
Commit aeceebe

committed
Add flags to control service startup
Signed-off-by: Aaron Lew <[email protected]>
1 parent cb48a63 commit aeceebe


2 files changed

+139
-99
lines changed


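--- a/actions/setup-sigstore-env/build-trusted-root.sh
+++ b/actions/setup-sigstore-env/build-trusted-root.sh
@@ -33,6 +33,21 @@ docker build ./ -f "$SCRIPT_DIR"/Dockerfile.cosign -t cosign
 COSIGN_CMD="docker run --user=$(id -u):$(id -g) --rm -v $WORKDIR/:$WORKDIR/ cosign"
 CMD="$COSIGN_CMD trusted-root create"
 
+FULCIO_SIGNING_CONFIGS=""
+
+add_fulcio_to_signing_config () {
+if [ -n "$FULCIO_SIGNING_CONFIGS" ]; then
+FULCIO_SIGNING_CONFIGS="$FULCIO_SIGNING_CONFIGS,
+"
+fi
+FULCIO_SIGNING_CONFIGS="$FULCIO_SIGNING_CONFIGS{
+\"url\": \"$1\",
+\"majorApiVersion\": 1,
+\"validFor\": { \"start\": \"2025-05-25T00:00:00Z\" },
+\"operator\": \"scaffolding-setup-sigstore-env\"
+}"
+}
+
 REKOR_SIGNING_CONFIGS=""
 
 add_rekor_to_signing_config () {
@@ -64,73 +79,75 @@ add_tsa_to_signing_config () {
 }
 
 while [[ "$#" -gt 0 ]]; do
-case $1 in
---fulcio)
-FULCIO_URL="$2"
-KEYFILE="$3"
-shift
-shift
-
-# copy to our WORKDIR to be mounted in our cosign container.
-cp "$KEYFILE" "$WORKDIR"/
-KEYFILE=$WORKDIR/$(basename "$KEYFILE")
-
-FNAME=$(mktemp --tmpdir="$WORKDIR" fulcio_cert.XXXX.pem)
-curl --fail -o "$FNAME" "$FULCIO_URL"/api/v1/rootCert
-CMD="$CMD --certificate-chain $FNAME --fulcio-uri $FULCIO_URL"
-
-CMD="$CMD --ctfe-key $KEYFILE"
-;;
-
---rekor-v1-url)
-URL="$2"
-shift
-
-add_rekor_to_signing_config "$URL" 1
-
-FNAME=$(mktemp --tmpdir="$WORKDIR" rekorv1_pub.XXXX.pem)
-curl --fail -o "$FNAME" "$URL"/api/v1/log/publicKey
-CMD="$CMD --rekor-key $FNAME --rekor-url $URL"
-;;
-
---rekor-v2)
-URL="$2"
-KEYFILE="$3"
-HOST="$4"
-shift
-shift
-shift
-
-add_rekor_to_signing_config "$URL" 2
-
-# copy to our WORKDIR to be mounted in our cosign container.
-cp "$KEYFILE" "$WORKDIR"/
-KEYFILE=$WORKDIR/$(basename "$KEYFILE")
-
-CMD="$CMD --rekor-key $KEYFILE,$HOST --rekor-url http://$HOST"
-;;
-
---timestamp-url)
-URL="$2"
-shift
-
-add_tsa_to_signing_config "$URL"
-
-FNAME=$(mktemp --tmpdir="$WORKDIR" timestamp_certs.XXXX.pem)
-curl --fail -o "$FNAME" "$URL"/api/v1/timestamp/certchain
-CMD="$CMD --timestamp-certificate-chain $FNAME --timestamp-uri $URL"
-;;
-
---oidc-url)
-OIDC_URL="$2"
-shift
-;;
-
-*) echo "Unknown parameter passed: $1";
-exit 1
-;;
-esac
-shift
+case $1 in
+--fulcio)
+FULCIO_URL="$2"
+KEYFILE="$3"
+shift
+shift
+
+add_fulcio_to_signing_config "$FULCIO_URL"
+
+# copy to our WORKDIR to be mounted in our cosign container.
+cp "$KEYFILE" "$WORKDIR"/
+KEYFILE=$WORKDIR/$(basename "$KEYFILE")
+
+FNAME=$(mktemp --tmpdir="$WORKDIR" fulcio_cert.XXXX.pem)
+curl --fail -o "$FNAME" "$FULCIO_URL"/api/v1/rootCert
+CMD="$CMD --certificate-chain $FNAME --fulcio-uri $FULCIO_URL"
+
+CMD="$CMD --ctfe-key $KEYFILE"
+;;
+
+--rekor-v1-url)
+URL="$2"
+shift
+
+add_rekor_to_signing_config "$URL" 1
+
+FNAME=$(mktemp --tmpdir="$WORKDIR" rekorv1_pub.XXXX.pem)
+curl --fail -o "$FNAME" "$URL"/api/v1/log/publicKey
+CMD="$CMD --rekor-key $FNAME --rekor-url $URL"
+;;
+
+--rekor-v2)
+URL="$2"
+KEYFILE="$3"
+HOST="$4"
+shift
+shift
+shift
+
+add_rekor_to_signing_config "$URL" 2
+
+# copy to our WORKDIR to be mounted in our cosign container.
+cp "$KEYFILE" "$WORKDIR"/
+KEYFILE=$WORKDIR/$(basename "$KEYFILE")
+
+CMD="$CMD --rekor-key $KEYFILE,$HOST --rekor-url http://$HOST"
+;;
+
+--timestamp-url)
+URL="$2"
+shift
+
+add_tsa_to_signing_config "$URL"
+
+FNAME=$(mktemp --tmpdir="$WORKDIR" timestamp_certs.XXXX.pem)
+curl --fail -o "$FNAME" "$URL"/api/v1/timestamp/certchain
+CMD="$CMD --timestamp-certificate-chain $FNAME --timestamp-uri $URL"
+;;
+
+--oidc-url)
+OIDC_URL="$2"
+shift
+;;
+
+*) echo "Unknown parameter passed: $1";
+exit 1
+;;
+esac
+shift
 done
 
 $CMD > trusted_root.json
@@ -140,12 +157,7 @@ cat << EOF > signing_config.json
 {
 "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
 "caUrls": [
-{
-"url": "$FULCIO_URL",
-"majorApiVersion": 1,
-"validFor": { "start": "2025-05-25T00:00:00Z" },
-"operator": "scaffolding-setup-sigstore-env"
-}
+$FULCIO_SIGNING_CONFIGS
 ],
 "oidcUrls": [
 {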
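Review bot: add_fulcio_to_signing_config (new lines 38-49) splices its URL argument into a JSON fragment by plain string interpolation, so a value containing a double quote or backslash yields a signing_config.json that no longer parses, and the function carries no header comment stating that precondition. The pre-existing add_rekor_to_signing_config and add_tsa_to_signing_config helpers, whose bodies lie outside this hunk, appear to use the same construction, so the pragmatic fix is a comment on the new function: `# Append a caUrls entry for the Fulcio URL in $1 to FULCIO_SIGNING_CONFIGS; $1 is inserted into the JSON fragment unescaped, so it must not contain '"' or '\'.` The new function tests with `[ -n ... ]` while the argument loop on new line 81 uses `[[ ... ]]`; using one form throughout keeps the script consistent. When --fulcio is never passed, the heredoc at new line 160 now emits an empty line inside the caUrls array, which is still valid JSON but deserves a one-line comment there so the next reader does not take it for a bug.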

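--- a/actions/setup-sigstore-env/run-containers.sh
+++ b/actions/setup-sigstore-env/run-containers.sh
@@ -16,6 +16,22 @@
 
 # <cmd> || return is so the script can exit early without quitting your shell.
 
+START_FULCIO=true
+START_REKOR=true
+START_TSA=true
+START_REKOR_TILES=true
+
+while [[ "$#" -gt 0 ]]; do
+case $1 in
+--no-fulcio) START_FULCIO=false; ;;
+--no-rekor) START_REKOR=false; ;;
+--no-tsa) START_TSA=false; ;;
+--no-rekor-tiles) START_REKOR_TILES=false; ;;
+*) echo "Unknown parameter passed: $1"; exit 1 ;;
+esac
+shift
+done
+
 CLONE_DIR="${CLONE_DIR:-$(mktemp -d)}"
 CWD="$(pwd)"
 
@@ -43,36 +59,41 @@ popd || return
 
 echo "downloading service repos"
 pushd "$CLONE_DIR" || return
-FULCIO_REPO="${FULCIO_REPO:-sigstore/fulcio}"
-REKOR_REPO="${REKOR_REPO:-sigstore/rekor}"
-TIMESTAMP_AUTHORITY_REPO="${TIMESTAMP_AUTHORITY_REPO:-sigstore/timestamp-authority}"
-REKOR_TILES_REPO="${REKOR_TILES_REPO:-sigstore/rekor-tiles}"
-OWNER_REPOS=(
-"$FULCIO_REPO"
-"$REKOR_REPO"
-"$TIMESTAMP_AUTHORITY_REPO"
-"$REKOR_TILES_REPO"
-)
+OWNER_REPOS=()
+if [ "$START_FULCIO" = true ]; then
+OWNER_REPOS+=("${FULCIO_REPO:-sigstore/fulcio}")
+fi
+if [ "$START_REKOR" = true ]; then
+OWNER_REPOS+=("${REKOR_REPO:-sigstore/rekor}")
+fi
+if [ "$START_TSA" = true ]; then
+OWNER_REPOS+=("${TIMESTAMP_AUTHORITY_REPO:-sigstore/timestamp-authority}")
+fi
+if [ "$START_REKOR_TILES" = true ]; then
+OWNER_REPOS+=("${REKOR_TILES_REPO:-sigstore/rekor-tiles}")
+fi
 procs=${#OWNER_REPOS[@]}
 for owner_repo in "${OWNER_REPOS[@]}"; do
-repo=$(basename "$owner_repo")
-if [[ ! -d $repo ]]; then
-echo "'git clone https://github.com/${owner_repo}.git'"
-else
-echo "'cd $repo && git pull'"
-fi
+repo=$(basename "$owner_repo")
+if [[ ! -d $repo ]]; then
+echo "'git clone https://github.com/${owner_repo}.git'"
+else
+echo "'cd $repo && git pull'"
+fi
 done | xargs -P "$procs" -L1 bash -c
 export CT_LOG_KEY="$CLONE_DIR/fulcio/config/ctfe/pubkey.pem"
 
 echo "starting services"
 export FULCIO_METRICS_PORT=2113
 for owner_repo in "${OWNER_REPOS[@]}"; do
-repo=$(basename "$owner_repo")
-echo "'cd $repo && docker compose up --wait'"
+repo=$(basename "$owner_repo")
+echo "'cd $repo && docker compose up --wait'"
 done | xargs -P "$procs" -L1 bash -c
 # The fakeoidc service is in a separate Docker network. Connect the fakeoidc container to the Fulcio
 # network to enable Fulcio to reach it for token verification.
-docker network inspect fulcio_default | grep fakeoidc || docker network connect --alias fakeoidc fulcio_default fakeoidc || return
+if [ "$START_FULCIO" = true ]; then
+docker network inspect fulcio_default | grep fakeoidc || docker network connect --alias fakeoidc fulcio_default fakeoidc || return
+fi
 export TSA_URL="http://localhost:3004"
 popd || return
 
@@ -98,13 +119,20 @@ stop_services() {
 
 echo "building trusted root"
 pushd "$CLONE_DIR" || return
-"$CWD"/build-trusted-root.sh \
---fulcio http://localhost:5555 "$CLONE_DIR/fulcio/config/ctfe/pubkey.pem" \
---timestamp-url http://localhost:3004 \
---oidc-url http://localhost:8080 \
---rekor-v1-url http://localhost:3000 \
---rekor-v2 http://localhost:3003 "$CLONE_DIR/rekor-tiles/tests/testdata/pki/ed25519-pub-key.pem" "rekor-local" \
-|| return
+BUILD_CMD=("$CWD/build-trusted-root.sh" --oidc-url http://localhost:8080)
+if [ "$START_FULCIO" = true ]; then
+BUILD_CMD+=(--fulcio http://localhost:5555 "$CLONE_DIR/fulcio/config/ctfe/pubkey.pem")
+fi
+if [ "$START_TSA" = true ]; then
+BUILD_CMD+=(--timestamp-url http://localhost:3004)
+fi
+if [ "$START_REKOR" = true ]; then
+BUILD_CMD+=(--rekor-v1-url http://localhost:3000)
+fi
+if [ "$START_REKOR_TILES" = true ]; then
+BUILD_CMD+=(--rekor-v2 http://localhost:3003 "$CLONE_DIR/rekor-tiles/tests/testdata/pki/ed25519-pub-key.pem" "rekor-local")
+fi
+"${BUILD_CMD[@]}" || return
 export TRUSTED_ROOT="$CLONE_DIR/trusted_root.json"
 export SIGNING_CONFIG="$CLONE_DIR/signing_config.json"
 export TRUST_CONFIG="$CLONE_DIR/trust_config.json"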