-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix docker-compose service order #1537
Conversation
Without this change, when Fulcio is run in docker-compose, signing an artifact may fail with the error "Error entering certificate in CTL". This happens if the docker-compose service have been run previously on the host and the ctfeConfig volume is populated from the last run, so it would generally only be seen in a developer environment. The error happens because the ctfe_init container starts too soon, and ct_server starts with Fulcio's ephemeral root CA from the last run, which is now the wrong CA. This change fixes the issue by ensuring ct_server only starts after ctfe_init has exited successfully, instead of just after it is started. This also means that Fulcio needs to be one of the first services to start so that it can make the ephemeral CA available to download. Signed-off-by: Colleen Murphy <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1537 +/- ##
==========================================
+ Coverage 57.58% 57.74% +0.16%
==========================================
Files 50 50
Lines 3112 3112
==========================================
+ Hits 1792 1797 +5
+ Misses 1160 1156 -4
+ Partials 160 159 -1 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we should also be enforcing that the CT log is healthy when starting up the service, here:
Lines 262 to 277 in b7b2eba
if logURL := viper.GetString("ct-log-url"); logURL != "" { | |
opts := jsonclient.Options{ | |
Logger: logAdaptor{logger: log.Logger}, | |
} | |
// optionally add CT log public key to verify SCTs | |
if pubKeyPath := viper.GetString("ct-log-public-key-path"); pubKeyPath != "" { | |
pemPubKey, err := os.ReadFile(filepath.Clean(pubKeyPath)) | |
if err != nil { | |
log.Logger.Fatal(err) | |
} | |
opts.PublicKey = string(pemPubKey) | |
} | |
ctClient, err = ctclient.New(logURL, &http.Client{Timeout: 30 * time.Second}, opts) | |
if err != nil { | |
log.Logger.Fatal(err) | |
} |
This would prevent Fulcio starting up while the CT log failed to, and all requests failing.
We would have a chicken-and-egg problem though - Fulcio requiring the CT log, the CT log init script requiring Fulcio. We could generate the CA certificate out of band and give that to the CT log rather than use the init script, though we'll need another script to generate fresh CA certs.
Anywho, not a blocker, just something we could change later on.
Right, this wouldn't be possible with the way we're currently running fulcio with |
Without this change, when Fulcio is run in docker-compose, signing an artifact may fail with the error "Error entering certificate in CTL". This happens if the docker-compose service have been run previously on the host and the ctfeConfig volume is populated from the last run, so it would generally only be seen in a developer environment. The error happens because the ctfe_init container starts too soon, and ct_server starts with Fulcio's ephemeral root CA from the last run, which is now the wrong CA. This change fixes the issue by ensuring ct_server only starts after ctfe_init has exited successfully, instead of just after it is started. This also means that Fulcio needs to be one of the first services to start so that it can make the ephemeral CA available to download.
Summary
Release Note
NONE
Documentation