mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:11:31 +00:00
shankar0123
5ea8fb48eb
Pure mode-change commit. The previous 3275f9f commit dropped the
executable bit (100755 → 100644) on five files in scripts/ci-guards/
plus scripts/qa-doc-seed-count.sh and scripts/dev-setup.sh — a
sandbox-tooling artefact, not intentional. The CI pipeline calls
each guard via 'bash "$g"' so the missing exec bit didn't break
anything operationally, but operators who run a guard directly via
'./scripts/ci-guards/<id>.sh' would hit a permission-denied. Restore
to 100755 to match the rest of scripts/ci-guards/*.sh.
No content changes.
52 lines
2.2 KiB
Bash
Executable File
52 lines
2.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# scripts/ci-guards/U-2-plaintext-healthcheck.sh
|
|
#
|
|
# U-2 closed cat-u-healthcheck_protocol_mismatch by switching the
|
|
# published image's HEALTHCHECK from `curl -f http://localhost:
|
|
# 8443/health` (always failed against the HTTPS-only listener) to
|
|
# `curl -fsk https://localhost:8443/health`. This script grep-fails
|
|
# the build if any Dockerfile in the repo carries the pre-U-2
|
|
# plaintext shape — either explicitly (`http://localhost:8443/
|
|
# health` in a HEALTHCHECK) or via the looser pattern of any
|
|
# HEALTHCHECK that targets `http://` against the certctl server
|
|
# port.
|
|
#
|
|
# Comment lines and the docs/archive/upgrades/to-tls-v2.2.md:182 expected-to-
|
|
# fail invariant ("plaintext is gone, expect Connection refused")
|
|
# are intentionally exempt — we DO want the upgrade-doc string
|
|
# `http://localhost:8443/health` to remain there, since it
|
|
# documents what operators should test for to confirm plaintext
|
|
# is dead. The guardrail is scoped to Dockerfile* only, so docs
|
|
# are out of its reach.
|
|
#
|
|
# See coverage-gap-audit-2026-04-24-v5/unified-audit.md
|
|
# cat-u-healthcheck_protocol_mismatch for the closure rationale,
|
|
# or deploy/test/healthcheck_test.go for the binary-image
|
|
# contract the runtime test pins.
|
|
|
|
set -e
|
|
|
|
# Patterns that catch the actual regression shapes:
|
|
# - HEALTHCHECK directive carrying any http:// (even if the
|
|
# port differs, no plaintext probe should ship).
|
|
# - The exact pre-U-2 string for grep-friendliness.
|
|
BAD=$(grep -rnEH \
|
|
-e 'HEALTHCHECK.*http://' \
|
|
-e 'curl[^|&;]*-f[^|&;]*http://localhost:8443/health' \
|
|
Dockerfile Dockerfile.agent Dockerfile.* 2>/dev/null \
|
|
| grep -vE '^\s*[^:]+:[0-9]+:\s*#' \
|
|
|| true)
|
|
if [ -n "$BAD" ]; then
|
|
echo "::error::U-2 regression: plaintext HEALTHCHECK reappeared in a Dockerfile:"
|
|
echo "$BAD"
|
|
echo ""
|
|
echo "Allowed: HTTPS HEALTHCHECK with -k (acceptable for"
|
|
echo "localhost-to-localhost), or non-HTTP probe shapes"
|
|
echo "(pgrep, /proc check). See Dockerfile / Dockerfile.agent"
|
|
echo "for the post-U-2 reference shape and"
|
|
echo "coverage-gap-audit-2026-04-24-v5/unified-audit.md"
|
|
echo "cat-u-healthcheck_protocol_mismatch for rationale."
|
|
exit 1
|
|
fi
|
|
echo "U-2 plaintext-healthcheck: clean."
|