mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:51:31 +00:00
shankar0123
672e1d991d
Addresses Medium finding M-4 in the audit report. The multi-stage
Dockerfiles previously had no ARG declarations for HTTP_PROXY,
HTTPS_PROXY, or NO_PROXY, so corporate-proxy environments silently
failed at 'npm ci' (frontend stage) and 'go mod download' (Go builder).
The npm retry idiom (`npm ci --include=dev || npm ci --include=dev`)
masked the failure because the upstream 'Exit handler never called!'
bug exits 0 despite the install crash.
Fix: thread HTTP_PROXY / HTTPS_PROXY / NO_PROXY ARGs through every
Docker build stage that performs network I/O, re-export them as ENV
with both upper- and lower-case aliases (apk/curl/npm read lowercase;
Go/Node read uppercase), and forward the host shell's environment via
`build.args:` in every compose file and `build-args:` in the release
workflow's docker/build-push-action steps. Defaults are empty strings
so un-proxied builds remain byte-identical to the pre-fix tree.
Scope: Dockerfile (frontend + Go builder stages), Dockerfile.agent
(Go builder stage), deploy/docker-compose.yml (server + agent),
deploy/docker-compose.dev.yml (server + agent), deploy/docker-compose.test.yml
(server + agent), .github/workflows/release.yml (both docker/build-push-action
v6 invocations). Zero Go, web, test, or runtime code changes. Zero
base-image changes. Existing npm `||` retry idiom and `ARG TARGETARCH`
preserved verbatim.
CWE-1173 (Improper Use of Validated Input) / CWE-16 (Configuration).
Verification:
- YAML parses clean across all four compose files and release.yml.
- yamllint -d relaxed: clean exit across all five YAML files.
- All six `build.args:` blocks expose HTTP_PROXY, HTTPS_PROXY, NO_PROXY
with default-empty ${VAR:-} substitution.
- Both release.yml docker/build-push-action steps expose the same
three keys sourced from ${{ secrets.HTTP_PROXY }}, etc.
- Dockerfiles contain 5 proxy ARG declarations total (Dockerfile has 2
stages × 3 ARGs = 6 lines, Dockerfile.agent has 1 stage × 3 ARGs = 3
lines); lowercase ENV aliases verified present in every stage.
- git diff --shortstat: 6 files changed, 117 insertions(+), 0 deletions.
Pure additive.
Docker-live verification (`docker build`, `docker compose config`)
deferred to CI / post-commit smoke because the sandbox has no Docker
runtime. hadolint, go, golangci-lint, govulncheck likewise unavailable
in the sandbox; per-layer CI coverage gates (service 55%, handler 60%,
domain 40%, middleware 30%) are trivially unaffected as M-4 touches
zero Go source files.
78 lines
2.8 KiB
YAML
78 lines
2.8 KiB
YAML
version: '3.8'
|
|
|
|
# Development overrides for docker-compose.yml
|
|
# Usage: docker-compose -f deploy/docker-compose.yml -f deploy/docker-compose.dev.yml up
|
|
|
|
services:
|
|
# Override server configuration for development
|
|
certctl-server:
|
|
build:
|
|
context: ..
|
|
dockerfile: Dockerfile
|
|
# Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
|
|
# vars into the Docker build so the Node frontend stage and Go module
|
|
# download can reach the public registries behind corporate proxies.
|
|
# Defaults to empty; omit the variables from the host environment for
|
|
# un-proxied builds and the behaviour is byte-identical to the pre-fix
|
|
# tree.
|
|
args:
|
|
HTTP_PROXY: ${HTTP_PROXY:-}
|
|
HTTPS_PROXY: ${HTTPS_PROXY:-}
|
|
NO_PROXY: ${NO_PROXY:-}
|
|
environment:
|
|
# Verbose logging for development
|
|
CERTCTL_LOG_LEVEL: debug
|
|
CERTCTL_SERVER_HOST: 0.0.0.0
|
|
CERTCTL_SERVER_PORT: "8443"
|
|
volumes:
|
|
# Mount local source for hot reload (requires air or similar)
|
|
# Uncomment if using air or similar for hot reload:
|
|
# - ../cmd:/app/cmd
|
|
# - ../internal:/app/internal
|
|
# - ../api:/app/api
|
|
ports:
|
|
- "8443:8443"
|
|
- "40000:40000" # Delve debugger port (if debugging)
|
|
|
|
# Override agent configuration for development
|
|
certctl-agent:
|
|
build:
|
|
context: ..
|
|
dockerfile: Dockerfile.agent
|
|
# Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
|
|
# vars into the Docker build so the Go module download stage can reach
|
|
# the public Go module proxy behind corporate proxies. Defaults to
|
|
# empty; omit the variables from the host environment for un-proxied
|
|
# builds and the behaviour is byte-identical to the pre-fix tree.
|
|
args:
|
|
HTTP_PROXY: ${HTTP_PROXY:-}
|
|
HTTPS_PROXY: ${HTTPS_PROXY:-}
|
|
NO_PROXY: ${NO_PROXY:-}
|
|
environment:
|
|
CERTCTL_LOG_LEVEL: debug
|
|
|
|
# PgAdmin for database exploration
|
|
pgadmin:
|
|
image: dpage/pgadmin4:latest
|
|
container_name: certctl-pgadmin
|
|
environment:
|
|
PGADMIN_DEFAULT_EMAIL: ${PGADMIN_EMAIL:-admin@example.com}
|
|
PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_PASSWORD:-admin}
|
|
PGADMIN_CONFIG_SERVER_MODE: 'False'
|
|
PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED: 'False'
|
|
ports:
|
|
- "${PGADMIN_PORT:-5050}:80"
|
|
networks:
|
|
- certctl-network
|
|
depends_on:
|
|
- postgres
|
|
restart: unless-stopped
|
|
|
|
# Notes for development:
|
|
# 1. Enable hot reload by installing air: go install github.com/cosmtrek/air@latest
|
|
# Then in cmd/server and cmd/agent, create .air.toml for watch configuration
|
|
# 2. Debug the server by attaching Delve to port 40000
|
|
# 3. Access PgAdmin at http://localhost:5050 to browse the database
|
|
# 4. View server logs: docker-compose logs -f certctl-server
|
|
# 5. View agent logs: docker-compose logs -f certctl-agent
|