gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:21:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(compose): DEPL-002 — pin alpine/openssl + postgres:16-alpine by digest + H-002 CI guard

Browse Source 
Sprint 3 unified-master-audit closure. The production-shaped compose
(deploy/docker-compose.yml) — explicitly self-described as
'PRODUCTION-SHAPED (Bundle 2)' in its header — pulled two images by
floating tag:

    image: alpine/openssl:latest
    image: postgres:16-alpine

The certctl Dockerfiles have been digest-pinned for two bundles
(see Bundle A / H-001 + the digest-validity.sh CI guard). Compose
shipped on the lower bar — a registry-side tag swap could change
what an operator deploys without their seeing the diff in their
infra repo.

Fix:
  - Pin both images by @sha256: (alpine/openssl looked up via Docker
    Hub tag API on 2026-05-16; postgres:16-alpine the same).
  - New scripts/ci-guards/H-002-bare-compose-image.sh — analogous
    to H-001 — fails the build if any 'image:' line in
    deploy/docker-compose.yml lacks a @sha256 digest. Test compose
    files (deploy/docker-compose.test.yml + the loadtest stack)
    and examples/ stay scoped out by design: those are throwaway
    development-loop tooling where floating tags are intentional.
  - The existing digest-validity.sh CI guard auto-discovers
    digests via grep across deploy/ so the new pins get verified
    on the same run that pulls them, without a separate change.

Closes DEPL-002.
This commit is contained in:
shankar0123
2026-05-16 04:31:14 +00:00
parent b721596213
commit 360eaa75bc
2 changed files with 63 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/docker-compose.yml
+13 -2
View File
@@ -62,7 +62,13 @@ services:
# handshake. ECDSA-P256 with SHA-256 is universally supported. See
# docs/tls.md Pattern 1.
certctl-tls-init:
image: alpine/openssl:latest
# DEPL-002 closure (Sprint 3, 2026-05-16): digest-pin so the
# production-shaped compose has the same supply-chain posture as
# the certctl Dockerfiles (which CI guards via digest-validity.sh).
# The :latest tag floats; the digest is captured at the time
# this comment was written. Bump after running the digest-
# validity guard to confirm the new digest is still pullable.
image: alpine/openssl:latest@sha256:41036db23542ed4cc09bc278d8a7e23b3da01690abb4b0e353b1bb87d70520ed
container_name: certctl-tls-init
restart: "no"
entrypoint: /bin/sh
@@ -123,7 +129,12 @@ services:
# `unhealthy` flap to cascade into certctl-server's `service_healthy`
# depends_on, blocking the whole stack.
postgres:
image: postgres:16-alpine
# DEPL-002 closure (Sprint 3, 2026-05-16): digest-pin matching the
# alpine/openssl pin above. The `16-alpine` tag is the stable
# major-version stream; the digest snapshots today's image so a
# silent upstream rebuild can't slip into a production deploy
# mid-rollout. Bump alongside dependency reviews.
image: postgres:16-alpine@sha256:890480b08124ce7f79960a9bb16fe39729aa302bd384bfd7c408fee6c8f7adb7
container_name: certctl-postgres
environment:
POSTGRES_DB: certctl