Updates the integration-test pkimetal sidecar from v1.20.0 to v1.41.0. Newer ctlint emits a warning for every certificate issued by an issuer that isn't in CCADB, which fires for all of our test certificates; ignore it in both zlint configs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds a Socket option to PKIMetalConfig that, when set, makes the linter dial pkimetal over a unix domain socket via a custom http.Transport. This lets boulder-ca and cert-checker run pkimetal as a sidecar with networking disabled, reducing the production attack surface. Reconfigures the integration-test pkimetal sidecar to exercise this: runs it with network_mode: none, listening only on a shared-volume unix socket configured via /config/config.yaml (env vars don't bind keys without viper defaults, and webserverPath has none). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Socket is now the only way to configure PKIMetal, and the preceding commit was the sole place we still used Addr. Drop the field, its conditional paths in httpClient and execute, and the Addr-half of CheckApplies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Set driver_opts on the pkimetal-socket named volume so the tmpfs it backs is initialized with uid=1001 ownership, matching the pkimetal user in the image. pkimetal can then create the socket without needing the container to run as root, and we can drop the SocketPermissions override and fall back to pkimetal's 0o600 default (the boulder container connects as root, which bypasses mode checks anyway). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
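The custom `http.Transport` the commits above describe, as an added Go example that is not Boulder's or pkimetal's own code: the client ignores the host in the request URL and always dials a Unix domain socket, so no TCP connection is ever opened and the sidecar can run with `network_mode: none`. The names `NewUnixSocketClient`, `Do`, `ServeOnUnixSocket` and `EchoHandler`, the `/lintcert` path and the in-process echo server standing in for pkimetal are all assumptions for illustration; the socket is created with the 0o600 mode the last commit mentions as pkimetal's default.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// NewUnixSocketClient returns an http.Client whose transport ignores the host
// and port of every request URL and dials socketPath instead. No TCP socket is
// ever opened, so the peer can run with networking disabled entirely.
func NewUnixSocketClient(socketPath string) *http.Client {
	dialer := &net.Dialer{Timeout: 2 * time.Second}
	transport := &http.Transport{
		// network and addr are derived from the URL; both are deliberately ignored.
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return dialer.DialContext(ctx, "unix", socketPath)
		},
		// Proxy stays nil on purpose: http.ProxyFromEnvironment would let a stray
		// HTTP_PROXY in the environment route lint requests out over TCP.
		Proxy:           nil,
		MaxIdleConns:    4,
		IdleConnTimeout: 30 * time.Second,
	}
	return &http.Client{Transport: transport, Timeout: 10 * time.Second}
}

// Do sends body to urlPath through client and returns the status code and
// response body. The "pkimetal" host is a placeholder the transport never resolves.
func Do(client *http.Client, method, urlPath string, body []byte) (int, []byte, error) {
	req, err := http.NewRequest(method, "http://pkimetal"+urlPath, bytes.NewReader(body))
	if err != nil {
		return 0, nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return 0, nil, err
	}
	return resp.StatusCode, out, nil
}

// ServeOnUnixSocket starts an HTTP server on a Unix socket at path, replacing a
// stale socket file left by an earlier crash, and restricts the socket to 0o600.
// This is a stand-in for the pkimetal sidecar, not pkimetal itself.
func ServeOnUnixSocket(path string, handler http.Handler) (*http.Server, error) {
	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	// The umask may have left the socket group/world-accessible; tighten it
	// before serving. Only processes with access to the shared volume (or root,
	// which bypasses mode checks) can then connect.
	if err := os.Chmod(path, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	srv := &http.Server{Handler: handler, ReadHeaderTimeout: 5 * time.Second}
	go func() { _ = srv.Serve(ln) }() // returns http.ErrServerClosed on Close
	return srv, nil
}

// EchoHandler answers with the method, path and body length it received, so a
// caller can verify the request really arrived over the socket.
func EchoHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n, _ := io.Copy(io.Discard, r.Body)
		fmt.Fprintf(w, "%s %s len=%d", r.Method, r.URL.Path, n)
	})
}

func main() {
	sock := filepath.Join(os.TempDir(), fmt.Sprintf("pkimetal-%d.sock", os.Getpid()))
	srv, err := ServeOnUnixSocket(sock, EchoHandler())
	if err != nil {
		log.Fatal(err)
	}
	defer srv.Close()
	client := NewUnixSocketClient(sock)
	// Constructed placeholder body; a real client would post a PEM certificate.
	status, body, err := Do(client, http.MethodPost, "/lintcert", []byte("not a real certificate"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%d %s\n", status, body)
}
```

Because the transport's `DialContext` discards the network and address it is handed, the scheme and host in the URL only need to be syntactically valid; the server side sees the path and headers exactly as it would over TCP.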
Pull request overview
Adds Unix-domain-socket support for communicating with the pkimetal sidecar so pkimetal can run with network_mode: none, reducing network/supply-chain exposure in integration test deployments.
Changes:
- Switch pkimetal lint configuration from an HTTP `addr` to a Unix socket `socket` path and update lint client code to dial via `unix`.
- Update docker-compose to mount a shared tmpfs volume for the pkimetal socket and run pkimetal with networking disabled.
- Add a small `wait-for-socket.sh` helper and update the test entrypoint to wait for the socket instead of TCP.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| test/wait-for-socket.sh | New helper script to block until a Unix socket exists. |
| test/pkimetal-config.yaml | pkimetal config to disable the TCP listener and bind to a Unix socket path. |
| test/entrypoint.sh | Wait for pkimetal's Unix socket instead of bpkimetal:8080. |
| test/config/zlint.toml | Update pkimetal lint config to use socket instead of addr. |
| test/config-next/zlint.toml | Same socket-based pkimetal lint config update for "next". |
| linter/lints/rfc/lint_crl_via_pkimetal.go | Applies the pkimetal CRL lint only when a socket is configured. |
| linter/lints/rfc/lint_cert_via_pkimetal.go | Implement Unix-socket HTTP transport and switch pkimetal URL construction accordingly. |
| docker-compose.yml | Add shared tmpfs volume for the socket; run pkimetal with network_mode: none and mount config. |
mcpherrinm
commented
Apr 15, 2026
| @@ -0,0 +1,18 @@ | |||
| #!/bin/bash | |||
this is a pretty straightforward port of wait-for-it.sh to support a socket. I think we could probably do this in docker-compose with a healthcheck and dependencies instead, but I figured that's too much changing at once
To minimize supply chain risk, we want to run pkimetal with networking: none. Support using a Unix socket to talk to pkimetal.
Depends on #8713 to upgrade pkimetal.
Fixes #8530
Coauthored with Claude.