mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:01:30 +00:00
shankar0123
25996f86fa
Phase 2 SEC-H3 (commit 69a2b5c) added a fail-closed requirement: when
CERTCTL_DEMO_MODE_ACK=true, the server refuses to start unless
CERTCTL_DEMO_MODE_ACK_TS=<unix-epoch> is set and within the last 24h.
The demo overlay (docker-compose.demo.yml) sets DEMO_MODE_ACK=true
but didn't supply the paired TS, so:
Failed to load configuration: phase-2 SEC-H3 fail-closed guard
(missing TS): CERTCTL_DEMO_MODE_ACK=true requires
CERTCTL_DEMO_MODE_ACK_TS=<unix-epoch> set within the last 24h —
refuse to start.
This bricks the cold-DB compose smoke job, the README quickstart
(`docker compose -f .yml -f demo.yml up`), and every operator using
the demo overlay locally — symptom: certctl-server container restart
loop with the SEC-H3 message above.
Fix is three-piece:
1. deploy/docker-compose.demo.yml passes the TS through from the
shell env via `CERTCTL_DEMO_MODE_ACK_TS: "${CERTCTL_DEMO_MODE_ACK_TS:-}"`.
The overlay can't hardcode the value (it would rot the next day)
and SEC-H3 is designed to refresh on every up.
2. deploy/demo-up.sh — new helper that mints
`CERTCTL_DEMO_MODE_ACK_TS=$(date +%s)` and forwards args to
`docker compose up`. The SEC-H3 error message points operators
at it. Replaces the bare `docker compose -f ... up` invocation
in the overlay's docstring + README quickstart references.
3. .github/workflows/ci.yml cold-db-compose-smoke job exports a fresh
TS before the initial up-d AND re-emits it into /tmp/_smoke.env so
the force-recreate at step 4 inherits the value (--env-file replaces
the shell-env source for compose-file interpolation, so omitting the
re-emission would re-trip the guard).
Other CI compose surfaces verified clean:
- docker-compose.test.yml uses auth=api-key (not demo-mode); not
affected.
- security-deep-scan.yml uses the base compose without the demo
overlay; not affected.
Verified locally: YAML parses, bash syntax check passes on demo-up.sh,
overlay's docstring + the SEC-H3 error message now agree on the helper
script's existence.
39 lines
1.5 KiB
Bash
Executable File
39 lines
1.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# deploy/demo-up.sh — boot the certctl demo stack with the fresh
|
|
# CERTCTL_DEMO_MODE_ACK_TS the Phase 2 SEC-H3 guard requires.
|
|
#
|
|
# The demo overlay sets CERTCTL_DEMO_MODE_ACK=true. Phase 2 SEC-H3
|
|
# (2026-05-13) pairs that with a fail-closed requirement: the server
|
|
# refuses to start unless CERTCTL_DEMO_MODE_ACK_TS=<unix-epoch> is set
|
|
# and is within the last 24h (with 1-minute future clock-skew tolerance).
|
|
#
|
|
# A static value in docker-compose.demo.yml would rot the next day, so
|
|
# the overlay passthroughs the value from the shell environment. This
|
|
# helper mints a fresh TS at run time and forwards any extra args to
|
|
# `docker compose up`, so operators can use it as a drop-in replacement
|
|
# for the bare command. Example:
|
|
#
|
|
# ./demo-up.sh -d # cold boot in detached mode
|
|
# ./demo-up.sh -d --pull always # forward any flags through
|
|
#
|
|
# The cold-DB compose smoke in .github/workflows/ci.yml does the same
|
|
# thing inline; this script exists so local operators don't have to
|
|
# remember the export.
|
|
|
|
set -euo pipefail
|
|
|
|
# cd to the deploy/ dir so the relative `-f` paths resolve regardless
|
|
# of where the operator invokes this from. The script lives next to
|
|
# the compose files it references.
|
|
cd "$(dirname "$0")"
|
|
|
|
export CERTCTL_DEMO_MODE_ACK_TS="$(date +%s)"
|
|
|
|
echo "[demo-up] minting CERTCTL_DEMO_MODE_ACK_TS=$CERTCTL_DEMO_MODE_ACK_TS"
|
|
echo "[demo-up] running: docker compose -f docker-compose.yml -f docker-compose.demo.yml up $*"
|
|
|
|
exec docker compose \
|
|
-f docker-compose.yml \
|
|
-f docker-compose.demo.yml \
|
|
up "$@"
|