Fix docker-compose service order (#1537)
Without this change, when Fulcio is run in docker-compose, signing an
artifact may fail with the error "Error entering certificate in CTL".
This happens if the docker-compose services have been run previously on
the host and the ctfeConfig volume is populated from the last run, so
it would generally only be seen in a developer environment. The error
happens because the ctfe_init container starts too soon, and ct_server
starts with Fulcio's ephemeral root CA from the last run, which is now
the wrong CA. This change fixes the issue by ensuring ct_server only
starts after ctfe_init has exited successfully, instead of just after it
is started. This also means that Fulcio needs to be one of the first
services to start so that it can make the ephemeral CA available to
download.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
cmurphy committed Jan 26, 2024
1 parent b7b2eba commit 607d673
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions docker-compose.yml
Expand Up @@ -46,7 +46,6 @@ services:
start_period: 5s
depends_on:
- dex-idp
- ct_server
read_only: true
dex-idp:
image: dexidp/dex:v2.30.0
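Review bot: dropping ct_server from fulcio-server's depends_on means fulcio-server can now come up, and pass its healthcheck, before the CT log is reachable, so a signing request issued in that window will still fail at the "entering certificate in CTL" step; since ctfe_init now depends on fulcio-server and ct_server on ctfe_init, keeping ct_server here would form a dependency cycle, so the removal is required, but it is worth a comment next to `depends_on:` stating that ct_server readiness is intentionally not a fulcio-server start condition and that callers should wait for the ct_server port (6962) before signing.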
Expand All @@ -73,6 +72,7 @@ services:
dockerfile: Dockerfile.ctfe_init
depends_on:
- trillian-log-server
- fulcio-server
volumes:
- ctfeConfig:/etc/config/:rw
ct_server:
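Review bot: `- fulcio-server` is added in short-form depends_on, which only waits for the container to be started, not for Fulcio to be serving; ctfe_init's job is to download the ephemeral root CA from fulcio-server, so if Fulcio is still initializing when ctfe_init runs, the download can fail or fetch nothing. fulcio-server already carries a healthcheck (the `start_period: 5s` in the first hunk), so consider the long form here, `fulcio-server:` / `condition: service_healthy`, matching the style now used for ct_server, or confirm that ctfe_init retries the download until Fulcio responds.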
Expand All @@ -87,9 +87,12 @@ services:
]
restart: always # retry while ctfe_init is running
depends_on:
- trillian-log-server
- trillian-log-signer
- ctfe_init
trillian-log-server:
condition: service_started
trillian-log-signer:
condition: service_started
ctfe_init:
condition: service_completed_successfully
ports:
- "6962:6962"
mysql:
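Review bot: the `restart: always # retry while ctfe_init is running` comment is now stale: with `condition: service_completed_successfully` ct_server no longer starts until ctfe_init has exited 0, so it is no longer "retrying while ctfe_init is running"; either drop the comment or reword it to describe what the restart policy is still for (e.g. recovering from later crashes). Two caveats worth noting in the commit or a YAML comment: if ctfe_init exits non-zero, ct_server will never start and the compose run fails on the dependency rather than on a CT error, which is the intended failure mode but is a behaviour change for developers; and the long-form `condition:` syntax, in particular service_completed_successfully, is only honoured by Compose implementations that support it, so the developer docs should state the minimum Docker Compose version this file now assumes.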