Add CertProvisioner that requests TLS certificates from Metacrypt's CA API during deploy.

When a service has L7 routes, the agent checks for an existing cert, re-issues if missing or within 30 days of expiry, and writes chain+key to mc-proxy's cert directory before registering routes.

- Add MetacryptConfig to agent config (server_url, ca_cert, mount, issuer, token_path) with defaults and env overrides
- Add CertProvisioner (internal/agent/certs.go): REST client for Metacrypt IssueCert, atomic file writes, cert expiry checking
- Wire into Agent struct and deploy flow (before route registration)
- Add hasL7Routes/l7Hostnames helpers in deploy.go
- Fix pre-existing lint issues: unreachable code in portalloc.go, gofmt in servicedef.go, gosec suppressions, golangci v2 config
- Update vendored mc-proxy to fix protobuf init panic
- 10 new tests, make all passes with 0 issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
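The two provisioning rules the commit message describes (re-issue when the on-disk chain is missing or within 30 days of expiry; write chain and key atomically into the proxy's cert directory) as an added Go illustration, not the project's own internal/agent/certs.go: the names NeedsReissue, WriteAtomic and SelfSignedPEM, and the 0644/0600 file modes, are assumptions, and the self-signed certificate is constructed sample input rather than anything issued by Metacrypt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// RenewWindow is the 30-day re-issue threshold named in the commit message.
const RenewWindow = 30 * 24 * time.Hour

// NeedsReissue is true when the chain is absent, unparseable, or expires within RenewWindow of now.
func NeedsReissue(chainPEM []byte, now time.Time) bool {
	block, _ := pem.Decode(chainPEM) // the leaf is the chain's first block
	if block == nil || block.Type != "CERTIFICATE" {
		return true
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	return err != nil || now.Add(RenewWindow).After(cert.NotAfter)
}

// WriteAtomic stages data in a same-directory temp file, then renames it over path, so a proxy watching its cert dir never loads a half-written file.
func WriteAtomic(path string, data []byte, mode os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tmp-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	_, werr := tmp.Write(data)
	// chmod (assumed 0644 for the chain, 0600 for the key) and fsync before the rename makes it visible
	if err := errors.Join(werr, tmp.Chmod(mode), tmp.Sync(), tmp.Close()); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// SelfSignedPEM builds a throwaway self-signed leaf expiring at notAfter (constructed sample input; errors ignored because this is not CA issuance).
func SelfSignedPEM(notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```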
90 lines
1.8 KiB
YAML
version: "2"

run:
  timeout: 5m
  tests: true

linters:
  exclusions:
    paths:
      - vendor
    rules:
      # In test files, suppress gosec rules that are false positives:
      # G101: hardcoded test credentials
      # G304: file paths from variables (t.TempDir paths)
      # G306: WriteFile with 0644 (cert files need to be readable)
      # G404: weak RNG (not security-relevant in tests)
      - path: "_test\\.go"
        linters:
          - gosec
        text: "G101|G304|G306|G404"
      # Nil context is acceptable in tests for nil-receiver safety checks.
      - path: "_test\\.go"
        linters:
          - staticcheck
        text: "SA1012"
  default: none
  enable:
    - errcheck
    - govet
    - ineffassign
    - unused
    - errorlint
    - gosec
    - staticcheck
    - revive

  settings:
    errcheck:
      check-blank: false
      check-type-assertions: true

    govet:
      enable-all: true
      disable:
        - shadow
        - fieldalignment

    gosec:
      severity: medium
      confidence: medium
      excludes:
        - G104

    errorlint:
      errorf: true
      asserts: true
      comparison: true

    revive:
      rules:
        - name: error-return
          severity: error
        - name: unexported-return
          severity: error
        - name: error-strings
          severity: warning
        - name: if-return
          severity: warning
        - name: increment-decrement
          severity: warning
        - name: var-naming
          severity: warning
        - name: range
          severity: warning
        - name: time-naming
          severity: warning
        - name: indent-error-flow
          severity: warning
        - name: early-return
          severity: warning

formatters:
  enable:
    - gofmt
    - goimports

issues:
  max-issues-per-linter: 0
  max-same-issues: 0