Open RRcwhiting opened 11 months ago
haydentherapper
commented
11 months ago Rekor and CT are two different implementations of transparency logs. CT is specifically for certificates, Rekor records signatures/signing events.
Are you using https://github.com/sigstore/rekor/blob/main/docker-compose.yml? Also check out https://github.com/sigstore/helm-charts.
RRcwhiting
commented
11 months ago I also combined it with https://github.com/sigstore/fulcio/blob/main/docker-compose.yml
I basically ended up with the following:
host 1: search, rekor, CT,
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
version: '3.4'
services:
search:
build:
context: search
ports:
- 80
caddy:
image: caddy:2.7.5
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- ./site:/srv
- caddy_data:/data
- caddy_config:/config
links:
- rekor-server
- trillian-log-server
- ct_server
- search
mariadb:
image: mariadb:11.2.2-jammy
environment:
- MARIADB_ROOT_PASSWORD=zaphod
- MARIADB_DATABASE=test
- MARIADB_USER=test
- MARIADB_PASSWORD=zaphod
ports:
- 127.0.0.1:3306:3306
volumes:
- ./mariadb:/var/lib/mysql:Z
#mysql:
# platform: linux/amd64
# image: gcr.io/trillian-opensource-ci/db_server:v1.4.0
# environment:
# - MYSQL_ROOT_PASSWORD=zaphod
# - MYSQL_DATABASE=test
# - MYSQL_USER=test
# - MYSQL_PASSWORD=zaphod
# restart: always # keep the MySQL server running
# healthcheck:
# test: ["CMD", "/etc/init.d/mysql", "status"]
# interval: 30s
# timeout: 3s
# retries: 3
# start_period: 10s
redis-server:
image: docker.io/redis:6.2
command: [
"--bind",
"0.0.0.0",
"--appendonly",
"yes",
"--requirepass",
"test"
]
ports:
- "6379:6379"
restart: always # keep the redis server running
healthcheck:
test: ["CMD", "redis-cli", "-a", "test", "ping"]
interval: 10s
timeout: 3s
retries: 3
start_period: 5s
ctfe_init:
build:
context: .
dockerfile: Dockerfile.ctfe_init
depends_on:
- trillian-log-server
volumes:
- ./ctfeConfig:/etc/config/:rw
ct_server:
image: gcr.io/trillian-opensource-ci/ctfe
volumes:
- ./ctfeConfig:/etc/config/:ro
command: [
"--log_config" ,"/etc/config/ct_server.cfg",
"--log_rpc_server", "trillian-log-server:8090", #8096
"--http_endpoint", "0.0.0.0:6961",
"--alsologtostderr",
"-v","2"
]
restart: always # retry while ctfe_init is running
depends_on:
- trillian-log-server
- trillian-log-signer
# - ctfe_init
ports:
- "6961:6961"
trillian-log-server:
image: gcr.io/projectsigstore/trillian_log_server@sha256:f850a0defd089ea844822030c67ae05bc93c91168a7dd4aceb0b6648c39f696b
command: [
"--quota_system=noop",
"--storage_system=mysql",
"--mysql_uri=test:zaphod@tcp(mariadb:3306)/test",
"--rpc_endpoint=0.0.0.0:8090",
"--http_endpoint=0.0.0.0:8091",
"--alsologtostderr",
]
restart: always # retry while mysql is starting up
ports:
- "8090:8090"
- "8091:8091"
depends_on:
#- mysql
- mariadb
trillian-log-signer:
image: gcr.io/projectsigstore/trillian_log_signer@sha256:fe90d523f6617974f70878918e4b31d49b2b46a86024bb2d6b01d2bbfed8edbf
command: [
"--quota_system=noop",
"--storage_system=mysql",
"--mysql_uri=test:zaphod@tcp(mariadb:3306)/test",
"--rpc_endpoint=0.0.0.0:8090",
"--http_endpoint=0.0.0.0:8091",
"--force_master",
"--alsologtostderr",
]
restart: always # retry while mysql is starting up
ports:
- "8092:8091"
depends_on:
- mariadb
rekor-server:
image: gcr.io/projectsigstore/rekor-server:v1.3.3
#image: gcr.io/projectsigstore/rekor/ci/rekor/rekor-server:latest
environment:
- TMPDIR=/var/run/attestations # workaround for https://github.com/google/go-cloud/issues/3294
command: [
"serve",
"--trillian_log_server.address=trillian-log-server",
"--trillian_log_server.port=8090",
"--redis_server.address=redis-server",
"--redis_server.password=test",
"--redis_server.port=6379",
"--rekor_server.address=0.0.0.0",
"--rekor_server.signer=memory",
"--enable_attestation_storage",
"--attestation_storage_bucket=file:///var/run/attestations",
"--enable_stable_checkpoint",
"--search_index.storage_provider=redis",
# "--log_type=prod",
]
volumes:
- "/var/run/attestations:/var/run/attestations:z"
restart: always # keep the server running
ports:
- "3000:3000"
- "2112:2112"
depends_on:
- mariadb
- redis-server
- trillian-log-server
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/ping"]
interval: 10s
timeout: 3s
retries: 3
start_period: 5s
volumes:
caddy_data:
caddy_config:host 2: fulcio, dex, (eventually TUF)
version: '3.2'
services:
caddy:
image: caddy:2.7.4
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- ./site:/srv
- caddy_data:/data
- caddy_config:/config
links:
- fulcio-server
- dex-idp
fulcio-server:
image: gcr.io/projectsigstore/fulcio:v1.4.3
command: [
"serve",
"--host=0.0.0.0",
"--port=5555",
"--grpc-port=5554",
"--ca=ephemeralca",
--ct-log-url=https://ctl.example.com/test
# "--log_type=prod",
]
restart: always # keep the server running
ports:
- "5555:5555"
- "5554:5554"
- "2112:2112"
volumes:
- ./config/config.jsn:/etc/fulcio-config/config.json #:z
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:5555/ping"]
interval: 10s
timeout: 3s
retries: 3
start_period: 5s
depends_on:
- dex-idp
read_only: true
dex-idp:
image: dexidp/dex:v2.30.0
user: root
command: [
"dex",
"serve",
"/etc/config/dex-config.yaml",
]
restart: always # keep the server running
ports:
- "8888:8888"
volumes:
- ./config/dex:/etc/config/:ro
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8888/auth/healthz"]
interval: 10s
timeout: 3s
retries: 3
start_period: 5s
volumes:
caddy_data:
caddy_config:search Dockerfile:
FROM node:latest as builder
RUN apt install git
RUN git clone https://github.com/sigstore/rekor-search-ui /search # yours would probably just COPY .
WORKDIR /search
RUN npm install
ARG SEARCH_DOMAIN
ARG REKOR_DOMAIN
RUN echo "$SEARCH_DOMAIN" > CNAME
RUN echo "NEXT_PUBLIC_REKOR_DEFAULT_DOMAIN=https://$REKOR_DOMAIN" > .env.local
COPY next.config.js /search/next.config.js
RUN npm run build
RUN ls /search/out
#RUN ls /search/.next/static
#RUN npx --no-install next export
FROM nginx:latest
COPY --from=builder /search/out /usr/share/nginx/html
RUN ls /usr/share/nginx/html
Description
Trying to deploy Rekor and Fulcio using gcr images.
image: gcr.io/projectsigstore/rekor-server -- unknown flag --redis_server.password
etc, etc, - setting things up with those two compose files is becoming... interesting. Is the compose setup in rekor or the one in fulcio preferred as far as the certificate transparency mysql setup?