azaion/missions
1
0
Fork 0
mirror of https://github.com/azaion/missions.git synced 2026-06-21 06:41:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
78dea8ebab6c9a74893941f4689ded934b998715
missions/docker-entrypoint.sh
T
Oleksandr Bezdieniezhnykh 78dea8ebab
ci/woodpecker/push/build-arm Pipeline was successful
Details
chore: update configuration and Docker setup for JWT and test results 
Enhanced the .gitignore to exclude test results and updated the Dockerfile to include a new entrypoint script for improved container initialization. Refactored JWT configuration to support additional parameters for automatic refresh intervals, ensuring better control over token management. Updated the ConfigurationResolver to enforce required environment variables without hardcoded fallbacks, enhancing security and flexibility.
2026-05-15 03:23:23 +03:00

35 lines
1.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# Container startup wrapper for the missions service.
#
# Registers any CA certificates mounted into /usr/local/share/ca-certificates/
# with the system trust store, then execs the original ENTRYPOINT command.
#
# Why this exists:
# .NET HttpClient (used by the JwtBearer JWKS retriever) trusts only CAs in
# /etc/ssl/certs/ca-certificates.crt on Debian-based images. A CA file
# dropped into /usr/local/share/ca-certificates/ is NOT picked up until
# `update-ca-certificates` regenerates the bundle. Because the test harness
# mounts the jwks-mock CA at runtime (not build time), we have to run this
# on every container start.
#
# Production semantics:
# When no extra CAs are mounted, `update-ca-certificates --fresh` is a
# no-op that rewrites the bundle from the OS-provided certs unchanged.
# Operators deploying behind an enterprise PKI can mount their CA and have
# it trusted without rebuilding the image.
#
# Error handling:
# We `|| true` only the CA-update step itself (the only failure mode is a
# read-only /etc/ssl/, which would break the existing image too). We do NOT
# swallow errors from the wrapped dotnet command -- those propagate normally
# via `exec`. A genuinely broken TLS trust chain still surfaces loudly when
# the JWKS HTTPS handshake fails.
set -eu
if command -v update-ca-certificates >/dev/null 2>&1; then
update-ca-certificates --fresh >/dev/null 2>&1 || true
fi
exec "$@"
Reference in New Issue View Git Blame Copy Permalink