936cf8846a
## Why
Local terraform repos already served the Terraform **network mirror** protocol, but consuming that requires every user to add a `provider_installation { network_mirror }` block to `~/.terraformrc`. A `source = "artifactapi.k8s.../ns/type"` address instead triggers the **provider registry** protocol (service discovery at `/.well-known/terraform.json` + GPG-signed SHA256SUMS), which returned 404 — hence *"does not offer a provider registry."*
Local repos are meant to be the real thing, so this makes a terraform local repo a first-class provider registry: `terraform init` installs from a bare source address with no client config.
## What
- Serve `/.well-known/terraform.json` service discovery and the `providers.v1` endpoints under `/terraform/v1/providers`: `versions`, `download/{os}/{arch}`, `sha256sums`, `sha256sums.sig`.
- Map the Terraform **namespace** segment to the artifactapi **repo name**; locate the provider by **type**. `download_url` points back at the existing `/api/v1/local/...` path.
- Generate `SHA256SUMS` per version and sign it with a GPG key loaded from `TF_SIGNING_KEY_PATH` (optional `TF_SIGNING_KEY_PASSPHRASE`); advertise the public key + key id in the download response. **No key → registry stays disabled (endpoints 404)**, so behaviour is unchanged until the signing secret is present.
- New `internal/tfsign` (key load + detached signing, via `x/crypto/openpgp`) and `internal/api/terraform` (registry handler). Export `ParseProviderZip` for reuse.
- `TF_PROVIDER_PROTOCOLS` (default `5.0,6.0`) sets the advertised plugin protocols.
- README section documenting usage.
## Consumer
```hcl
terraform {
required_providers {
artifactapi = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/artifactapi"
version = "0.1.2"
}
}
}
```
## Tests
- `internal/tfsign`: sign + verify round-trip, disabled/missing-key paths.
- `internal/api/terraform`: dockerised full flow (discovery → versions → download → sha256sums → sig), verifying the signature against the advertised public key.
## Follow-ups (separate PRs)
- **argocd-apps**: mount the signing K8s secret into the api deployment + set `TF_SIGNING_KEY_PATH`. The `/` HTTPRoute already routes `/.well-known` and `/terraform` to the API, so no gateway change is needed.
- Image/version bump once tagged.
## Note
Anchored the `terraform/` gitignore to the repo root (`/terraform/`) so it stops matching `internal/*/terraform/`. This surfaced `internal/provider/terraform/terraform_extra_test.go`, which had been silently untracked — now committed.
Reviewed-on: #102
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
package database
import (
	"context"
	"fmt"
	"time"

	"github.com/jackc/pgx/v5/pgxpool"
)
// DB is the package's handle on Postgres. It wraps the pgx connection pool
// that New creates (after a successful Ping and schema migration) and that
// Close releases; migrate issues its DDL through the same pool.
type DB struct {
	// Pool is exported so other packages can run queries directly against
	// the pool rather than going through a wrapper API.
	Pool *pgxpool.Pool
}
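// New builds a pgxpool pool for dsn, verifies the database answers a Ping and
// applies the schema migrations. On any failure after the pool exists the
// pool is closed before the error is returned, so no connections leak.
//
// The DSN normally carries credentials; it is deliberately never echoed into
// the returned errors — only the wrapped driver error is surfaced.
func New(dsn string) (*DB, error) {
	// Bound the reachability check. pgxpool.New does not necessarily dial
	// eagerly, so the Ping below is likely the first real network round-trip;
	// with a background context it would block process startup indefinitely
	// against an unreachable or wedged server instead of failing fast.
	const pingTimeout = 30 * time.Second

	pool, err := pgxpool.New(context.Background(), dsn)
	if err != nil {
		return nil, fmt.Errorf("connect to postgres: %w", err)
	}

	pingCtx, cancel := context.WithTimeout(context.Background(), pingTimeout)
	defer cancel()
	if err := pool.Ping(pingCtx); err != nil {
		pool.Close()
		return nil, fmt.Errorf("ping postgres: %w", err)
	}

	db := &DB{Pool: pool}
	// migrate is idempotent (IF NOT EXISTS throughout), so running it on every
	// start is intended; a failure still tears the pool down.
	if err := db.migrate(); err != nil {
		pool.Close()
		return nil, fmt.Errorf("run migrations: %w", err)
	}

	return db, nil
}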
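// Close releases the connection pool. It is a no-op on a nil receiver or on a
// DB whose Pool was never set (the zero value), so callers can defer it
// unconditionally without first checking how far construction got.
func (db *DB) Close() {
	if db == nil || db.Pool == nil {
		return
	}
	db.Pool.Close()
}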
// migrate applies the schema on every start. Each statement is guarded with
// IF NOT EXISTS (tables, indexes and ADD COLUMN alike), so re-running it
// against an existing database is meant to be a no-op. The ALTER TABLE lines
// add columns that the CREATE TABLE above already lists (repo_type appears in
// both) — presumably the upgrade path for databases created before those
// columns existed.
//
// Everything is sent as one multi-statement Exec with a background context,
// i.e. no deadline: if the DDL waits on a lock (for example another replica
// starting at the same moment), startup waits with it.
//
// NOTE(review): two tables hold secrets in plain TEXT columns and nothing in
// this file transforms them on the way in or out — remotes.username/password
// (upstream credentials) and signing_keys.private_key_armor (an ASCII-armored
// private key). Whether the armor is passphrase-protected or the columns are
// encrypted at the application layer is not visible here; as the schema
// stands, read access to the database is equivalent to holding the upstream
// credentials and the signing capability. Worth confirming and documenting.
// NOTE(review): access_log.client_ip keeps per-request client addresses and
// the schema defines no retention; check that rows are trimmed elsewhere.
// NOTE(review): rpm_metadata.content_hash carries no REFERENCES
// blobs(content_hash), unlike artifacts and local_files — presumably
// deliberate, but it means RPM metadata rows do not block blob deletion.
func (db *DB) migrate() error {
	ctx := context.Background()

	_, err := db.Pool.Exec(ctx, `
		CREATE TABLE IF NOT EXISTS remotes (
			name TEXT PRIMARY KEY,
			package_type TEXT NOT NULL,
			repo_type TEXT DEFAULT 'remote',
			base_url TEXT NOT NULL DEFAULT '',
			description TEXT DEFAULT '',
			username TEXT DEFAULT '',
			password TEXT DEFAULT '',
			immutable_ttl INTEGER DEFAULT 0,
			mutable_ttl INTEGER DEFAULT 3600,
			check_mutable BOOLEAN DEFAULT TRUE,
			patterns TEXT[] DEFAULT '{}',
			blocklist TEXT[] DEFAULT '{}',
			mutable_patterns TEXT[] DEFAULT '{}',
			immutable_patterns TEXT[] DEFAULT '{}',
			ban_tags_enabled BOOLEAN DEFAULT FALSE,
			ban_tags TEXT[] DEFAULT '{}',
			quarantine_enabled BOOLEAN DEFAULT FALSE,
			quarantine_days INTEGER DEFAULT 3,
			stale_on_error BOOLEAN DEFAULT TRUE,
			releases_remote TEXT DEFAULT '',
			managed_by TEXT DEFAULT '',
			created_at TIMESTAMPTZ DEFAULT NOW(),
			updated_at TIMESTAMPTZ DEFAULT NOW()
		);

		CREATE TABLE IF NOT EXISTS virtuals (
			name TEXT PRIMARY KEY,
			package_type TEXT NOT NULL,
			description TEXT DEFAULT '',
			members TEXT[] NOT NULL,
			managed_by TEXT DEFAULT '',
			created_at TIMESTAMPTZ DEFAULT NOW(),
			updated_at TIMESTAMPTZ DEFAULT NOW()
		);

		CREATE TABLE IF NOT EXISTS blobs (
			content_hash TEXT PRIMARY KEY,
			s3_key TEXT NOT NULL,
			size_bytes BIGINT NOT NULL,
			content_type TEXT DEFAULT 'application/octet-stream',
			created_at TIMESTAMPTZ DEFAULT NOW()
		);

		CREATE TABLE IF NOT EXISTS artifacts (
			id BIGSERIAL PRIMARY KEY,
			remote_name TEXT NOT NULL REFERENCES remotes(name) ON DELETE CASCADE,
			path TEXT NOT NULL,
			content_hash TEXT NOT NULL REFERENCES blobs(content_hash),
			upstream_etag TEXT DEFAULT '',
			upstream_last_modified TIMESTAMPTZ,
			first_seen_at TIMESTAMPTZ DEFAULT NOW(),
			last_fetched_at TIMESTAMPTZ DEFAULT NOW(),
			last_accessed_at TIMESTAMPTZ DEFAULT NOW(),
			fetch_count BIGINT DEFAULT 1,
			access_count BIGINT DEFAULT 1,
			UNIQUE(remote_name, path)
		);

		CREATE INDEX IF NOT EXISTS idx_artifacts_remote ON artifacts(remote_name);
		CREATE INDEX IF NOT EXISTS idx_artifacts_last_accessed ON artifacts(last_accessed_at);

		CREATE TABLE IF NOT EXISTS local_files (
			id BIGSERIAL PRIMARY KEY,
			repo_name TEXT NOT NULL,
			file_path TEXT NOT NULL,
			content_hash TEXT NOT NULL REFERENCES blobs(content_hash),
			created_at TIMESTAMPTZ DEFAULT NOW(),
			UNIQUE(repo_name, file_path)
		);

		CREATE TABLE IF NOT EXISTS access_log (
			id BIGSERIAL PRIMARY KEY,
			remote_name TEXT NOT NULL,
			path TEXT NOT NULL,
			cache_hit BOOLEAN NOT NULL,
			size_bytes BIGINT DEFAULT 0,
			upstream_ms INTEGER DEFAULT 0,
			client_ip TEXT DEFAULT '',
			created_at TIMESTAMPTZ DEFAULT NOW()
		);

		CREATE INDEX IF NOT EXISTS idx_access_log_remote_time ON access_log(remote_name, created_at);

		ALTER TABLE remotes ADD COLUMN IF NOT EXISTS repo_type TEXT DEFAULT 'remote';
		ALTER TABLE remotes ADD COLUMN IF NOT EXISTS upstream_dial_timeout INTEGER DEFAULT 0;
		ALTER TABLE remotes ADD COLUMN IF NOT EXISTS upstream_tls_timeout INTEGER DEFAULT 0;
		ALTER TABLE remotes ADD COLUMN IF NOT EXISTS upstream_response_header_timeout INTEGER DEFAULT 0;

		CREATE TABLE IF NOT EXISTS rpm_metadata (
			id BIGSERIAL PRIMARY KEY,
			repo_name TEXT NOT NULL,
			file_path TEXT NOT NULL,
			content_hash TEXT NOT NULL,
			name TEXT NOT NULL,
			epoch INTEGER DEFAULT 0,
			version TEXT NOT NULL,
			release TEXT NOT NULL,
			arch TEXT NOT NULL,
			summary TEXT DEFAULT '',
			description TEXT DEFAULT '',
			rpm_size BIGINT DEFAULT 0,
			installed_size BIGINT DEFAULT 0,
			license TEXT DEFAULT '',
			vendor TEXT DEFAULT '',
			build_group TEXT DEFAULT '',
			build_host TEXT DEFAULT '',
			source_rpm TEXT DEFAULT '',
			url TEXT DEFAULT '',
			packager TEXT DEFAULT '',
			requires JSONB DEFAULT '[]',
			provides JSONB DEFAULT '[]',
			files JSONB DEFAULT '[]',
			changelogs JSONB DEFAULT '[]',
			created_at TIMESTAMPTZ DEFAULT NOW(),
			UNIQUE(repo_name, file_path)
		);

		CREATE INDEX IF NOT EXISTS idx_rpm_metadata_repo ON rpm_metadata(repo_name);

		CREATE TABLE IF NOT EXISTS signing_keys (
			purpose TEXT PRIMARY KEY,
			private_key_armor TEXT NOT NULL,
			key_id TEXT NOT NULL,
			created_at TIMESTAMPTZ DEFAULT NOW()
		);
	`)
	return err
}