bootstrap/rig-system/kustomize/operations-manager/overlays/odcn-production/patches Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -9,23 +9,7 @@ __pycache__/
99! /security /readme.md
1010! /security /tls /
1111/security /tls /** /* .pem
12- # SSH / git server keys must never be committed. They are mounted at runtime
13- # from a Kubernetes Secret, not baked into the image or stored in the repo.
1412/keys /
15- keys /git-server-key
16- keys /git-server-key.pub
17- * .pem
18- * _rsa
19- * _ed25519
20- id_ *
21- # Environment files contain secrets and must never be committed. They are
22- # delivered at runtime via Kubernetes Secrets (operations-manager-env-secrets).
23- .env
24- .env. *
25- ! .env.example
26- ! .env.sample
27- /operations-manager /python /.env
28- /operations-manager /python /.env.production
2913/operations-manager /python /scripts /.env. *
3014/operations-manager /python /log *
3115/operations-manager /python /.env.local
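Review bot: removing the `keys/git-server-key`, `*.pem`, `*_rsa`, `*_ed25519`, `id_*`, `.env` and `.env.*` ignore rules (old lines 15-28) leaves the git server private key and `/operations-manager/python/.env.production` unprotected against an accidental `git add`; the entries that survive only cover `scripts/.env.*`, `log*` and `.env.local`. Unless an equivalent control exists elsewhere in the repository (for example a pre-commit secret scanner), keep at least the key-material and `.env` patterns together with the `!.env.example` / `!.env.sample` exceptions, or say in the commit message why they are no longer needed. It is also worth confirming with `git ls-files` that none of these paths are already tracked.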
Original file line number Diff line number Diff line change 99 - name : ghcr-rig-robot-pull-secret
1010 containers :
1111 - name : operations-manager
12- # TODO(security): pin by immutable digest in a follow-up release.
13- # The current :latest is mutable; once a digest pin is in place
14- # (rcr.rijksapps.nl/ghcr-rig/minbzk/.../operations-manager@sha256:<digest>),
15- # ArgoCD will only redeploy on explicit manifest change instead of on
16- # silent image-registry mutation. Out-of-scope for this security PR.
1712 image : rcr.rijksapps.nl/ghcr-rig/minbzk/base-images/operations-manager/operations-manager:latest
1813 resources :
1914 limits :
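Review bot: dropping the `TODO(security)` comment (old lines 12-16) removes the only in-tree record that `operations-manager:latest` is a mutable tag, while the `image:` line itself is unchanged, so the deployment still tracks whatever the registry happens to serve under that tag. Either keep the comment (or replace it with a reference to a tracking issue) or pin by digest now, in the form the removed text already proposed (`operations-manager@sha256:<digest>`), so that ArgoCD redeploys only on an explicit manifest change.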
Original file line number Diff line number Diff line change @@ -96,14 +96,6 @@ FROM dependencies AS application
9696RUN groupadd -g 1001 appuser && \
9797 useradd -r -u 1001 -g appuser appuser
9898
99- # Create directory for SSH keys. The git SSH private key is NOT baked into
100- # the image. It is mounted at runtime from a Kubernetes Secret (see
101- # bootstrap/rig-system/kustomize/operations-manager/base/deployment.yaml,
102- # volume "git-server-key" at GIT_SERVER_KEY_PATH=/app/keys/git-server-key).
103- # Baking the key (or .env/.env.production) into image layers leaks the
104- # GitOps write credential to anyone who can pull the image.
105- RUN mkdir -p /app/keys
106-
10799# Copy Alembic configuration (for database migrations)
108100COPY operations-manager/python/alembic.ini /app/
109101
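Review bot: this hunk deletes `RUN mkdir -p /app/keys` together with the comment explaining that the git SSH key is mounted there at runtime rather than baked into a layer (old lines 99-105), and nothing replaces that rationale. The deployment named in the removed comment mounts the Secret at `GIT_SERVER_KEY_PATH=/app/keys/git-server-key`; confirm that the mount point is still created at runtime and that the later `chown -R appuser:appuser /app` does not need to cover it, and keep a one-line comment stating that the key is never copied into the image, since that is the property a future change is most likely to break.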
@@ -118,8 +110,6 @@ COPY operations-manager/python/extensions ./extensions
118110COPY operations-manager/python/sources ./sources
119111COPY operations-manager/python/static ./static
120112
121- # Set proper permissions for application files. The git SSH key is provided
122- # at runtime via a read-only Secret volume mount, not written here.
123113RUN chown -R appuser:appuser /app && \
124114 chmod -R 755 /app
125115
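Review bot: the comment removed at old lines 121-122 was the only statement in this part of the Dockerfile that the SSH key is provided by a read-only Secret mount and not written here; with it gone, `chown -R appuser:appuser /app && chmod -R 755 /app` reads as generic setup. Keep a short note, and consider restricting `chmod -R 755` to directories, since 755 on every file under `/app` makes them world-readable and executable, which matters if any secret-bearing path ever ends up under `/app`.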