mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 22:01:36 +00:00
shankar0123
49f1a60762
Phase 3 of the deploy-hardening I master bundle. Extends the
target.Connector interface with the dry-run method that operators
will use to preview a deploy before committing — but ships only the
default-stub for all 13 connectors. Phases 4-9 replace each stub
with the real validate-with-the-target implementation.
interface.go:
- Add ErrValidateOnlyNotSupported sentinel (frozen decision 0.6 —
connectors that cannot dry-run, like K8s, return this rather than
nil so operator triage can errors.Is for "not supported" vs
"validated successfully").
- Add ValidateOnly(ctx, request DeploymentRequest) error to
Connector interface.
13 new validate_only.go files (one per connector at
internal/connector/target/<name>/validate_only.go):
- apache, caddy, envoy, f5, haproxy, iis, javakeystore, k8ssecret,
nginx, postfix, ssh, traefik, wincertstore.
- Each file is identical except for the package declaration: a
one-method default stub returning target.ErrValidateOnlyNotSupported.
- Per-connector files (rather than a single embed-method approach)
let Phases 4-9 replace each connector's stub independently
without churning a shared base.
Tests:
- internal/connector/target/validate_only_test.go pins the sentinel
contract (errors.Is identity, Error() string, %w wrap propagation).
- internal/connector/target/validate_only_smoke_test.go (external
test package) constructs a zero-value &<pkg>.Connector{} for each
of the 13 connectors and asserts ValidateOnly returns
ErrValidateOnlyNotSupported. The test's
connectorsAtPhase3 list is the load-bearing CI guard:
- A 14th connector added without wiring ValidateOnly fails the
`len(connectorsAtPhase3) != 13` invariant.
- A connector whose real ValidateOnly lands (Phase 4 NGINX, Phase
5 Apache, etc.) MUST be removed from this list or the smoke test
fails (real impl no longer returns the sentinel). That removal
IS the bookkeeping that the operator-visible bit + behavior
change are wired together end-to-end.
Compile + go vet + golangci-lint v2.11.4 + go test all 0 issues.
Phase 4 next: NGINX canonical real-impl — replace the stub with
nginx -t -c <temp>; same time replace the existing os.WriteFile
flow in DeployCertificate with deploy.Apply(...).
85 lines
3.7 KiB
Go
85 lines
3.7 KiB
Go
package target
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"time"
|
|
)
|
|
|
|
// ErrValidateOnlyNotSupported is returned by ValidateOnly when the
|
|
// connector cannot dry-run a deploy (e.g., K8s — there is no API
|
|
// for "would this Secret update succeed without modifying state?").
|
|
//
|
|
// Frozen decision 0.6 of the deploy-hardening I master bundle:
|
|
// ValidateOnly returns this sentinel rather than nil so operators
|
|
// can errors.Is to distinguish "validated successfully" from
|
|
// "validation not supported on this connector type."
|
|
var ErrValidateOnlyNotSupported = errors.New("target connector does not support ValidateOnly dry-run")
|
|
|
|
// Connector defines the interface for certificate deployment operations.
|
|
type Connector interface {
|
|
// ValidateConfig validates the deployment target configuration.
|
|
ValidateConfig(ctx context.Context, config json.RawMessage) error
|
|
|
|
// DeployCertificate deploys a certificate to the target.
|
|
// The request contains the certificate and chain in PEM format, but never a private key.
|
|
DeployCertificate(ctx context.Context, request DeploymentRequest) (*DeploymentResult, error)
|
|
|
|
// ValidateOnly runs the validate step (PreCommit) of a deploy
|
|
// WITHOUT touching the live cert. Returns nil when the deploy
|
|
// would succeed at the validate stage; returns
|
|
// ErrValidateOnlyNotSupported when the connector cannot dry-run
|
|
// (e.g., K8s — there's no API for "would this Secret update
|
|
// succeed without modifying state?"); returns any other error
|
|
// from the connector's validate step.
|
|
//
|
|
// Operators preview a deploy via this method before committing.
|
|
// Phase 3 of the deploy-hardening I master bundle adds the
|
|
// interface method; Phases 4-9 implement the meaningful path
|
|
// per connector.
|
|
ValidateOnly(ctx context.Context, request DeploymentRequest) error
|
|
|
|
// ValidateDeployment verifies that a deployed certificate is valid and accessible.
|
|
ValidateDeployment(ctx context.Context, request ValidationRequest) (*ValidationResult, error)
|
|
}
|
|
|
|
// DeploymentRequest contains the parameters for deploying a certificate to a target.
|
|
// In agent keygen mode, KeyPEM is populated from the agent's local key store.
|
|
// In server keygen mode (demo only), KeyPEM may be empty if the key was embedded in the cert version.
|
|
type DeploymentRequest struct {
|
|
CertPEM string `json:"cert_pem"`
|
|
KeyPEM string `json:"key_pem,omitempty"`
|
|
ChainPEM string `json:"chain_pem"`
|
|
TargetConfig json.RawMessage `json:"target_config"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|
|
|
|
// DeploymentResult contains the result of a successful certificate deployment.
|
|
type DeploymentResult struct {
|
|
Success bool `json:"success"`
|
|
TargetAddress string `json:"target_address"`
|
|
DeploymentID string `json:"deployment_id"`
|
|
Message string `json:"message"`
|
|
DeployedAt time.Time `json:"deployed_at"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|
|
|
|
// ValidationRequest contains the parameters for validating a deployed certificate.
|
|
type ValidationRequest struct {
|
|
CertificateID string `json:"certificate_id"`
|
|
Serial string `json:"serial"`
|
|
TargetConfig json.RawMessage `json:"target_config"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|
|
|
|
// ValidationResult contains the result of a certificate validation check.
|
|
type ValidationResult struct {
|
|
Valid bool `json:"valid"`
|
|
Serial string `json:"serial"`
|
|
TargetAddress string `json:"target_address"`
|
|
Message string `json:"message"`
|
|
ValidatedAt time.Time `json:"validated_at"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|