Add ability to remove delegations from a given target.

Refactor the webserver to utilize Cobra and Viper for better cli and configuration experience.

Terraform or docker deployment scripting for our cloud environment.

for an existing target we should be able to authorize a delegate public key for the given target.

https://stackoverflow.com/questions/48855122/keycloak-adaptor-for-golang-application

See this blog to have Nginx play nice with react-router.

https://marcofranssen.nl/react-router-and-nginx-over-http2/

Currently the change is a forked submodule

https://goreleaser.com/

The docker trust client needs all the certificates in the tree to be able to sign an image. (notary v2 is resolving the issue of having some certificates remote)
This doesn't mean the client also needs the credentials for those keys as long there is a delegation available for this repository.

For CI/CD processes it should be easy to retrieve the keys required for a given repository using e.g. a simple curl request or a small cli tool which puts the keys in the right place.

The credential for a CI jobs delegation key can be retrieved from vault or could also be integrated in this small tool. Once the credential is retrieved, the CI/CD process can set the following environment variable to make the process non interactive.

DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE

without that env variable set you will be prompted to enter the password for the delegation key or the repository key. For CI/CD it is important this will be set automagically.

We have created a fork org for forks, please move the fork

To have better repeatable tests we need to have a script to prepare the notary-server in the docker sandbox using data that is a aligned with the .notary folder in this repository.

The .notary folder commited contains a local cache of the certificates created and published on the server. Once the timestamp keys expire the tests will now fail, because every server reboot we will loose the notary server data.

Before running the tests we need to run some kind of preseed script that publishes the local data on notary server to have a good initial test setup.

Alternative

We need to modify the tests in some way to not be dependant on this data and use some newly generated certificates to operate the tests.

Or

We need to see how we can make the tests using mocking or in memory kind of approach so we don't depend on the sandbox for this.

https://github.com/docker/cli/blob/ae1618713f83e7da07317d579d0675f578de22fa/cli/command/trust/helpers.go#L41

notary init docker.io/philipssoftware/test
initializes a repo which is compatible with docker trust

E.g.:

$ notary init docker.io/marcofranssen/test
$ notary list docker.io/marcofranssen/test               

No targets present in this repository.
$ docker trust inspect marcofranssen/test --pretty

No signatures for marcofranssen/test


Administrative keys for marcofranssen/test

  Repository Key:       0bac4a4d1aa01ef8825e44ef27ad8e3dc333bc0856c55ded414f942c0f902beb
  Root Key:     e220d072f747ec4a340bd94fc2542f2ab982554e24560668e68dd39044923bdc

Currently dctna-web is only released as docker image.

Include dctna-web as tar.gz release in the releases.

See Release notes of this PR #394

The action now has support for caching built in.

The notary configuration is not read from environment variables.

Reproduce by not having a config file in place.

POST /api/targets

To be able to run the admin interface for multiple registries with their own notary sidecars or shared sidecars it should be possible to define a map of registry and related notary server.

e.g.

repos starting with docker.io should use notary.docker.io
repos starting with myregistry.com should use notary.internal.company.com
etc.

This also means more advanced authentication mechanism needs to be put in place #48.

The form should allow for uploading or copy pasting the public key to be added as a delegation for the given target.

POST /api/targets/ab234bc/delegations

where ab234bc is the id of a target.

Revocation should can only be done if the latest signed image tags are not signed by this key.

Minimum viable:

• return a HTTP error response to inform API consumer there are images signed with this key

Improvement:

• which tags are signed with this key

https://github.com/goreleaser/goreleaser-action#signing

When connecting dctna-server to https://notary.docker.io a 401 response is returned.

In order for this to work we need to add a basic authentication handler so we can connect to the notary server.

An starting point can be found here.
https://github.com/docker/cli/blob/master/cli/trust/trust.go#L173

GitHub Actions is deprecating set-env and add-path commands. Check out this blog post for more details.

This repository has been listed by a scan that it uses one of de deprecated actions. It could be case the commands are directly usages in the build yaml, or indirect via an action. Action runners above version 2.273.5 will warn for usages of these deprecated commands. Expectation is that the commands will be disabled before the end of the year.

Please check your build YAML and action log to ensure your build keep working once the commands are disabled.

Feel free to reach out if you question or any help is needed

Regards, Niek Palm (@npalm)

this issue is generated based on a scan

When adding a delegation for a given target, the created key seems to be incorrect.

It seems a delegation added as marcofranssen ends up as targets/marcofranssen. Causing the key not to be detected as a delegation.

The local keys should be cleaned up when the synchronisation with notary server fails or it should be prevented to create duplicate keys.