Add support for tuf metadata endpoints

Dockerfile

@@ -129,6 +129,7 @@ ADD conf/init/doupdatelimits.sh /etc/my_init.d/
 ADD conf/init/copy_syslog_config.sh /etc/my_init.d/
 ADD conf/init/certs_create.sh /etc/my_init.d/
 ADD conf/init/certs_install.sh /etc/my_init.d/
+ADD conf/init/nginx_conf_create.sh /etc/my_init.d/
 ADD conf/init/runmigration.sh /etc/my_init.d/
 ADD conf/init/syslog-ng.conf /etc/syslog-ng/
 ADD conf/init/zz_boot.sh /etc/my_init.d/

conf/init/nginx_conf_create.sh

@@ -0,0 +1,46 @@
+#!/venv/bin/python
+
+import os.path
+
+import yaml
+import jinja2
+
+
+def generate_nginx_config():
+  """
+  Generates nginx config from the app config
+  """
+  use_https = os.path.exists('conf/stack/ssl.key')
+
+  with open("conf/nginx/nginx.conf.jnj") as f:
+    template = jinja2.Template(f.read())
+    rendered = template.render(
+      use_https=use_https,
+    )
+
+  with open('conf/nginx/nginx.conf', 'w') as f:
+    f.write(rendered)
+
+
+def generate_server_config(config):
+  """
+  Generates server config from the app config
+  """
+  tuf_server = config.get('TUF_SERVER', None)
+  signing_enabled = tuf_server is not None
+
+  with open("conf/nginx/server-base.conf.jnj") as f:
+    template = jinja2.Template(f.read())
+    rendered = template.render(
+      signing_enabled=signing_enabled,
+      tuf_server=tuf_server,
+    )
+
+  with open('conf/nginx/server-base.conf', 'w') as f:
+    f.write(rendered)
+
+
+if __name__ == "__main__":
+  config = yaml.load(file('conf/stack/config.yaml', 'r'))
+  generate_server_config(config)
+  generate_nginx_config()

conf/init/service/nginx/run

@@ -5,13 +5,6 @@ echo 'Starting nginx'
 NAMESERVER=`cat /etc/resolv.conf | grep "nameserver" | awk '{print $2}' | tr '\n' ' '`
 echo "resolver $NAMESERVER valid=10s;" > /conf/nginx/resolver.conf
 
-if [ -f /conf/stack/ssl.key ]
+/usr/sbin/nginx -c /conf/nginx/nginx.conf
-then
-  echo "Using HTTPS"
-  /usr/sbin/nginx -c /conf/nginx/nginx.conf
-else
-  echo "No SSL key provided, using HTTP"
-  /usr/sbin/nginx -c /conf/nginx/nginx-nossl.conf
-fi
 
 echo 'Nginx exited'

conf/nginx/nginx-nossl.conf

@@ -1,16 +0,0 @@
-# vim: ft=nginx
-
-include root-base.conf;
-
-http {
-    include http-base.conf;
-    include rate-limiting.conf;
-
-    server {
-        include server-base.conf;
-
-        listen 80 default;
-
-        access_log /dev/stdout lb_logs;
-    }
-}

conf/nginx/nginx.conf.jnj

@@ -2,6 +2,8 @@
 
 include root-base.conf;
 
+{% if use_https %}
+
 http {
     include http-base.conf;
     include hosted-http-base.conf;
@@ -48,3 +50,20 @@ http {
         access_log /dev/stdout lb_logs;
     }
 }
+
+{% else %}
+
+http {
+    include http-base.conf;
+    include rate-limiting.conf;
+
+    server {
+        include server-base.conf;
+
+        listen 80 default;
+
+        access_log /dev/stdout lb_logs;
+    }
+}
+
+{% endif %}

conf/nginx/server-base.conf.jnj

@@ -79,6 +79,12 @@ location /secscan/ {
     proxy_pass http://jwtproxy_secscan;
 }
 
+{% if signing_enabled %}
+location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {
+    proxy_pass {{ tuf_server }};
+}
+{% endif %}
+
 location ~ ^/v2 {
     # If we're being accessed via v1.quay.io, pretend we don't support v2.
     if ($host = "v1.quay.io") {

config.py

@@ -165,10 +165,10 @@ class DefaultConfig(object):
   # Feature Flag: Whether Google login is supported.
   FEATURE_GOOGLE_LOGIN = False
 
-  # Feature Flag: Whther Dex login is supported.
+  # Feature Flag: Whether Dex login is supported.
   FEATURE_DEX_LOGIN = False
 
-  # Feature flag, whether to enable support chat
+  # Feature flag: whether to enable support chat
   FEATURE_SUPPORT_CHAT = False
 
   # Feature Flag: Whether to support GitHub build triggers.
@@ -414,3 +414,6 @@ class DefaultConfig(object):
   FEATURE_RECAPTCHA = False
   RECAPTCHA_SITE_KEY = None
   RECAPTCHA_SECRET_KEY = None
+
+  # Server where TUF metadata can be found
+  TUF_SERVER = None