Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement client-side APK discovery in apko #1216

Merged
merged 2 commits into from
Jul 24, 2024
Merged

Implement client-side APK discovery in apko #1216

merged 2 commits into from
Jul 24, 2024

Conversation

mattmoor
Copy link
Member

The protocol follows a roughly similar handshake to OIDC discovery, hitting {repository}/apk-configuration, extracting the jwks_uri and then recording each pem-encoded key as /etc/apk/keys/{kid}.rsa.pub.

I have tested this locally with both public and private APK repositories against apk.mattmoor.dev with the changes in: https://github.com/chainguard-dev/mono/pull/18431

Once this lands, I can use this in e2e tests there, but those are somewhat 🐔 & 🥚

@mattmoor
Implement client-side APK discovery in apko
e267097 
The protocol follows a roughly similar handshake to OIDC discovery, hitting `{repository}/apk-configuration`, extracting the `jwks_uri` and then recording each pem-encoded key as `/etc/apk/keys/{kid}.rsa.pub`.

Signed-off-by: Matt Moore <[email protected]>
@mattmoor mattmoor marked this pull request as draft July 23, 2024 21:56
@mattmoor mattmoor marked this pull request as ready for review July 23, 2024 22:17
imjasonh
imjasonh reviewed Jul 23, 2024
View reviewed changes
Copy link
Member

@imjasonh imjasonh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks easier than I thought? Can we get some simple tests? 🙏

pkg/apk/apk/implementation.go Outdated Show resolved Hide resolved
pkg/apk/apk/implementation.go Show resolved Hide resolved
@mattmoor
Copy link
Member Author

@imjasonh I made it do a real key discovery to confirm things work against staging. We can swap this to a prod group once we push.

@mattmoor mattmoor requested a review from imjasonh July 23, 2024 23:01
@imjasonh imjasonh merged commit 82d9f55 into chainguard-dev:main Jul 24, 2024
19 checks passed
@mattmoor mattmoor deleted the apk-key-discovery branch July 24, 2024 03:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

@jonjohnsonjr jonjohnsonjr Awaiting requested review from jonjohnsonjr

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mattmoor @imjasonh