mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:51:30 +00:00
shankar0123
072e2af198
Fourth latent bug surfaced by the Auditable Codebase Bundle's cold-DB compose smoke. CI run on master tip5b151e74fails with: certctl-postgres | FATAL: password authentication failed for user "certctl" (SQLSTATE 28P01 — invalid_password) after every other auth gate has been satisfied. The earlier closures (6d0f774DEMO_MODE_ACK,910097emigration 000043 idempotency,58b1441bootstrap-token interpolation) all hold; this one is a different interpolation gap. Root cause: the base compose at deploy/docker-compose.yml:177 builds the certctl-server's database URL via compose-level interpolation: CERTCTL_DATABASE_URL: ${CERTCTL_DATABASE_URL:-postgres://certctl:${POSTGRES_PASSWORD}@postgres:5432/certctl?sslmode=disable} The inner ${POSTGRES_PASSWORD} reads the SHELL environment, not the postgres service's environment: block. The demo overlay sets POSTGRES_PASSWORD: certctl on the postgres service (which feeds postgres's initdb only — that's why the database is seeded with password 'certctl'), but never exports it as a compose-level shell var. In a zero-env-var CI run the shell var is blank, so the generated URL is: postgres://certctl:@postgres:5432/certctl?sslmode=disable ^ empty password while postgres rejects with SCRAM mismatch because its pg_authid holds the hash of 'certctl'. Pre-CI, this gap was masked because every developer running the demo locally had POSTGRES_PASSWORD=certctl in their shell or deploy/.env from earlier sessions; the cold-DB smoke is the first zero-env-var consumer of this overlay. Fix: pin CERTCTL_DATABASE_URL with the literal demo password in the demo overlay's certctl-server environment block. The base compose's ${CERTCTL_DATABASE_URL:-...} default is overlay-overridable, so this literal is overlay-scoped — production deploys that supply their own CERTCTL_DATABASE_URL still win. The overlay was always claimed self-sufficient by its docstring ('Supplies the change-me-... placeholder values for POSTGRES_PASSWORD, CERTCTL_API_KEY, CERTCTL_CONFIG_ENCRYPTION_KEY, and CERTCTL_AGENT_ID so the demo runs without a deploy/.env file') — this commit makes the database URL actually match that claim. Same pattern as the58b1441BOOTSTRAP_TOKEN fix: when compose-level interpolation reads from the shell, the overlay's environment: block alone is not enough; the variable that references it must also be pinned explicitly. Verified: YAML parse clean (python3 yaml.safe_load). All 35 scripts/ci-guards/*.sh green, including complete-path-config-coverage.sh (CERTCTL_DATABASE_URL has a non-config consumer in deploy/), G-3-env-docs-drift, B2-compose-base-no-demo-env, S-1-hardcoded-source-counts.