Move Docker V2 key to be loaded from file or generated on server load
Fixes #394
This commit is contained in:
Joseph Schorr
parent
d82dce9f38
commit
2e694dd3f0
2 changed files with 14 additions and 9 deletions
11
app.py
11
app.py
|
|
@ -8,6 +8,8 @@ from flask.ext.principal import Principal
|
|||
from flask.ext.login import LoginManager, UserMixin
|
||||
from flask.ext.mail import Mail
|
||||
from werkzeug.routing import BaseConverter
|
||||
from jwkest.jwk import RSAKey
|
||||
from Crypto.PublicKey import RSA
|
||||
|
||||
import features
|
||||
|
||||
|
|
@ -42,6 +44,8 @@ OVERRIDE_CONFIG_PY_FILENAME = 'conf/stack/config.py'
|
|||
|
||||
OVERRIDE_CONFIG_KEY = 'QUAY_OVERRIDE_CONFIG'
|
||||
|
||||
DOCKER_V2_SIGNINGKEY_FILENAME = 'docker_v2.pem'
|
||||
|
||||
app = Flask(__name__)
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
|
@ -154,6 +158,13 @@ dockerfile_build_queue = WorkQueue(app.config['DOCKERFILE_BUILD_QUEUE_NAME'], tf
|
|||
reporter=MetricQueueReporter(metric_queue))
|
||||
notification_queue = WorkQueue(app.config['NOTIFICATION_QUEUE_NAME'], tf, metric_queue=metric_queue)
|
||||
|
||||
# Check for a key in config. If none found, generate a new signing key for Docker V2 manifests.
|
||||
_v2_key_path = os.path.join(OVERRIDE_CONFIG_DIRECTORY, DOCKER_V2_SIGNINGKEY_FILENAME)
|
||||
if os.path.exists(_v2_key_path):
|
||||
docker_v2_signing_key = RSAKey().load(_v2_key_path)
|
||||
else:
|
||||
docker_v2_signing_key = RSAKey(key=RSA.generate(2048))
|
||||
|
||||
database.configure(app.config)
|
||||
model.config.app_config = app.config
|
||||
model.config.store = storage
|
||||
|
|
|
|||
|
|
@ -9,11 +9,9 @@ import json
|
|||
from flask import make_response, request, url_for
|
||||
from collections import namedtuple, OrderedDict
|
||||
from jwkest.jws import SIGNER_ALGS
|
||||
from jwkest.jwk import RSAKey
|
||||
from Crypto.PublicKey import RSA
|
||||
from datetime import datetime
|
||||
|
||||
from app import storage
|
||||
from app import storage, docker_v2_signing_key
|
||||
from auth.jwt_auth import process_jwt_auth
|
||||
from endpoints.decorators import anon_protect
|
||||
from endpoints.v2 import v2_bp, require_repo_read, require_repo_write
|
||||
|
|
@ -332,12 +330,8 @@ def _generate_and_store_manifest(namespace, repo_name, tag_name):
|
|||
for parent in parents:
|
||||
builder.add_layer(parent.storage.checksum, __get_and_backfill_image_metadata(parent))
|
||||
|
||||
# TODO, stop generating a new key every time we sign a manifest, publish our key
|
||||
new_key = RSA.generate(2048)
|
||||
jwk = RSAKey(key=new_key)
|
||||
|
||||
manifest = builder.build(jwk)
|
||||
|
||||
# Sign the manifest with our signing key.
|
||||
manifest = builder.build(docker_v2_signing_key)
|
||||
manifest_row = model.tag.associate_generated_tag_manifest(namespace, repo_name, tag_name,
|
||||
manifest.digest, manifest.bytes)
|
||||
|
||||
|
|
|
|||
Reference in a new issue