diff --git a/Makefile b/Makefile
index b6231b5d7f05..ce764f0ed373 100644
--- a/Makefile
+++ b/Makefile
@@ -101,6 +101,8 @@ initdb: .state/docker-build-base
 docker compose run --rm web psql -h db -d postgres -U postgres -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname ='warehouse';"
 docker compose run --rm web psql -h db -d postgres -U postgres -c "DROP DATABASE IF EXISTS warehouse"
 docker compose run --rm web psql -h db -d postgres -U postgres -c "CREATE DATABASE warehouse ENCODING 'UTF8'"
+ docker compose run --rm web psql -h db -d postgres -U postgres -c "DROP DATABASE IF EXISTS rstuf"
+ docker compose run --rm web psql -h db -d postgres -U postgres -c "CREATE DATABASE rstuf ENCODING 'UTF8'"
 docker compose run --rm web bash -c "xz -d -f -k dev/$(DB).sql.xz --stdout | psql -h db -d warehouse -U postgres -v ON_ERROR_STOP=1 -1 -f -"
 docker compose run --rm web psql -h db -d warehouse -U postgres -c "UPDATE users SET name='Ee Durbin' WHERE username='ewdurbin'"
 $(MAKE) runmigrations
diff --git a/dev/environment b/dev/environment
index 66bd218fd5e5..81be81df0db3 100644
--- a/dev/environment
+++ b/dev/environment
@@ -58,9 +58,6 @@ TOKEN_REMEMBER_DEVICE_SECRET="an insecure remember device auth secret key"
 
 WAREHOUSE_LEGACY_DOMAIN=pypi.python.org
 
-VAULT_URL="http://vault:8200"
-VAULT_TOKEN="an insecure vault access token"
-
 GITHUB_TOKEN_SCANNING_META_API_URL="http://notgithub:8000/meta/public_keys/token_scanning"
 TWOFACTORREQUIREMENT_ENABLED=true
 TWOFACTORMANDATE_AVAILABLE=true
diff --git a/dev/vault/config.hcl b/dev/vault/config.hcl
deleted file mode 100644
index aa17b9b8c9a6..000000000000
--- a/dev/vault/config.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-storage "file" {
- path = "/vault/file"
-}
diff --git a/dev/vault/entry.sh b/dev/vault/entry.sh
deleted file mode 100644
index ad2ca55ad5af..000000000000
--- a/dev/vault/entry.sh
+++ /dev/null
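Review bot: The new `DROP DATABASE IF EXISTS rstuf` line has no counterpart to the `pg_terminate_backend` step that precedes the warehouse drop, so whenever the rstuf-worker service (which this commit points at `postgresql://postgres@db:5432/rstuf` in docker-compose.yml) holds a connection, PostgreSQL refuses the drop with "database is being accessed by other users" and `make initdb` aborts at that line. Either add the same terminate step before it, `docker compose run --rm web psql -h db -d postgres -U postgres -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname ='rstuf';"`, or, since the db service in this repo runs postgres:14.4, write `DROP DATABASE IF EXISTS rstuf WITH (FORCE)`. The `initdb` rule header is outside the hunk and its recipe may continue past the `$(MAKE) runmigrations` line.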
@@ -1,52 +0,0 @@
-#!/bin/sh
-
-# entry.sh: spawn vault
-# taken and cleaned up from cabotage @ 6e7eafc:
-# https://github.com/cabotage/cabotage-app/blob/6e7eafce737726a04bd6ce0896845f6cf2f7bd29/docker-compose/vault/entry.sh
-
-export VAULT_ADDR=http://127.0.0.1:8200
-if [ -f /vault/file/unseal ]; then
- echo "starting vault!"
- vault server \
- -dev -dev-skip-init -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS}" \
- -dev-root-token-id="${VAULT_DEV_ROOT_TOKEN_ID}" -config /etc/vault/config.hcl &
- echo "unsealing!"
- while true; do
- vault status >/dev/null 2>&1
- if [ $? = 2 ]; then
- echo "we good"
- break
- fi
- echo "vault not up yet..."
- sleep .5
- done
- UNSEAL_TOKEN=$(cat /vault/file/unseal)
- export UNSEAL_TOKEN
- vault operator unseal "${UNSEAL_TOKEN}"
- wait
-else
- echo "starting vault!"
- vault server \
- -dev -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS}" \
- -dev-root-token-id="${VAULT_DEV_ROOT_TOKEN_ID}" -config /etc/vault/config.hcl 2>&1 \
- | tee "${HOME}/logfile" &
- while true; do
- if vault status >/dev/null 2>&1; then
- echo "we good"
- break
- fi
- echo "vault not up and initialized yet..."
- sleep .5
- done
- echo -n \
- "$(grep 'Unseal Key: ' "${HOME}/logfile" \
- | awk '{print $NF}' \
- | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" \
- )" > /vault/file/unseal
-
- echo "bootstrapping our transit key"
- VAULT_TOKEN=${VAULT_DEV_ROOT_TOKEN_ID} \
- vault secrets enable transit
-
- wait
-fi
diff --git a/docker-compose.yml b/docker-compose.yml
index 83da1d3796f7..39c16c65e2b7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,28 +6,10 @@ volumes:
 packages-archive:
 sponsorlogos:
 policies:
- vault:
 caches:
+ rstuf-metadata:
 
 services:
- vault:
- # NOTE: pinned for consistency with whats available in our deployment
- image: vault:1.12.3
- restart: on-failure
- entrypoint: /bin/sh
- command: /etc/vault/entry.sh
- stop_signal: SIGINT
- environment:
- VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
- VAULT_DEV_ROOT_TOKEN_ID: "an insecure vault access token"
- ports:
- - "8200:8200"
- cap_add:
- - IPC_LOCK
- volumes:
- - vault:/vault/file
- - ./dev/vault:/etc/vault
-
 db:
 image: postgres:14.4
 ports:
@@ -160,6 +142,32 @@ services:
 ARCHIVE_FILES_BACKEND: "warehouse.packaging.services.LocalArchiveFileStorage path=/var/opt/warehouse/packages-archive/ url=http://files:9001/packages-archive/{path}"
 SIMPLE_BACKEND: "warehouse.packaging.services.LocalSimpleStorage path=/var/opt/warehouse/simple/ url=http://files:9001/simple/{path}"
 
+ rstuf-api:
+ image: ghcr.io/repository-service-tuf/repository-service-tuf-api:v0.9.0b1
+ ports:
+ - 8001:80
+ environment:
+ - RSTUF_BROKER_SERVER=redis://redis/1
+ - RSTUF_REDIS_SERVER=redis://redis
+ - RSTUF_REDIS_SERVER_DB_RESULT=1
+ - RSTUF_REDIS_SERVER_DB_REPO_SETTINGS=2
+
+ rstuf-worker:
+ image: ghcr.io/repository-service-tuf/repository-service-tuf-worker:v0.11.0b1
+ volumes:
+ - rstuf-metadata:/var/opt/repository-service-tuf/storage
+ environment:
+ - RSTUF_STORAGE_BACKEND=LocalStorage
+ - RSTUF_LOCAL_STORAGE_BACKEND_PATH=/var/opt/repository-service-tuf/storage
+ - RSTUF_BROKER_SERVER=redis://redis/1
+ - RSTUF_REDIS_SERVER=redis://redis
+ - RSTUF_REDIS_SERVER_DB_RESULT=1
+ - RSTUF_REDIS_SERVER_DB_REPO_SETTINGS=2
+ - RSTUF_SQL_SERVER=postgresql://postgres@db:5432/rstuf
+ depends_on:
+ db:
+ condition: service_healthy
+
 static:
 build:
 context: .
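Review bot: `rstuf-api` declares no `depends_on` and `rstuf-worker` waits only on `db`, although both new services are configured against the redis broker (`RSTUF_BROKER_SERVER=redis://redis/1`, presumably the `redis` service defined elsewhere in this file) and the worker additionally needs the `rstuf` database that only `make initdb` creates; on a plain `docker compose up` they can start before redis is reachable, and whether these images retry rather than exit is not visible here. Consider `depends_on: [redis]` on `rstuf-api`, adding `redis` to the worker's `depends_on`, and a comment on `RSTUF_SQL_SERVER` noting that the `rstuf` database must be created by `initdb` first. As a style point, the port mapping this file already uses is quoted (`- "8200:8200"` in the removed vault block), so `- "8001:80"` would match. The api image (`v0.9.0b1`) and worker image (`v0.11.0b1`) are pinned to different pre-release versions; if that pairing is deliberate, a `# NOTE:` like the one on the removed vault service would record why.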