mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:31:31 +00:00
shankar0123
d809874fa1
Per operator decision the framework-mapping docs are gone. They
were aspirational (no audit, no certification, no validated
mapping); keeping them around was misleading.
Files deleted (1,883 lines):
- docs/compliance/index.md
- docs/compliance/soc2.md
- docs/compliance/pci-dss.md
- docs/compliance/nist-sp-800-57.md
Hyperlinks removed:
- README.md: 'Auditor / compliance' row in the doc table; the
'(compliance mapping included)' parenthetical in the
positioning paragraph
- docs/README.md: the '## Compliance' section table; the
'Auditor / compliance team' reading-order-by-role row
Prose name-drops swept across 24 files:
- README.md: 'FedRAMP boundary CAs / financial-services policy
CAs' → '4-level boundary CAs / 3-level policy CAs';
'Compliance-grade for PCI-DSS Level 1, FedRAMP Moderate / High,
SOC 2 Type II, HIPAA' → cut entirely
- getting-started/{quickstart,concepts,examples,why-certctl,
advanced-demo}.md: 'compliance' → 'audit' / 'policy';
'PCI-DSS / SOC 2 / NIST SP 800-57' framework lists cut;
''pci': 'true'' tag example → ''environment': 'production''
- migration/cert-manager-coexistence.md: 'compliance rules' →
'policy rules'
- operator/approval-workflow.md: 'Compliance customers (PCI-DSS
Level 1, FedRAMP Moderate / High, SOC 2 Type II, HIPAA)' →
'Operators'; entire 'Compliance control mapping' table
(PCI-DSS §6.4.5 / NIST SP 800-53 SA-15 / SOC 2 Type II CC6.1
/ HIPAA §164.308(a)(4)) deleted; 'compliance contract' →
'two-person-integrity contract'; 'compliance auditors' →
'reviewers'
- operator/legacy-clients-tls-1.2.md: 'PCI-DSS v4.0 Req 4 §2.2.5'
audit-reference → CWE-326 (kept); 'PCI-DSS Req 4 §2.2.5
attestation' section retitled to 'TLS posture summary' and
rewritten without framework framing; 'PCI-DSS, NIST, and
major browsers will eventually deprecate TLS 1.2' →
'Major browsers and OS vendors will eventually deprecate
TLS 1.2'
- operator/database-tls.md: PCI-DSS Req 4 §2.2.5 audit-ref →
CWE-319 only; 'PCI-DSS scope' → 'sensitive data'; PCI-DSS
Req 4 v4.0 prose footing → cut
- operator/runbooks/disaster-recovery.md: 'SOC 2 / PCI
procurement-team deliverable' → 'on-call deliverable';
'compliance auditors' → 'reviewers'
- reference/connectors/{acme,aws-acm,azure-kv,globalsign,
local-ca,openssl,ssh,index}.md: 'compliance reporting
(PCI-DSS §3.6, HIPAA §164.312)' → 'audit reporting';
'Compliance environments (PCI-DSS Level 1, FedRAMP High,
HIPAA)' → 'Regulated environments'; 'compliance audits' →
'audit'; 'FedRAMP boundary CA' pattern names →
'4-level boundary CA' (technically descriptive)
- reference/protocols/est.md: 'compliance-hook seam' →
'device-state hook seam'; 'compliance gating' → 'device-state
gating'; 'est_compliance_failed' → 'est_device_state_failed'
- reference/protocols/scep-intune.md: 'Optional compliance
check' → 'Optional device-state check'; failure-counter
'compliance_failed' → 'device_state_failed'; 'Conditional
Access compliance gating' → 'Conditional Access
device-state gating'
- reference/intermediate-ca-hierarchy.md: 'FedRAMP boundary-CA
deployments where the regulator requires...' →
'Boundary-CA deployments where you want separation of policy
and issuing authorities'; pattern A retitled '4-level FedRAMP
boundary CA' → '4-level boundary CA'
- reference/architecture.md: broken Related-docs link to
compliance.md removed; the rest of that block had stale
pre-Phase-2 paths (quickstart.md, demo-advanced.md,
connectors.md, openapi.md, testing-guide.md, test-env.md) —
retargeted to current locations
- reference/deployment-model.md: 'SOC 2 evidence-report
generator' → 'Audit-evidence report generator'
- reference/vendor-matrix.md: 'SOC 2 / PCI auditors paste this
into evidence packs' → 'reviewers paste this into
vendor-evaluation packs'
- contributor/qa-test-suite.md: 'compliance exist' coverage
description cut; 'Compliance (PCI / SOC2 / HIPAA-relevant)'
risk-class label → 'Audit-relevant'
What was kept:
- CWE references (legitimate technical pointers)
- Microsoft API/feature names that happen to use 'compliance'
literally ('Microsoft Graph compliance API',
'device-compliance validators' — these are MS product names,
not framework name-drops)
- 'NIST PQC' on the landing page (Post-Quantum Cryptography is
the actual NIST standard family, not a compliance framework)
Verified: zero hyperlinks into docs/compliance/ remain. All 24
ci-guards/*.sh pass locally. qa-doc-seed-count.sh clean.
Net diff: 26 files / -1,883 deletions in compliance/ + -32 net
across the prose sweep.
Companion edits in cowork/ (CLAUDE.md doc-tree summary +
WORKSPACE-CHANGELOG.md retirement note) land separately.
6.3 KiB
6.3 KiB
Deployment Vendor Compatibility Matrix
Last reviewed: 2026-05-05
Deploy-hardening II master bundle deliverable. The procurement-team headline doc — reviewers paste this into vendor-evaluation packs. Per frozen decision 0.14: a (connector × vendor-version) cell is "verified" only when ALL apply: ≥1 happy-path e2e passes against the real sidecar; ≥1 specific-quirk test for that version passes; operator manual smoke completed at least once on a real (non-CI) instance of that vendor version.
Status legend
- ✓ — verified per the three-criterion bar above
- CI — happy-path + quirk e2e green in CI; operator manual smoke pending (the third criterion)
- mock — verified against the in-tree mock; real-vendor validation is the operator's tier above
- pending — planned; tests written; sidecar not yet wired
- n/a — combination not applicable
Per frozen decision 0.1: only LTS + current-stable versions per vendor. EOL versions explicitly excluded.
Matrix
| Connector | Vendor | Version | Status | Known Issues | Workaround | E2E Test Name(s) |
|---|---|---|---|---|---|---|
| NGINX | nginx.org | 1.25 LTS | CI | SSL session cache holds old cert ~5min | ssl_session_timeout 5m; (default) — operator-tunable |
TestVendorEdge_NGINX_SSLSessionCacheHoldsOldCert_E2E |
| NGINX | nginx.org | 1.27 stable | CI | (same) | (same) | (same) |
| Apache httpd | httpd.apache.org | 2.4 LTS | CI | mod_ssl multi-vhost ownership | per-vhost cert config; SSLCertificateFile per <VirtualHost> |
TestVendorEdge_Apache_MultiVhostCertByVhost_E2E |
| HAProxy | haproxy.org | 2.6 LTS | CI | reload vs restart semantics | use systemctl reload haproxy not restart |
TestVendorEdge_HAProxy_ReloadPreservesConnectionsViaSocketActivation_E2E |
| HAProxy | haproxy.org | 2.8 | CI | (same) | (same) | (same) |
| HAProxy | haproxy.org | 3.0 | CI | (same) | (same) | (same) |
| Traefik | traefik.io | 2.x | CI | static-config cert paths require restart | use dynamic file-provider config | TestVendorEdge_Traefik_StaticConfigRequiresRestart_DocumentedAsLimitation_E2E |
| Traefik | traefik.io | 3.x | CI | (same) | (same) | (same) |
| Caddy | caddyserver.com | 2.x | CI | admin API auth lockdown breaks default deploy | set Caddy.AdminAuthorizationHeader per-target |
TestVendorEdge_Caddy_AdminAPILockedDownWithAuth_DeployUsesConfiguredAuthHeaders_E2E |
| Envoy | envoyproxy.io | 1.30 | CI | file-mode SDS only in V2; gRPC SDS V3-Pro | use SDS=file (default) | TestVendorEdge_Envoy_SDSFileMode_DeployRewritesYAML_EnvoyHotReloads_E2E |
| Envoy | envoyproxy.io | 1.32 | CI | (same) | (same) | (same) |
| Postfix | postfix.org | 3.6 | CI | per-listener cert binding | configure cert per-listener block | TestVendorEdge_Postfix_MultiListenerCertBinding_DeployUpdatesCorrectListener_E2E |
| Postfix | postfix.org | 3.8 | CI | (same) | (same) | (same) |
| Dovecot | dovecot.org | 2.3 | CI | submission/submissions port variants | configure both inet_listener blocks | TestVendorEdge_Dovecot_SubmissionSubmissionsPortVariants_E2E |
| IIS | microsoft.com | IIS 10 (Server 2019) | operator-playbook | Windows-host-only validation per operator playbook; app-pool recycle opt-in | AppPoolRecycle: true per-target if needed |
TestVendorEdge_IIS_AppPoolRecycle_OptInForCertChange_E2E |
| IIS | microsoft.com | IIS 10 (Server 2022) | operator-playbook | (same) | (same) | (same) |
| F5 BIG-IP | f5.com | v15.1 LTS | mock | larger cert chain (>4 links) historical issue | use cert chain ≤4 links OR upgrade to v17 | TestVendorEdge_F5_LargeCertChainHandling_E2E |
| F5 BIG-IP | f5.com | v17.0 | mock | (chain limit lifted) | n/a | (same) |
| F5 BIG-IP | f5.com | v17.5 | mock | (same) | n/a | (same) |
| SSH | openssh.com | OpenSSH 8.x | CI | sftp subsystem may be disabled | connector falls back to scp | TestVendorEdge_SSH_SFTPSubsystemAbsent_FallsBackToSCP_E2E |
| SSH | openssh.com | OpenSSH 9.x | CI | (same) | (same) | (same) |
| WinCertStore | microsoft.com | Windows Server 2019 | operator-playbook | Windows-host-only validation per operator playbook; cert store ACL: NS vs IIS_IUSRS | configure store ACL per IIS app-pool identity | TestVendorEdge_WinCertStore_CertStoreACL_NetworkServiceAccess_E2E |
| WinCertStore | microsoft.com | Windows Server 2022 | operator-playbook | (same) | (same) | (same) |
| JavaKeystore | adoptium.net | JDK 11 LTS | pending | keytool -importkeystore semantics |
use KeytoolPath config to pin to JDK |
TestVendorEdge_JavaKeystore_JDK11_vs_17_vs_21_KeytoolBehavior_E2E |
| JavaKeystore | adoptium.net | JDK 17 LTS | pending | (same) | (same) | (same) |
| JavaKeystore | adoptium.net | JDK 21 LTS | pending | (same) | (same) | (same) |
| Kubernetes | kubernetes.io | 1.28 LTS | CI | kubelet sync ~60s for pod-mounted Secrets | CERTCTL_K8S_DEPLOY_KUBELET_SYNC_TIMEOUT=60s (default) |
TestVendorEdge_K8s_KubeletSyncWaitContract_DefaultTimeout60s_E2E |
| Kubernetes | kubernetes.io | 1.30 | CI | (same) | (same) | (same) |
| Kubernetes | kubernetes.io | 1.31 current | CI | (same) | (same) | (same) |
Quarterly re-pin cadence
Every sidecar FROM in deploy/docker-compose.test.yml carries a
SHA-256 digest pin per the H-001 CI guard. Operator re-pins
quarterly:
- Pull the latest tag of each sidecar image.
- Run the per-vendor e2e matrix against the new digest.
- If green, update the digest in
docker-compose.test.yml+ this matrix's "Status" column. - If red, file an issue against the connector + leave the digest pinned to the last-known-good.
How to add a new vendor version
- Add a new sidecar entry to
deploy/docker-compose.test.ymlwith the new image digest. - Add a row to this matrix marking status as "pending".
- Write
TestVendorEdge_<connector>_<edge>_E2Etest(s) that exercise the vendor's known quirks against the new sidecar. - Once tests pass in CI, mark status "CI".
- After operator manual smoke, mark status "✓".
Per-connector deep-dive docs
For the top 5 most-deployed connectors:
Other connector docs live in docs/connectors.md.