From 860cfeb30fc40b2567f6ce6e016207b7cb7094c9 Mon Sep 17 00:00:00 2001 From: Ilia Denisov Date: Sun, 21 Jun 2026 00:27:43 +0200 Subject: [PATCH] fix(deploy): make bot-link cert leaves readable by the distroless nonroot UID The gateway and bot run on distroless nonroot (UID 65532) and bind-mount the cert dir read-only, but gen-certs.sh wrote the keys 0600 (owner-only, the deploy user), so both crash-looped at boot with "open /certs/*.key: permission denied" and the deploy probe correctly failed (the contour's gateway was down). The .crt files were already 0644 (openssl default); make the leaf keys 0644 too so UID 65532 can read them. These are ephemeral TEST certificates regenerated every deploy on the trusted runner; prod keys come from PROD_ secrets. The CA private key stays 0600 (containers never read it). --- deploy/gen-certs.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/deploy/gen-certs.sh b/deploy/gen-certs.sh index 0f9ad0d..7a15636 100755 --- a/deploy/gen-certs.sh +++ b/deploy/gen-certs.sh @@ -57,5 +57,12 @@ openssl x509 -req -in bot.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n") rm -f gateway.csr bot.csr ca.srl -chmod 600 ./*.key +# The gateway and bot run on distroless **nonroot** (UID 65532) and bind-mount this +# dir read-only; a key owned by the deploy user must still be readable by that UID, so +# the leaves are world-readable (0644, like the .crt files). These are ephemeral +# TEST certificates regenerated every deploy on the trusted runner host; production +# keys come from PROD_ secrets, not this script. The CA key never enters a container — +# keep it owner-only. +chmod 644 ./ca.crt ./gateway.crt ./gateway.key ./bot.crt ./bot.key +chmod 600 ./ca.key echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir"