Add support for tuf metadata endpoints

2017-02-13 14:14:44 -05:00 · 2017-02-13 14:14:44 -05:00 · 9affe193db
commit 9affe193db
parent 6436444274
7 changed files with 78 additions and 26 deletions
--- a/conf/init/nginx_conf_create.sh
+++ b/conf/init/nginx_conf_create.sh
@ -0,0 +1,46 @@
+#!/venv/bin/python
+
+import os.path
+
+import yaml
+import jinja2
+
+
+def generate_nginx_config():
+  """
+  Generates nginx config from the app config
+  """
+  use_https = os.path.exists('conf/stack/ssl.key')
+
+  with open("conf/nginx/nginx.conf.jnj") as f:
+    template = jinja2.Template(f.read())
+    rendered = template.render(
+      use_https=use_https,
+    )
+
+  with open('conf/nginx/nginx.conf', 'w') as f:
+    f.write(rendered)
+
+
+def generate_server_config(config):
+  """
+  Generates server config from the app config
+  """
+  tuf_server = config.get('TUF_SERVER', None)
+  signing_enabled = tuf_server is not None
+
+  with open("conf/nginx/server-base.conf.jnj") as f:
+    template = jinja2.Template(f.read())
+    rendered = template.render(
+      signing_enabled=signing_enabled,
+      tuf_server=tuf_server,
+    )
+
+  with open('conf/nginx/server-base.conf', 'w') as f:
+    f.write(rendered)
+
+
+if __name__ == "__main__":
+  config = yaml.load(file('conf/stack/config.yaml', 'r'))
+  generate_server_config(config)
+  generate_nginx_config()
--- a/conf/init/service/nginx/run
+++ b/conf/init/service/nginx/run
@ -5,13 +5,6 @@ echo 'Starting nginx'
 NAMESERVER=`cat /etc/resolv.conf | grep "nameserver" | awk '{print $2}' | tr '\n' ' '`
 echo "resolver $NAMESERVER valid=10s;" > /conf/nginx/resolver.conf

-if [ -f /conf/stack/ssl.key ]
-then
-  echo "Using HTTPS"
-  /usr/sbin/nginx -c /conf/nginx/nginx.conf
-else
-  echo "No SSL key provided, using HTTP"
-  /usr/sbin/nginx -c /conf/nginx/nginx-nossl.conf
-fi
+/usr/sbin/nginx -c /conf/nginx/nginx.conf

 echo 'Nginx exited'
--- a/conf/nginx/nginx-nossl.conf
+++ b/conf/nginx/nginx-nossl.conf
@ -1,16 +0,0 @@
-# vim: ft=nginx
-
-include root-base.conf;
-
-http {
-    include http-base.conf;
-    include rate-limiting.conf;
-
-    server {
-        include server-base.conf;
-
-        listen 80 default;
-
-        access_log /dev/stdout lb_logs;
-    }
-}
--- a/conf/nginx/nginx.conf.jnj
+++ b/conf/nginx/nginx.conf.jnj
@ -2,6 +2,8 @@

 include root-base.conf;

+{% if use_https %}
+
 http {
    include http-base.conf;
    include hosted-http-base.conf;
@ -48,3 +50,20 @@ http {
        access_log /dev/stdout lb_logs;
    }
 }
+
+{% else %}
+
+http {
+    include http-base.conf;
+    include rate-limiting.conf;
+
+    server {
+        include server-base.conf;
+
+        listen 80 default;
+
+        access_log /dev/stdout lb_logs;
+    }
+}
+
+{% endif %}
--- a/conf/nginx/server-base.conf.jnj
+++ b/conf/nginx/server-base.conf.jnj
@ -79,6 +79,12 @@ location /secscan/ {
    proxy_pass http://jwtproxy_secscan;
 }

+{% if signing_enabled %}
+location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {
+    proxy_pass {{ tuf_server }};
+}
+{% endif %}
+
 location ~ ^/v2 {
    # If we're being accessed via v1.quay.io, pretend we don't support v2.
    if ($host = "v1.quay.io") {