From 86e28809b63f151e9e840582288da1b5ef15244f Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Wed, 8 Apr 2026 13:05:06 +0000
Subject: [PATCH 1/5] [GPCAPIM-354]: Update cspell dictionary entries

---
 .vscode/cspell-dictionary.txt | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.vscode/cspell-dictionary.txt b/.vscode/cspell-dictionary.txt
index 85932785..712e9872 100644
--- a/.vscode/cspell-dictionary.txt
+++ b/.vscode/cspell-dictionary.txt
@@ -1,8 +1,12 @@
+addgroup
+adduser
 asid
 fhir
 getstructuredrecord
 GPCAPIM
 gpconnect
-searchset
+nonroot
 proxygen
+PYTHONPATH
+searchset
 usefixtures

From b99cbea30a43f3252eaef8339d0f25e8412f1129 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Wed, 8 Apr 2026 13:05:25 +0000
Subject: [PATCH 2/5] [GPCAPIM-354]: Remove development certificate handling from Dockerfile

---
 infrastructure/images/gateway-api/Dockerfile | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/infrastructure/images/gateway-api/Dockerfile b/infrastructure/images/gateway-api/Dockerfile
index 1a5c94b2..e9c11a85 100644
--- a/infrastructure/images/gateway-api/Dockerfile
+++ b/infrastructure/images/gateway-api/Dockerfile
@@ -8,15 +8,7 @@ ARG INCLUDE_DEV_CERTS=false
 COPY resources/ /resources

 # Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \
- cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
- update-ca-certificates; \
- cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
- else \
- rm -rf /resources/dev-certificates || true; \
- fi && \
-
- apk upgrade --no-cache && \
+RUN apk upgrade --no-cache && \
 pip install --no-cache-dir --upgrade pip && \
 addgroup -S nonroot && \
 adduser -S gateway_api_user -G nonroot

From 0d380d9b7088dbaf2ca88dc94978588700b07ea5 Mon Sep 17 00:00:00 2001
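Review bot: Dropping the `else` branch also drops the only step that kept `/resources/dev-certificates` out of the gateway-api image: the unchanged `COPY resources/ /resources` above still copies the whole directory from the build context, and nothing in this commit removes a `dev-certificates/` folder that earlier builds or developers left there (the Makefile's `build-gateway-api` recipe only recreates `resources/build/`). Any certificate material still sitting under that path would now be baked into the runtime image unconditionally. Either exclude it with a `.dockerignore` beside this Dockerfile or have `build-gateway-api` clear it, e.g. `@rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates`. The same gap applies to the `build-gateway-api` hunk of PATCH 3/5 and to the `-5,27` build-container Dockerfile hunk of PATCH 4/5, which removes the matching `rm -r /resources/dev-certificates` branch (the old README pointed developers at `infrastructure/images/build-container/resources/dev-certificates`).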
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Wed, 8 Apr 2026 13:27:09 +0000
Subject: [PATCH 3/5] [GPCAPIM-354]: Remove development certificate handling

- Eliminate handling of development certificates from the Makefile
- Remove related build arguments and conditional logic from the Dockerfile
---
 Makefile | 15 +--------------
 infrastructure/images/gateway-api/Dockerfile | 4 ----
 2 files changed, 1 insertion(+), 18 deletions(-)

diff --git a/Makefile b/Makefile
index 16da7fd5..208bc50a 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,6 @@ endif
 IMAGE_NAME := ${IMAGE_REPOSITORY}:${IMAGE_TAG}
 COMMIT_VERSION := $(shell git rev-parse --short HEAD)
 BUILD_DATE := $(shell date -u +"%Y%m%d")
-INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED}

 # ==============================================================================
 # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
@@ -42,25 +41,13 @@ build-gateway-api: dependencies
 @rm -rf ../infrastructure/images/gateway-api/resources/build/
 @mkdir ../infrastructure/images/gateway-api/resources/build/
 @cp -r ./target/gateway-api ../infrastructure/images/gateway-api/resources/build/
- # If dev certificates are present inside the dev container, copy them into
- # the gateway-api image build context so they can be installed there too.
- @if [ -d "/resources/dev-certificates" ]; then \
- rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates; \
- mkdir -p ../infrastructure/images/gateway-api/resources/dev-certificates; \
- cp -r /resources/dev-certificates/* ../infrastructure/images/gateway-api/resources/dev-certificates/; \
- fi
 # Remove temporary build artefacts once build has completed
 @rm -rf target && rm -rf dist

 .PHONY: build
 build: build-gateway-api # Build the project artefact @Pipeline
 @echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..."
- @if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \
- echo "building with dev certs ..." ; \
- $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS} -t ${IMAGE_NAME} infrastructure/images/gateway-api
- else \
- $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
- fi
+ $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
 @echo "Docker image '${IMAGE_NAME}' built successfully!"

publish: # Publish the project artefact @Pipeline

diff --git a/infrastructure/images/gateway-api/Dockerfile b/infrastructure/images/gateway-api/Dockerfile
index e9c11a85..00cf681f 100644
--- a/infrastructure/images/gateway-api/Dockerfile
+++ b/infrastructure/images/gateway-api/Dockerfile
@@ -2,12 +2,8 @@ ARG PYTHON_VERSION=invalid

 FROM python:${PYTHON_VERSION}-alpine3.23 AS gateway-api

-# Controls whether dev certificates (if present) are installed into this image.
-ARG INCLUDE_DEV_CERTS=false
-
 COPY resources/ /resources

-# Install required certificates for dev machines.
 RUN apk upgrade --no-cache && \
 pip install --no-cache-dir --upgrade pip && \
 addgroup -S nonroot && \

From dfed3f2a89def8e27ed5b551f631260c77cec6c0 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Wed, 8 Apr 2026 15:13:20 +0000
Subject: [PATCH 4/5] [GPCAPIM-354]: Remove development certificate handling

- Eliminate support for development certificates in the Dockerfile
- Update README to reflect the removal of certificate handling instructions
- Remove related configuration from Makefile and devcontainer.json
- Revise cspell dictionary to include additional terms
---
 .devcontainer/devcontainer.json | 5 +----
 .vscode/cspell-dictionary.txt | 13 ++++++++++++
 Makefile | 5 -----
 README.md | 2 --
 infrastructure/README.md | 3 +--
 .../images/build-container/Dockerfile | 21 ++-----------------
 6 files changed, 17 insertions(+), 32 deletions(-)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 2dcf360c..685278ed 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,10 +1,7 @@
 {
 "name": "gateway-api-build-container",
 "build": {
- "dockerfile": "../infrastructure/images/build-container/Dockerfile",
- "args": {
- "INCLUDE_DEV_CERTS": "true"
- }
+ "dockerfile": "../infrastructure/images/build-container/Dockerfile"
 },
 "customizations": {
 "vscode": {
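Review bot: With the `@if [[ -n "$${IN_BUILD_CONTAINER}" ]]` branch gone, nothing in this Makefile reads `IN_BUILD_CONTAINER` any more, yet `ENV IN_BUILD_CONTAINER=true` is kept by the build-container Dockerfile hunk of PATCH 4/5; if no other consumer exists, drop that `ENV` in the same series, otherwise add a comment next to it naming what still reads it. The surviving `$(docker) buildx build ...` recipe line carries the whole flag set on a single line of well over 200 characters; one `--build-arg` per backslash-continued line would make future additions to the flag set reviewable. `build-gateway-api`'s rule header sits above the hunk (it appears only as the hunk's function context), so the start of that recipe was not reviewed here.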
diff --git a/.vscode/cspell-dictionary.txt b/.vscode/cspell-dictionary.txt
index 712e9872..a8e45c77 100644
--- a/.vscode/cspell-dictionary.txt
+++ b/.vscode/cspell-dictionary.txt
@@ -1,12 +1,25 @@
 addgroup
 adduser
 asid
+buildx
+chsh
+doas
 fhir
 getstructuredrecord
 GPCAPIM
 gpconnect
+linters
+musllinux
 nonroot
+nopass
+pipx
 proxygen
+pyenv
 PYTHONPATH
 searchset
+tfstate
+tfvars
 usefixtures
+usermod
+virtualenv
+zstd
diff --git a/Makefile b/Makefile
index 208bc50a..198e2aa3 100644
--- a/Makefile
+++ b/Makefile
@@ -86,11 +86,6 @@ stop:
 @$(docker) stop gateway-api || echo "No Gateway API container currently running."

 config:: # Configure development environment (main) @Configuration
- # Configure poetry to trust dev certificate if specified
- @if [[ -n "$${DEV_CERTS_INCLUDED}" ]]; then \
- echo "Configuring poetry to trust the dev certificate..." ; \
- poetry config certificates.PyPI.cert /etc/ssl/cert.pem ; \
- fi
 make _install-dependencies

 # ==============================================================================
diff --git a/README.md b/README.md
index a237a767..b7d88fe0 100644
--- a/README.md
+++ b/README.md
@@ -109,8 +109,6 @@ The project is configured to run inside a [Dev Container](https://containers.dev
 The dev container sits on the same network, `gateway-local`, as [the `gateway-api` container](infrastructure/README.md#docker-images), if deployed. Docker DNS will resolve to the deployed Gateway API.

 > [!NOTE]
-> **Certificates:** If additional certificates are needed, add them to `infrastructure/images/build-container/resources/dev-certificates` and set the `INCLUDE_DEV_CERTS` Docker build argument to `true`.
->
 > **WSL users:** Configure the Dev Containers extension with `{"dev.containers.executeInWSL": true}`, clone the repository into the WSL filesystem, connect VS Code to WSL first, then open the repository folder and build the container.

 ### Prerequisites
diff --git a/infrastructure/README.md b/infrastructure/README.md
index 4994b8ec..dd92267a 100644
--- a/infrastructure/README.md
+++ b/infrastructure/README.md
@@ -33,7 +33,7 @@ The `preview/` environment creates an isolated, per-branch deployment of the Gat
 Key input variables:

 | Variable | Description | Default |
-|---|---|---|
+| --- | --- | --- |
 | `branch_name` | Git branch name — used to derive the hostname and resource names | *(required)* |
 | `image_tag` | Docker image tag to deploy; defaults to `branch_name` if empty | `""` |
 | `base_domain` | Base domain for the preview URL | `dev.endpoints.clinical-data-gateway.national.nhs.uk` |
@@ -70,7 +70,6 @@ A dev container image used by CI/CD pipelines, based on the VS Code Alpine base
 - Python (via asdf)
 - Docker CLI and Buildx
 - Linters and checkers: vale, hadolint (via npm/markdownlint), ShellCheck
-- Development certificate support for machines behind corporate proxies

 ## Terraform Operations

diff --git a/infrastructure/images/build-container/Dockerfile b/infrastructure/images/build-container/Dockerfile
index 062b0569..7ed9d6a7 100644
--- a/infrastructure/images/build-container/Dockerfile
+++ b/infrastructure/images/build-container/Dockerfile
@@ -5,27 +5,10 @@ ENV PYTHON_VERSION="3.14"
 ENV ASDF_DOWNLOAD_URL="https://github.com/asdf-vm/asdf/releases/download/v0.18.0"
 ENV EDITORCONFIG_DOWNLOAD_URL="https://github.com/editorconfig-checker/editorconfig-checker/releases/download/v3.4.1"

-ARG INCLUDE_DEV_CERTS
-ARG DEV_CERT_FILENAME
-
-# Add development certificates to node if provided.
-ENV NODE_EXTRA_CA_CERTS=${INCLUDE_DEV_CERTS:+/etc/ssl/certs/ca-certificates.crt}
-ENV DEV_CERTS_INCLUDED=$INCLUDE_DEV_CERTS
-
 ENV IN_BUILD_CONTAINER=true

 COPY resources/ /resources

-# Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] ; then \
- cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
- update-ca-certificates; \
-
- cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
-else \
- rm -r /resources/dev-certificates; \
-fi
-
 RUN apk update && \
 apk add --no-cache --update bash \
 # Required to manage user permissions.
@@ -65,7 +48,7 @@ RUN echo "permit :wheel" >> /etc/doas.conf \
 ENV PYENV_ROOT="/.pyenv"
 ENV PATH="$PYENV_ROOT/bin:$PATH"

-# Install Python (via pyenv) and intialize it.
+# Install Python (via pyenv) and initialize it.
 RUN curl --proto "=https" -fsSL https://pyenv.run | bash && \
 /.pyenv/bin/pyenv install ${PYTHON_VERSION} && \
 /.pyenv/bin/pyenv global ${PYTHON_VERSION} && \
@@ -80,7 +63,7 @@ ENV ASDF_DATA_DIR="/.asdf"
 RUN mkdir /asdf
 WORKDIR /asdf

-# If we're running on an arm64 architecture download the arm64 executeable.
+# If we're running on an arm64 architecture download the arm64 executable.
 RUN if [ "$(uname -m)" = "aarch64" ] ; then \
 echo "Installing ARM asdf executable..." && \
 wget -O asdf.tar.gz "$ASDF_DOWNLOAD_URL/asdf-v0.18.0-linux-arm64.tar.gz"; \

From 2e3b7da0952efdb70d8b2ff7797a625671d2be37 Mon Sep 17 00:00:00 2001
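Review bot: `RUN apk update && apk add --no-cache --update bash ...`, which on the new side now directly follows `COPY resources/ /resources`, pairs `apk update` with `--no-cache`: the explicit update writes a package index into `/var/cache/apk/` in this layer, while `--no-cache` makes `apk add` fetch a fresh index anyway, so the cached copy is dead weight that stays in the image. Dropping `apk update &&` (and the equally redundant `--update`) keeps the behaviour and shrinks the layer: `RUN apk add --no-cache bash \`. This `RUN` continues past the end of the hunk. Separately, the `-65,7` hunk below only fixes a comment typo but keeps `curl --proto "=https" -fsSL https://pyenv.run | bash`, an unpinned remote installer executed at build time; that is pre-existing, but pinning it to a release and verifying the download would be the supply-chain follow-up.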
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Wed, 8 Apr 2026 15:32:10 +0000
Subject: [PATCH 5/5] [GPCAPIM-354]: Refactor doas configuration in Dockerfile

- Combine zstd-dev installation with doas configuration commands
- Ensure proper shell usage for root user
---
 infrastructure/images/build-container/Dockerfile | 13 ++++++------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/infrastructure/images/build-container/Dockerfile b/infrastructure/images/build-container/Dockerfile
index 7ed9d6a7..798b3b8c 100644
--- a/infrastructure/images/build-container/Dockerfile
+++ b/infrastructure/images/build-container/Dockerfile
@@ -35,14 +35,13 @@ RUN apk update && \
 readline-dev \
 sqlite-dev \
 tk-dev \
- zstd-dev
-
-# Configure doas to allow members of the wheel group to run commands as root.
-RUN echo "permit :wheel" >> /etc/doas.conf \
- && echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf \
- && echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf \
+ zstd-dev && \
+ # Configure doas to allow members of the wheel group to run commands as root.
+ echo "permit :wheel" >> /etc/doas.conf && \
+ echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf && \
+ echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf && \
 # Change default shell to bash for root user.
- && chsh -s /bin/bash root
+ chsh -s /bin/bash root

 # Ensure pyenv is on the PATH
 ENV PYENV_ROOT="/.pyenv"
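Review bot: The three `echo ... >> /etc/doas.conf` lines are now appended inside the same `RUN` as the `apk add` package list, so any future edit to the doas policy invalidates the cached package-install layer and re-runs `apk update && apk add` on the next build; the previous separate `RUN` kept the two concerns and their cache keys apart, and the commit message does not say what the merge buys. If the merge stays, the policy block deserves a comment on ordering, because doas applies the last matching rule, so the unrestricted `permit :wheel` line must come before the two `nopass` lines for them to take effect: `# doas uses last-match-wins: keep the general :wheel rule first so the nopass rules below override it for apk and docker.` The `RUN` this hunk modifies begins above the hunk (`RUN apk update && \` is only its function context).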