gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:21:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

auth-bundle-1 fix: bundled certctl-agent restart loop (latent since 2026-03-14)

Browse Source 
The bundled `docker-compose.yml` started the `certctl-agent` service
without setting `CERTCTL_AGENT_ID`. `cmd/agent/main.go:1297-1300`
fails fast on missing AGENT_ID with "Error: -agent-id flag or
CERTCTL_AGENT_ID env var is required", which sends the container
into a silent restart loop on every fresh `docker compose up`.

Latent since commit d395776 (2026-03-14), which added the env-var
contract on the agent side but never wired a pre-seeded matching
row + env injection on the compose side. The integration test
compose (`docker-compose.test.yml`) does set CERTCTL_AGENT_ID +
seed agent-test-01 via seed_test.sql, which is why CI didn't
surface the bug. Caught when an external operator first cloned
dev/auth-bundle-1 to test Bundle 1.

Closure mirrors the integration-test pattern:

* migrations/seed_demo.sql pre-seeds an `agent-demo-1` row
  alongside the existing server-scanner sentinel. ON CONFLICT
  (id) DO NOTHING preserves idempotency. api_key_hash is a
  no-auth placeholder since demo runs with CERTCTL_AUTH_TYPE=none
  (synthetic actor-demo-anon covers every request).
* deploy/docker-compose.yml certctl-server: add
  CERTCTL_DEMO_SEED=true so the demo seed (which holds the
  agent-demo-1 row + the rest of the demo fixtures) actually
  runs in the bundled compose. The compose is already a demo
  posture (CERTCTL_AUTH_TYPE=none + CERTCTL_KEYGEN_MODE=server),
  so this is consistent. docker-compose.demo.yml still works
  (it sets the same flag) and stays for backward compat.
* deploy/docker-compose.yml certctl-agent: set
  CERTCTL_AGENT_ID=agent-demo-1 (overridable via env) so the
  agent finds its row on first heartbeat.
* Makefile qa-stats: agents-table count bumped 12 -> 13.

Production deploys are unaffected: they override CERTCTL_AUTH_TYPE,
CERTCTL_KEYGEN_MODE, CERTCTL_DEMO_SEED, and CERTCTL_AGENT_ID with
their own compose. The agent is registered via
POST /api/v1/agents and the returned ID is plugged into
CERTCTL_AGENT_ID per docs/operator/installation.md.

Verified path: `docker compose -f deploy/docker-compose.yml up
--build` boots green; certctl-agent reaches Online state on the
first heartbeat; `curl --cacert ... https://localhost:8443/api/v1/agents`
returns agent-demo-1 with status Online instead of an empty list.
This commit is contained in:
shankar0123
2026-05-10 00:51:25 +00:00
parent 45122d7edb
commit efea4d0e03
3 changed files with 37 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/docker-compose.yml
+20
View File
@@ -133,6 +133,15 @@ services:
CERTCTL_KEYGEN_MODE: server # Demo uses server-side keygen; production should use "agent"
CERTCTL_NETWORK_SCAN_ENABLED: "true" # Enable network scan GUI with seeded demo targets
CERTCTL_CONFIG_ENCRYPTION_KEY: ${CERTCTL_CONFIG_ENCRYPTION_KEY:-change-me-32-char-encryption-key} # AES-256-GCM for dynamic issuer/target config
# Bundle 1 follow-on: this compose IS the bundled demo path
# (CERTCTL_AUTH_TYPE=none + KEYGEN_MODE=server above), so the
# demo seed runs by default. seed_demo.sql pre-seeds the
# agent-demo-1 row that the bundled certctl-agent below needs
# to authenticate. The docker-compose.demo.yml overlay still
# works (it sets the same flag) and remains for backward
# compat. Production deploys override CERTCTL_AUTH_TYPE +
# KEYGEN_MODE + DEMO_SEED via their own compose.
CERTCTL_DEMO_SEED: "true"
ports:
- "8443:8443"
volumes:
@@ -183,6 +192,17 @@ services:
CERTCTL_SERVER_URL: https://certctl-server:8443
CERTCTL_SERVER_CA_BUNDLE_PATH: /etc/certctl/tls/ca.crt
CERTCTL_API_KEY: ${CERTCTL_API_KEY:-change-me-in-production}
# Bundle 1 follow-on: pre-Bundle-1 the bundled agent had no
# CERTCTL_AGENT_ID set, hit cmd/agent/main.go's fail-fast guard
# ("agent-id flag or CERTCTL_AGENT_ID env var is required"), and
# restart-looped silently on every fresh `docker compose up`.
# Latent since 2026-03-14 (commit d395776). seed_demo.sql now
# pre-seeds the matching agents row; the demo runs with
# CERTCTL_AUTH_TYPE=none on the server so the api_key Bearer
# token is irrelevant here. Production deploys override
# CERTCTL_AGENT_ID with the value returned from
# POST /api/v1/agents during registration.
CERTCTL_AGENT_ID: ${CERTCTL_AGENT_ID:-agent-demo-1}
CERTCTL_AGENT_NAME: docker-agent
CERTCTL_LOG_LEVEL: info
CERTCTL_DISCOVERY_DIRS: /var/lib/certctl/keys # Agent scans this directory for existing certificates