Files
scrabble-game/deploy/gen-certs.sh
T
Ilia Denisov 860cfeb30f
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 13s
CI / ui (pull_request) Successful in 54s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 53s
fix(deploy): make bot-link cert leaves readable by the distroless nonroot UID
The gateway and bot run on distroless nonroot (UID 65532) and bind-mount the
cert dir read-only, but gen-certs.sh wrote the keys 0600 (owner-only, the deploy
user), so both crash-looped at boot with "open /certs/*.key: permission denied"
and the deploy probe correctly failed (the contour's gateway was down).

The .crt files were already 0644 (openssl default); make the leaf keys 0644 too
so UID 65532 can read them. These are ephemeral TEST certificates regenerated
every deploy on the trusted runner; prod keys come from PROD_ secrets. The CA
private key stays 0600 (containers never read it).
2026-06-21 00:27:43 +02:00

69 lines
2.8 KiB
Bash
Executable File

#!/usr/bin/env bash
# Generate the bot-link mTLS material for the TEST contour: a private CA, a gateway
# server leaf and a bot client leaf. The gateway requires the leaf + the bot the
# client leaf to bring up the reverse bot-link; the CA signs both so each peer trusts
# only the other.
#
# Production certificates come from PROD_ secrets, NOT this script. Private keys never
# leave the host/secrets; deploy/certs/ is gitignored. The script is idempotent: it
# reuses an existing CA + leaves unless --force is passed (rotation re-mints the
# leaves from the same long-lived CA).
#
# Usage:
# deploy/gen-certs.sh [--force] [dir]
# Env:
# BOTLINK_GATEWAY_NAME gateway certificate SAN/CN (default: gateway, the compose
# service name the bot dials in the test contour)
set -euo pipefail
force=0
dir=""
for arg in "$@"; do
case "$arg" in
--force) force=1 ;;
*) dir="$arg" ;;
esac
done
dir="${dir:-$(cd "$(dirname "$0")" && pwd)/certs}"
gw_name="${BOTLINK_GATEWAY_NAME:-gateway}"
mkdir -p "$dir"
cd "$dir"
if [[ -f gateway.crt && -f bot.crt && "$force" -ne 1 ]]; then
echo "gen-certs: certificates already present in $dir (use --force to rotate the leaves)"
exit 0
fi
# CA: long-lived (10y), reused across leaf rotations.
if [[ ! -f ca.crt || ! -f ca.key ]]; then
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
-keyout ca.key -out ca.crt -days 3650 -subj "/CN=scrabble-botlink-ca"
echo "gen-certs: created CA"
fi
# Gateway server leaf (SAN matches the name the bot dials).
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
-keyout gateway.key -out gateway.csr -subj "/CN=${gw_name}"
openssl x509 -req -in gateway.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out gateway.crt -days 825 \
-extfile <(printf "subjectAltName=DNS:%s,DNS:localhost\nextendedKeyUsage=serverAuth\nkeyUsage=critical,digitalSignature\n" "$gw_name")
# Bot client leaf.
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
-keyout bot.key -out bot.csr -subj "/CN=scrabble-bot"
openssl x509 -req -in bot.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out bot.crt -days 825 \
-extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n")
rm -f gateway.csr bot.csr ca.srl
# The gateway and bot run on distroless **nonroot** (UID 65532) and bind-mount this
# dir read-only; a key owned by the deploy user must still be readable by that UID, so
# the leaves are world-readable (0644, like the .crt files). These are ephemeral
# TEST certificates regenerated every deploy on the trusted runner host; production
# keys come from PROD_ secrets, not this script. The CA key never enters a container —
# keep it owner-only.
chmod 644 ./ca.crt ./gateway.crt ./gateway.key ./bot.crt ./bot.key
chmod 600 ./ca.key
echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir"