=info
|
|
CERTCTL_LOG_FORMAT=json
|
|
|
|
# Auth type: "api-key" (production), "none" (demo/development), or
|
|
# "oidc" (Auth Bundle 2 - native OIDC SSO via coreos/go-oidc/v3, ships
|
|
# in Bundle 2 phases 5+6; setting CERTCTL_AUTH_TYPE=oidc on a build
|
|
# without Bundle 2 wired triggers a clear refuse-to-start error rather
|
|
# than a silent fallback to api-key). For JWT / SAML / LDAP, continue to
|
|
# run an authenticating gateway in front of certctl (oauth2-proxy /
|
|
# Envoy ext_authz / Traefik ForwardAuth / Pomerium) and set
|
|
# CERTCTL_AUTH_TYPE=none on the upstream - see docs/architecture.md
|
|
# "Authenticating-gateway pattern". G-1 removed the in-process "jwt"
|
|
# option (no JWT middleware shipped - silent auth downgrade); see
|
|
# docs/upgrade-to-v2-jwt-removal.md if you previously set
|
|
# CERTCTL_AUTH_TYPE=jwt.
|
|
CERTCTL_AUTH_TYPE=none
|
|
# Required when CERTCTL_AUTH_TYPE is "api-key".
|
|
# Generate with: openssl rand -base64 32
|
|
# CERTCTL_AUTH_SECRET=change-me-in-production
|
|
|
|
# ==============================================================================
|
|
# Certctl Agent
|
|
# ==============================================================================
|
|
# HTTPS-only as of v2.2 (TLS 1.3 pinned). Agents reject http:// URLs at
|
|
# startup. Use the docker-compose self-signed bootstrap CA bundle from
|
|
# `deploy/test/certs/ca.crt` or supply your own via CERTCTL_SERVER_CA_BUNDLE_PATH.
|
|
CERTCTL_SERVER_URL=https://localhost:8443
|
|
CERTCTL_API_KEY=change-me-in-production
|
|
CERTCTL_AGENT_NAME=local-agent
|
|
|
|
# ==============================================================================
|
|
# Optional: Scheduler Tuning (defaults are usually fine)
|
|
# ==============================================================================
|
|
# CERTCTL_SCHEDULER_RENEWAL_CHECK_INTERVAL=1h
|
|
# CERTCTL_SCHEDULER_JOB_PROCESSOR_INTERVAL=30s
|
|
# CERTCTL_SCHEDULER_AGENT_HEALTH_CHECK_INTERVAL=2m
|
|
# CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL=1m
|
|
# CERTCTL_DATABASE_MAX_CONNS=25
|