Debt/GPCAPIM 354 remove dev cert handling

.devcontainer/devcontainer.json

@@ -1,10 +1,7 @@
 {
   "name": "gateway-api-build-container",
   "build": {
-    "dockerfile": "../infrastructure/images/build-container/Dockerfile",
-    "args": {
-      "INCLUDE_DEV_CERTS": "true"
-    }
+    "dockerfile": "../infrastructure/images/build-container/Dockerfile"
   },
   "customizations": {
     "vscode": {

.vscode/cspell-dictionary.txt

@@ -1,8 +1,25 @@
+addgroup
+adduser
 asid
+buildx
+chsh
+doas
 fhir
 getstructuredrecord
 GPCAPIM
 gpconnect
-searchset
+linters
+musllinux
+nonroot
+nopass
+pipx
 proxygen
+pyenv
+PYTHONPATH
+searchset
+tfstate
+tfvars
 usefixtures
+usermod
+virtualenv
+zstd

Makefile

@@ -20,7 +20,6 @@ endif
 IMAGE_NAME := ${IMAGE_REPOSITORY}:${IMAGE_TAG}
 COMMIT_VERSION := $(shell git rev-parse --short HEAD)
 BUILD_DATE := $(shell date -u +"%Y%m%d")
-INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED}
 # ==============================================================================
 
 # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
@@ -42,25 +41,13 @@ build-gateway-api: dependencies
 	@rm -rf ../infrastructure/images/gateway-api/resources/build/
 	@mkdir ../infrastructure/images/gateway-api/resources/build/
 	@cp -r ./target/gateway-api ../infrastructure/images/gateway-api/resources/build/
-	# If dev certificates are present inside the dev container, copy them into
-	# the gateway-api image build context so they can be installed there too.
-	@if [ -d "/resources/dev-certificates" ]; then \
-		rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates; \
-		mkdir -p ../infrastructure/images/gateway-api/resources/dev-certificates; \
-		cp -r /resources/dev-certificates/* ../infrastructure/images/gateway-api/resources/dev-certificates/; \
-	fi
 	# Remove temporary build artefacts once build has completed
 	@rm -rf target && rm -rf dist
 
 .PHONY: build
 build: build-gateway-api # Build the project artefact @Pipeline
 	@echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..."
-	@if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \
-		echo "building with dev certs ..." ; \
-		$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS} -t ${IMAGE_NAME} infrastructure/images/gateway-api
-	else \
-		$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
-	fi
+	$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
 	@echo "Docker image '${IMAGE_NAME}' built successfully!"
 
 publish: # Publish the project artefact @Pipeline
@@ -99,11 +86,6 @@ stop:
 	@$(docker) stop gateway-api || echo "No Gateway API container currently running."
 
 config:: # Configure development environment (main) @Configuration
-	# Configure poetry to trust dev certificate if specified
-	@if [[ -n "$${DEV_CERTS_INCLUDED}" ]]; then \
-		echo "Configuring poetry to trust the dev certificate..."  ; \
-		poetry config certificates.PyPI.cert /etc/ssl/cert.pem ; \
-	fi
 	make _install-dependencies
 
 # ==============================================================================

README.md

@@ -109,8 +109,6 @@ The project is configured to run inside a [Dev Container](https://containers.dev
 The dev container sits on the same network, `gateway-local`, as [the `gateway-api` container](infrastructure/README.md#docker-images), if deployed. Docker DNS will resolve <http://gateway-api> to the deployed Gateway API.
 
 > [!NOTE]
-> **Certificates:** If additional certificates are needed, add them to `infrastructure/images/build-container/resources/dev-certificates` and set the `INCLUDE_DEV_CERTS` Docker build argument to `true`.
->
 > **WSL users:** Configure the Dev Containers extension with `{"dev.containers.executeInWSL": true}`, clone the repository into the WSL filesystem, connect VS Code to WSL first, then open the repository folder and build the container.
 
 ### Prerequisites

infrastructure/README.md

@@ -33,7 +33,7 @@ The `preview/` environment creates an isolated, per-branch deployment of the Gat
 Key input variables:
 
 | Variable | Description | Default |
-|---|---|---|
+| --- | --- | --- |
 | `branch_name` | Git branch name — used to derive the hostname and resource names | *(required)* |
 | `image_tag` | Docker image tag to deploy; defaults to `branch_name` if empty | `""` |
 | `base_domain` | Base domain for the preview URL | `dev.endpoints.clinical-data-gateway.national.nhs.uk` |
@@ -70,7 +70,6 @@ A dev container image used by CI/CD pipelines, based on the VS Code Alpine base
 - Python (via asdf)
 - Docker CLI and Buildx
 - Linters and checkers: vale, hadolint (via npm/markdownlint), ShellCheck
-- Development certificate support for machines behind corporate proxies
 
 ## Terraform Operations
 

infrastructure/images/build-container/Dockerfile

@@ -5,27 +5,10 @@ ENV PYTHON_VERSION="3.14"
 ENV ASDF_DOWNLOAD_URL="https://github.com/asdf-vm/asdf/releases/download/v0.18.0"
 ENV EDITORCONFIG_DOWNLOAD_URL="https://github.com/editorconfig-checker/editorconfig-checker/releases/download/v3.4.1"
 
-ARG INCLUDE_DEV_CERTS
-ARG DEV_CERT_FILENAME
-
-# Add development certificates to node if provided.
-ENV NODE_EXTRA_CA_CERTS=${INCLUDE_DEV_CERTS:+/etc/ssl/certs/ca-certificates.crt}
-ENV DEV_CERTS_INCLUDED=$INCLUDE_DEV_CERTS
-
 ENV IN_BUILD_CONTAINER=true
 
 COPY resources/ /resources
 
-# Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] ; then \
-    cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
-    update-ca-certificates; \
-
-    cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
-else \
-    rm -r /resources/dev-certificates; \
-fi
-
 RUN apk update && \
     apk add --no-cache --update bash \
     # Required to manage user permissions.
@@ -52,20 +35,19 @@ RUN apk update && \
     readline-dev \
     sqlite-dev \
     tk-dev \
-    zstd-dev
-
-# Configure doas to allow members of the wheel group to run commands as root.
-RUN echo "permit :wheel" >> /etc/doas.conf \
-    && echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf \
-    && echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf \
+    zstd-dev && \
+    # Configure doas to allow members of the wheel group to run commands as root.
+    echo "permit :wheel" >> /etc/doas.conf && \
+    echo "permit nopass :wheel as root cmd apk" >> /etc/doas.conf && \
+    echo "permit nopass :wheel as root cmd docker" >> /etc/doas.conf && \
     # Change default shell to bash for root user.
-    && chsh -s /bin/bash root
+    chsh -s /bin/bash root
 
 # Ensure pyenv is on the PATH
 ENV PYENV_ROOT="/.pyenv"
 ENV PATH="$PYENV_ROOT/bin:$PATH"
 
-# Install Python (via pyenv) and intialize it.
+# Install Python (via pyenv) and initialize it.
 RUN curl --proto "=https" -fsSL https://pyenv.run | bash && \
     /.pyenv/bin/pyenv install ${PYTHON_VERSION} && \
     /.pyenv/bin/pyenv global ${PYTHON_VERSION} && \
@@ -80,7 +62,7 @@ ENV ASDF_DATA_DIR="/.asdf"
 RUN mkdir /asdf
 WORKDIR /asdf
 
-# If we're running on an arm64 architecture download the arm64 executeable.
+# If we're running on an arm64 architecture download the arm64 executable.
 RUN if [ "$(uname -m)" = "aarch64" ] ; then \
         echo "Installing ARM asdf executable..." && \
         wget -O asdf.tar.gz "$ASDF_DOWNLOAD_URL/asdf-v0.18.0-linux-arm64.tar.gz"; \

infrastructure/images/gateway-api/Dockerfile

@@ -2,21 +2,9 @@
 ARG PYTHON_VERSION=invalid
 FROM python:${PYTHON_VERSION}-alpine3.23 AS gateway-api
 
-# Controls whether dev certificates (if present) are installed into this image.
-ARG INCLUDE_DEV_CERTS=false
-
 COPY resources/ /resources
 
-# Install required certificates for dev machines.
-RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \
-        cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
-        update-ca-certificates; \
-        cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
-    else \
-        rm -rf /resources/dev-certificates || true; \
-    fi && \
-
-    apk upgrade --no-cache && \
+RUN apk upgrade --no-cache && \
     pip install --no-cache-dir --upgrade pip && \
     addgroup -S nonroot && \
     adduser -S gateway_api_user -G nonroot