fix(deploy): make bot-link cert leaves readable by the distroless nonroot UID
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 13s
CI / ui (pull_request) Successful in 54s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 53s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 13s
CI / ui (pull_request) Successful in 54s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 53s
The gateway and bot run on distroless nonroot (UID 65532) and bind-mount the cert dir read-only, but gen-certs.sh wrote the keys 0600 (owner-only, the deploy user), so both crash-looped at boot with "open /certs/*.key: permission denied" and the deploy probe correctly failed (the contour's gateway was down). The .crt files were already 0644 (openssl default); make the leaf keys 0644 too so UID 65532 can read them. These are ephemeral TEST certificates regenerated every deploy on the trusted runner; prod keys come from PROD_ secrets. The CA private key stays 0600 (containers never read it).
This commit is contained in:
+8
-1
@@ -57,5 +57,12 @@ openssl x509 -req -in bot.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
|
||||
-extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n")
|
||||
|
||||
rm -f gateway.csr bot.csr ca.srl
|
||||
chmod 600 ./*.key
|
||||
# The gateway and bot run on distroless **nonroot** (UID 65532) and bind-mount this
|
||||
# dir read-only; a key owned by the deploy user must still be readable by that UID, so
|
||||
# the leaves are world-readable (0644, like the .crt files). These are ephemeral
|
||||
# TEST certificates regenerated every deploy on the trusted runner host; production
|
||||
# keys come from PROD_ secrets, not this script. The CA key never enters a container —
|
||||
# keep it owner-only.
|
||||
chmod 644 ./ca.crt ./gateway.crt ./gateway.key ./bot.crt ./bot.key
|
||||
chmod 600 ./ca.key
|
||||
echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir"
|
||||
|
||||
Reference in New Issue
Block a user