
Commit 40bbf94

fix: opruimen SSH-key referenties uit Dockerfile, patches, gitignore
- Dockerfile: /app/keys mkdir + verbose comment-blok weg
- patches/deployment.yaml: TODO-comment over digest-pin weg (zit in follow-up issue #92)
- .gitignore: alleen /keys/ als forward-protection; comments + onnodige patronen weg
1 parent 74ed0eb commit 40bbf94

3 files changed

Lines changed: 0 additions & 31 deletions


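--- a/.gitignore
+++ b/.gitignore
@@ -9,23 +9,7 @@ __pycache__/
 !/security/readme.md
 !/security/tls/
 /security/tls/**/*.pem
-# SSH / git server keys must never be committed. They are mounted at runtime
-# from a Kubernetes Secret, not baked into the image or stored in the repo.
 /keys/
-keys/git-server-key
-keys/git-server-key.pub
-*.pem
-*_rsa
-*_ed25519
-id_*
-# Environment files contain secrets and must never be committed. They are
-# delivered at runtime via Kubernetes Secrets (operations-manager-env-secrets).
-.env
-.env.*
-!.env.example
-!.env.sample
-/operations-manager/python/.env
-/operations-manager/python/.env.production
 /operations-manager/python/scripts/.env.*
 /operations-manager/python/log*
 /operations-manager/python/.env.local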

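--- a/bootstrap/rig-system/kustomize/operations-manager/overlays/odcn-production/patches/deployment.yaml
+++ b/bootstrap/rig-system/kustomize/operations-manager/overlays/odcn-production/patches/deployment.yaml
@@ -9,11 +9,6 @@ spec:
 - name: ghcr-rig-robot-pull-secret
 containers:
 - name: operations-manager
-# TODO(security): pin by immutable digest in a follow-up release.
-# The current :latest is mutable; once a digest pin is in place
-# (rcr.rijksapps.nl/ghcr-rig/minbzk/.../operations-manager@sha256:<digest>),
-# ArgoCD will only redeploy on explicit manifest change instead of on
-# silent image-registry mutation. Out-of-scope for this security PR.
 image: rcr.rijksapps.nl/ghcr-rig/minbzk/base-images/operations-manager/operations-manager:latest
 resources:
 limits: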

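--- a/operations-manager/Dockerfile
+++ b/operations-manager/Dockerfile
@@ -96,14 +96,6 @@ FROM dependencies AS application
 RUN groupadd -g 1001 appuser && \
 useradd -r -u 1001 -g appuser appuser
 
-# Create directory for SSH keys. The git SSH private key is NOT baked into
-# the image. It is mounted at runtime from a Kubernetes Secret (see
-# bootstrap/rig-system/kustomize/operations-manager/base/deployment.yaml,
-# volume "git-server-key" at GIT_SERVER_KEY_PATH=/app/keys/git-server-key).
-# Baking the key (or .env/.env.production) into image layers leaks the
-# GitOps write credential to anyone who can pull the image.
-RUN mkdir -p /app/keys
-
 # Copy Alembic configuration (for database migrations)
 COPY operations-manager/python/alembic.ini /app/
 
@@ -118,8 +110,6 @@ COPY operations-manager/python/extensions ./extensions
 COPY operations-manager/python/sources ./sources
 COPY operations-manager/python/static ./static
 
-# Set proper permissions for application files. The git SSH key is provided
-# at runtime via a read-only Secret volume mount, not written here.
 RUN chown -R appuser:appuser /app && \
 chmod -R 755 /app
 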