fix: Kuma import tokens/paused, Docker hardening, migrate-secrets idempotency #116

Merged
lerko merged 1 commit from fix/import-docker-hardening into main 2026-06-12 12:49:21 +00:00
Owner

Summary

Four fixes from the review-findings backlog.

  1. Kuma import maps push tokens + paused state — push monitors now get a generated crypto/rand token (were imported with empty token → sat DOWN forever). Active=false now sets Paused=true (paused Kuma monitors were coming in unpaused and alerting).

  2. Docker HEALTHCHECK: `wget -qO- http://localhost:8080/api/health || exit 1` with 30s interval. Container orchestrators can detect unhealthy instances.

  3. migrate-secrets idempotent — encryptor set before loading alerts so already-encrypted settings are decrypted correctly on second run. Was failing with JSON unmarshal error.

  4. docker-compose.yml container hardening: `read_only`, `cap_drop: [ALL]`, `security_opt: [no-new-privileges:true]`, `tmpfs: [/tmp]`.

Also verified and checked off three items already resolved by PR #104: grype gate un-neutered, latest tag only on tag push, CI coverage via branch protection.

Test plan

  • go test -count=1 ./... — all pass
  • golangci-lint — 0 issues
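The push-token and paused-state mapping described in item 1, as an added example in Go; this is not the project's own importer. The `KumaMonitor` and `Monitor` types, the 16-byte token length and the hex encoding are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// KumaMonitor is a hypothetical subset of an Uptime Kuma export entry.
type KumaMonitor struct {
	Name      string
	Type      string // e.g. "http" or "push"
	PushToken string // often empty in exports
	Active    bool
}

// Monitor is the hypothetical imported representation.
type Monitor struct {
	Name      string
	Type      string
	PushToken string
	Paused    bool
}

// newPushToken returns 16 bytes from crypto/rand, hex-encoded (32 chars).
func newPushToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// importKumaMonitor maps Active=false to Paused=true and gives push
// monitors with an empty token a fresh one, so they are not stuck DOWN.
// Existing tokens are kept so re-importing does not break push clients.
func importKumaMonitor(k KumaMonitor) (Monitor, error) {
	m := Monitor{Name: k.Name, Type: k.Type, PushToken: k.PushToken, Paused: !k.Active}
	if k.Type == "push" && m.PushToken == "" {
		tok, err := newPushToken()
		if err != nil {
			return Monitor{}, err
		}
		m.PushToken = tok
	}
	return m, nil
}

func main() {
	m, err := importKumaMonitor(KumaMonitor{Name: "backup-job", Type: "push", Active: false})
	fmt.Printf("%+v err=%v\n", m, err)
}
```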
lerko added 1 commit 2026-06-12 12:43:23 +00:00
fix: Kuma import tokens/paused, Docker hardening, migrate-secrets idempotency
CI / test (pull_request) Successful in 1m54s
CI / lint (pull_request) Successful in 1m27s
CI / vulncheck (pull_request) Successful in 56s
edfe6122b1
1. Kuma import now maps push monitor tokens (generates crypto/rand
   token) and paused state (Active=false → Paused=true). Previously
   push monitors imported with empty token sat DOWN forever, and
   paused Kuma monitors came in unpaused and started alerting.

2. Dockerfile adds HEALTHCHECK against /api/health on port 8080.
   Container orchestrators can now detect unhealthy instances.

3. migrate-secrets sets the encryptor before loading alerts, so
   already-encrypted settings are decrypted correctly on second run
   instead of failing with a JSON unmarshal error.

4. docker-compose.yml adds container hardening: read_only filesystem,
   cap_drop ALL, no-new-privileges, tmpfs for /tmp.
lerko merged commit edfe6122b1 into main 2026-06-12 12:49:21 +00:00
lerko deleted branch fix/import-docker-hardening 2026-06-12 12:49:21 +00:00
Reference: lerkolabs/uptop#116