Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
1 parent
ed67da0
commit f5d13e0
Showing
6 changed files
with
1,513 additions
and
38 deletions.
@@ -0,0 +1,15 @@ | ||
# `sign.kontain.me` | ||
|
||
## Examples | ||
|
||
Pull a mirrored [`busybox`](https://hub.docker.com/_/busybox) image: | ||
|
||
``` | ||
docker pull sign.kontain.me/busybox | ||
``` | ||
|
||
Or by tag: | ||
|
||
``` | ||
docker pull sign.kontain.me/busybox:musl | ||
``` |
@@ -0,0 +1,14 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -euxo pipefail | ||
|
||
gcloud run deploy sign \ | ||
--project=kontaindotme \ | ||
--region=us-central1 \ | ||
--allow-unauthenticated \ | ||
--set-env-vars=BUCKET=kontaindotme \ | ||
--image=$(KO_DOCKER_REPO=gcr.io/kontaindotme ko publish -P ./cmd/sign) \ | ||
--memory=1Gi \ | ||
--cpu=1 \ | ||
--concurrency=80 \ | ||
--timeout=60 # 1m |
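Review bot: `--timeout=60` caps the whole request, and on a cache miss the handler this deploys performs a keyless cosign sign (OIDC, Fulcio and Rekor round trips plus the registry work) inside that request, so the `# 1m` comment should say why one minute is believed to be enough or the value should be revisited once the cold path has been measured. The same line is the only place the budget is recorded, so a short comment such as `# must cover a full keyless sign on a cache miss` would help the next reader. `--allow-unauthenticated` is presumably intentional for a public mirror; stating that intent in a comment above the `gcloud run deploy` line would make the exposure an explicit decision rather than a default.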
@@ -0,0 +1,124 @@ | ||
package main | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"log" | ||
"net/http" | ||
"os" | ||
"strings" | ||
|
||
"github.com/google/go-containerregistry/pkg/name" | ||
"github.com/imjasonh/kontain.me/pkg/serve" | ||
|
||
"github.com/sigstore/cosign/cmd/cosign/cli/options" | ||
"github.com/sigstore/cosign/cmd/cosign/cli/sign" | ||
fulcioclient "github.com/sigstore/fulcio/pkg/client" | ||
) | ||
|
||
func main() { | ||
ctx := context.Background() | ||
st, err := serve.NewStorage(ctx) | ||
if err != nil { | ||
log.Fatalf("serve.NewStorage: %v", err) | ||
} | ||
http.Handle("/v2/", &server{ | ||
info: log.New(os.Stdout, "I ", log.Ldate|log.Ltime|log.Lshortfile), | ||
error: log.New(os.Stderr, "E ", log.Ldate|log.Ltime|log.Lshortfile), | ||
storage: st, | ||
}) | ||
http.Handle("/", http.RedirectHandler("https://github.com/imjasonh/kontain.me/blob/main/cmd/sign", http.StatusSeeOther)) | ||
|
||
log.Println("Starting...") | ||
port := os.Getenv("PORT") | ||
if port == "" { | ||
port = "8080" | ||
log.Printf("Defaulting to port %s", port) | ||
} | ||
log.Printf("Listening on port %s", port) | ||
log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil)) | ||
} | ||
|
||
type server struct { | ||
info, error *log.Logger | ||
storage *serve.Storage | ||
} | ||
|
||
func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) { | ||
s.info.Println("handler:", r.Method, r.URL) | ||
path := strings.TrimPrefix(r.URL.String(), "/v2/") | ||
|
||
switch { | ||
case path == "": | ||
// API Version check. | ||
w.Header().Set("Docker-Distribution-API-Version", "registry/2.0") | ||
return | ||
case strings.Contains(path, "/blobs/"), | ||
strings.Contains(path, "/manifests/sha256:"): | ||
// Extract requested blob digest and redirect to serve it from GCS. | ||
// If it doesn't exist, this will return 404. | ||
parts := strings.Split(r.URL.Path, "/") | ||
digest := parts[len(parts)-1] | ||
serve.Blob(w, r, digest) | ||
case strings.Contains(path, "/manifests/"): | ||
s.serveSignManifest(w, r) | ||
default: | ||
serve.Error(w, serve.ErrNotFound) | ||
} | ||
} | ||
|
||
// sign.kontain.me/ubuntu -> mirror ubuntu and serve | ||
func (s *server) serveSignManifest(w http.ResponseWriter, r *http.Request) { | ||
ctx := r.Context() | ||
path := strings.TrimPrefix(r.URL.Path, "/v2/") | ||
parts := strings.Split(path, "/") | ||
|
||
refstr := strings.Join(parts[:len(parts)-2], "/") | ||
tagOrDigest := parts[len(parts)-1] | ||
if strings.HasPrefix(tagOrDigest, "sha256:") { | ||
refstr += "@" + tagOrDigest | ||
} else { | ||
refstr += ":" + tagOrDigest | ||
} | ||
for strings.HasPrefix(refstr, "sign.kontain.me/") { | ||
refstr = strings.TrimPrefix(refstr, "sign.kontain.me/") | ||
} | ||
|
||
ref, err := name.ParseReference(refstr) | ||
if err != nil { | ||
s.error.Printf("ERROR (ParseReference(%q)): %v", refstr, err) | ||
serve.Error(w, err) | ||
return | ||
} | ||
|
||
// If it's a HEAD request, and request was by digest, and we have that | ||
// manifest mirrored by digest already, serve HEAD response from GCS. | ||
// If it's a HEAD request and the other conditions aren't met, we'll | ||
// handle this later by consulting the real registry. | ||
if r.Method == http.MethodHead { | ||
if d, ok := ref.(name.Digest); ok { | ||
if desc, err := s.storage.BlobExists(ctx, d.DigestStr()); err == nil { | ||
w.Header().Set("Docker-Content-Digest", d.DigestStr()) | ||
w.Header().Set("Content-Type", string(desc.MediaType)) | ||
w.Header().Set("Content-Length", fmt.Sprintf("%d", desc.Size)) | ||
return | ||
} | ||
} | ||
} | ||
|
||
ko := sign.KeyOpts{ | ||
FulcioURL: fulcioclient.SigstorePublicServerURL, | ||
RekorURL: "https://rekor.sigstore.dev", | ||
OIDCIssuer: "https://oauth2.sigstore.dev/auth", | ||
OIDCClientID: "sigstore", | ||
} | ||
|
||
fmt.Println("Image:", refstr) | ||
err = sign.SignCmd(context.TODO(), ko, options.RegistryOptions{}, nil, []string{refstr}, "", true, "", false, false, "") | ||
|
||
if err != nil { | ||
s.error.Printf("ERROR (Cosign Keyless Sign(%q)): %v", refstr, err) | ||
serve.Error(w, err) | ||
return | ||
} | ||
} |
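Review bot: serveSignManifest returns without writing anything to `w` after `sign.SignCmd` succeeds, so a manifest request that is not answered by the HEAD-by-digest short-circuit gets an empty 200 with no body and no `Docker-Content-Digest` header; the function needs to fetch the manifest and write (or redirect to) it once signing completes, matching the `mirror ubuntu and serve` comment above it. The signing call passes `context.TODO()` although `ctx := r.Context()` is already in scope at the top of the function, so a client disconnect does not cancel the Fulcio/Rekor work; `err = sign.SignCmd(ctx, ko, options.RegistryOptions{}, nil, []string{refstr}, "", true, "", false, false, "")`. Because `refstr` is taken verbatim from the request path and `name.ParseReference` accepts any registry, every caller of this endpoint can have the service emit a keyless signature and Rekor entry for an arbitrary reference under the service's identity; either restrict the accepted references to the namespace this mirror is meant to serve, or document in a comment that signing arbitrary public images is the intended behaviour. `fmt.Println("Image:", refstr)` also bypasses the `s.info` logger the rest of the handler uses.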
@@ -0,0 +1,6 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -euxo pipefail | ||
|
||
time crane validate --remote=sign.kontain.me/busybox | ||
time crane validate --remote=sign.kontain.me/busybox |
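Review bot: The two identical `crane validate` lines read like a copy-paste error unless the reader knows the second run is meant to exercise the already-mirrored path; a comment on the first, `# first run: cold path (mirror + sign)`, and on the second, `# second run: should be served from the mirror`, would make the intent explicit. I am inferring that purpose from the `time` prefix rather than from anything stated in the script, so adjust the wording if the motivation is different.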