edb6c7c0f7
Local terraform repos already spoke the network mirror protocol, which needs
per-consumer .terraformrc config. This adds the provider registry protocol so
`terraform init` installs from a bare source address
(artifactapi.k8s.../{repo}/{type}) with no client setup.
- serve /.well-known/terraform.json service discovery and the providers.v1
versions/download endpoints under /terraform/v1/providers
- map the Terraform namespace to the artifactapi repo name and locate the
provider by type; download_url points back at the existing local file path
- generate SHA256SUMS per version and sign it with a GPG key loaded from
TF_SIGNING_KEY_PATH; advertise the public key + key id in the download
response. No key configured -> registry stays disabled (endpoints 404)
- new internal/tfsign (key loading + detached signing) and
internal/api/terraform (registry handler); export ParseProviderZip for reuse
- add TF_SIGNING_KEY_PATH/PASSPHRASE and TF_PROVIDER_PROTOCOLS config
- unit test signing + verification; dockerised test of the full flow incl.
signature verification against the advertised key
Also anchor the terraform/ gitignore to the repo root so it stops swallowing
internal/api/terraform and internal/provider/terraform test files (the latter
had gone silently untracked).
227 lines
6.8 KiB
Go
227 lines
6.8 KiB
Go
package server
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"net"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
|
|
tfregistry "git.unkin.net/unkin/artifactapi/internal/api/terraform"
|
|
v1 "git.unkin.net/unkin/artifactapi/internal/api/v1"
|
|
v2 "git.unkin.net/unkin/artifactapi/internal/api/v2"
|
|
"git.unkin.net/unkin/artifactapi/internal/cache"
|
|
"git.unkin.net/unkin/artifactapi/internal/config"
|
|
"git.unkin.net/unkin/artifactapi/internal/database"
|
|
"git.unkin.net/unkin/artifactapi/internal/gc"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/alpine"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/docker"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/generic"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/goproxy"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/helm"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/npm"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/puppet"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/pypi"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/rpm"
|
|
_ "git.unkin.net/unkin/artifactapi/internal/provider/terraform"
|
|
"git.unkin.net/unkin/artifactapi/internal/proxy"
|
|
"git.unkin.net/unkin/artifactapi/internal/storage"
|
|
"git.unkin.net/unkin/artifactapi/internal/tfsign"
|
|
"git.unkin.net/unkin/artifactapi/internal/virtual"
|
|
)
|
|
|
|
type Server struct {
|
|
cfg *config.Config
|
|
version string
|
|
router chi.Router
|
|
db *database.DB
|
|
cache *cache.Redis
|
|
store *storage.S3
|
|
engine *proxy.Engine
|
|
virtEngine *virtual.Engine
|
|
localHandler *v2.LocalHandler
|
|
tfRegistry *tfregistry.Handler
|
|
gc *gc.Collector
|
|
}
|
|
|
|
func New(cfg *config.Config, version string) (*Server, error) {
|
|
db, err := database.New(cfg.DatabaseDSN())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("database: %w", err)
|
|
}
|
|
|
|
redis, err := cache.NewRedis(cfg.RedisURL)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("redis: %w", err)
|
|
}
|
|
|
|
s3, err := storage.NewS3(cfg.S3Endpoint, cfg.S3AccessKey, cfg.S3SecretKey, cfg.S3Bucket, cfg.S3Secure, cfg.S3Region)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("s3: %w", err)
|
|
}
|
|
|
|
engine := proxy.NewEngine(db, redis, s3)
|
|
localHandler := v2.NewLocalHandler(db, s3)
|
|
virtEngine := virtual.NewEngine(db, engine)
|
|
collector := gc.New(db, s3, 1*time.Hour)
|
|
|
|
// A failure to load the signing key must not take the server down: the
|
|
// terraform registry simply stays disabled until a valid key is present.
|
|
signer, err := tfsign.Load(cfg.TFSigningKeyPath, cfg.TFSigningKeyPassphrase)
|
|
if err != nil {
|
|
slog.Warn("terraform provider registry disabled", "error", err)
|
|
}
|
|
tfRegistry := tfregistry.NewHandler(db, signer, cfg.TFProviderProtocols)
|
|
if tfRegistry.Enabled() {
|
|
slog.Info("terraform provider registry enabled", "key_id", signer.KeyID())
|
|
}
|
|
|
|
s := &Server{
|
|
cfg: cfg,
|
|
version: version,
|
|
db: db,
|
|
cache: redis,
|
|
store: s3,
|
|
engine: engine,
|
|
virtEngine: virtEngine,
|
|
localHandler: localHandler,
|
|
tfRegistry: tfRegistry,
|
|
gc: collector,
|
|
}
|
|
|
|
s.router = s.routes()
|
|
return s, nil
|
|
}
|
|
|
|
func (s *Server) routes() chi.Router {
|
|
r := chi.NewRouter()
|
|
|
|
r.Use(middleware.RequestID)
|
|
r.Use(middleware.RealIP)
|
|
r.Use(NewStructuredLogger())
|
|
r.Use(middleware.Recoverer)
|
|
|
|
r.Use(cors)
|
|
|
|
r.Get("/health", s.handleHealth)
|
|
r.Get("/", s.handleRoot)
|
|
r.Get("/version", s.handleVersion)
|
|
|
|
// Terraform provider registry: service discovery at the well-known path,
|
|
// providers.v1 protocol under /terraform/v1/providers.
|
|
r.Get("/.well-known/terraform.json", s.tfRegistry.ServiceDiscovery)
|
|
r.Mount(tfregistry.MountPath, s.tfRegistry.Routes())
|
|
|
|
proxyHandler := v1.NewProxyHandler(s.engine, s.virtEngine, s.db, s.store, s.localHandler)
|
|
r.Mount("/api/v1", proxyHandler.Routes())
|
|
r.Mount("/v2", proxyHandler.DockerV2Routes())
|
|
|
|
remotesHandler := v2.NewRemotesHandler(s.db)
|
|
virtualsHandler := v2.NewVirtualsHandler(s.db)
|
|
healthHandler := v2.NewHealthHandler(s.db, s.cache, s.store)
|
|
statsHandler := v2.NewStatsHandler(s.db)
|
|
eventsHandler := v2.NewEventsHandler()
|
|
probeHandler := v2.NewProbeHandler(s.engine, s.db)
|
|
|
|
r.Route("/api/v2", func(r chi.Router) {
|
|
r.Mount("/remotes", remotesHandler.Routes())
|
|
r.Mount("/virtuals", virtualsHandler.Routes())
|
|
r.Mount("/health", healthHandler.Routes())
|
|
r.Mount("/stats", statsHandler.Routes())
|
|
r.Mount("/events", eventsHandler.Routes())
|
|
r.Mount("/probe", probeHandler.Routes())
|
|
|
|
r.Route("/remotes/{name}/objects", func(r chi.Router) {
|
|
objHandler := v2.NewObjectsHandler(s.db)
|
|
r.Get("/", objHandler.Routes().ServeHTTP)
|
|
r.Delete("/*", objHandler.Routes().ServeHTTP)
|
|
})
|
|
|
|
r.Route("/locals/{name}/objects", func(r chi.Router) {
|
|
objHandler := v2.NewObjectsHandler(s.db)
|
|
r.Get("/", objHandler.LocalRoutes().ServeHTTP)
|
|
r.Delete("/*", objHandler.LocalRoutes().ServeHTTP)
|
|
})
|
|
|
|
r.Route("/remotes/{name}/files", func(r chi.Router) {
|
|
r.Put("/*", s.localHandler.Routes().ServeHTTP)
|
|
r.Get("/*", s.localHandler.Routes().ServeHTTP)
|
|
r.Delete("/*", s.localHandler.Routes().ServeHTTP)
|
|
})
|
|
})
|
|
|
|
return r
|
|
}
|
|
|
|
func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
fmt.Fprint(w, `{"status":"ok"}`)
|
|
}
|
|
|
|
// handleRoot sends browsers landing on the bare domain to the web UI, which is
|
|
// served under /ui. The service identity that used to live here is at /version.
|
|
func (s *Server) handleRoot(w http.ResponseWriter, r *http.Request) {
|
|
http.Redirect(w, r, "/ui/", http.StatusFound)
|
|
}
|
|
|
|
func (s *Server) handleVersion(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
fmt.Fprintf(w, `{"name":"artifactapi","version":"%s"}`, s.version)
|
|
}
|
|
|
|
func (s *Server) newHTTPServer() *http.Server {
|
|
return &http.Server{
|
|
Addr: s.cfg.ListenAddr,
|
|
Handler: s.router,
|
|
ReadTimeout: 30 * time.Second,
|
|
WriteTimeout: 300 * time.Second,
|
|
IdleTimeout: 120 * time.Second,
|
|
}
|
|
}
|
|
|
|
func (s *Server) Run(ctx context.Context) error {
|
|
go s.gc.Run(ctx)
|
|
|
|
httpServer := s.newHTTPServer()
|
|
|
|
go func() {
|
|
<-ctx.Done()
|
|
slog.Info("shutting down server")
|
|
shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
defer cancel()
|
|
_ = httpServer.Shutdown(shutdownCtx)
|
|
}()
|
|
|
|
slog.Info("starting server", "addr", s.cfg.ListenAddr)
|
|
if err := httpServer.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *Server) RunOnListener(ctx context.Context, ln net.Listener) error {
|
|
go s.gc.Run(ctx)
|
|
|
|
httpServer := s.newHTTPServer()
|
|
|
|
go func() {
|
|
<-ctx.Done()
|
|
shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
defer cancel()
|
|
_ = httpServer.Shutdown(shutdownCtx)
|
|
}()
|
|
|
|
slog.Info("starting server", "addr", ln.Addr().String())
|
|
if err := httpServer.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|