Use an nginx proxy server in the metadata server

.github/workflows/ci.yaml

@@ -15,7 +15,7 @@ jobs:
       uses: actions/checkout@v2
 
     - name: Setup Go environment
-      uses: actions/setup-go@v2.1.2
+      uses: actions/setup-go@v2
       with:
         go-version: 1.13
 

.github/workflows/pushimage-next.yaml

@@ -28,4 +28,4 @@ jobs:
     - name: Build the registry metadata image
       run: cd oci-devfile-registry-metadata && ./build.sh
     - name: Push the registry metadata image
-      run: cd oci-devfile-registry-metadata  && ./push.sh quay.io/devfile/metadata-server:next
+      run: cd oci-devfile-registry-metadata  && ./push.sh quay.io/devfile/devfile-index-base:next

deploy/kubernetes/registry.yaml

@@ -32,13 +32,13 @@ spec:
             cpu: "250m"
         livenessProbe:
           httpGet:
-            path: /devfiles/index.json
+            path: /
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 3
         readinessProbe:
           httpGet:
-            path: /devfiles/index.json
+            path: /
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 3

oci-devfile-registry-metadata/Dockerfile

@@ -1,44 +1,36 @@
-# Build the registry index generator
-FROM golang:alpine3.11 AS build
-WORKDIR /tools
-COPY generator .
-RUN ./build.sh
-
-FROM docker.io/httpd:2.4.43-alpine AS registry
+FROM nginx:stable-alpine
 
 # Install and configure dependencies
-RUN apk add --no-cache bash git curl && \
-    # Allow htaccess
-    sed -i 's|    AllowOverride None|    AllowOverride All|' /usr/local/apache2/conf/httpd.conf && \
-    sed -i 's|Listen 80|Listen 8080|' /usr/local/apache2/conf/httpd.conf && \
-    mkdir -m 777 /usr/local/apache2/htdocs/devfiles && \
-    mkdir -p /var/www && ln -s /usr/local/apache2/htdocs /var/www/html && \
-    chmod -R g+rwX /usr/local/apache2 && \
-    echo "ServerName localhost" >> /usr/local/apache2/conf/httpd.conf && \
-    apk add --no-cache coreutils
-
-# Install ORAS
+RUN apk add --no-cache bash git curl coreutils
 RUN wget https://github.com/deislabs/oras/releases/download/v0.8.1/oras_0.8.1_linux_amd64.tar.gz && \
   mkdir -p oras-install/ && \
   tar -zxf oras_0.8.1_*.tar.gz -C oras-install/ && \
   mv oras-install/oras /usr/local/bin/ && \
   rm -rf oras_0.8.1_*.tar.gz oras-install/
-
-
-COPY .htaccess /usr/local/apache2/htdocs/
-RUN chgrp -R 0 /usr/local/apache2/htdocs && \
-      chmod -R g=u /usr/local/apache2/htdocs
 
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY entrypoint.sh /
+
+# Create a non-root user to run the nginx server as
+RUN set -x ; \
+  adduser -u 82 -D -S -G root www-data && exit 0 ; exit 1
+
+RUN touch /var/run/nginx.pid
+RUN mkdir -p /www/data
+
+# Modify the permissions on the necessary files to allow the container to properly run as a non-root UID
+RUN chown -R www-data:root /var/run/nginx.pid && \
+  chown -R www-data:root /var/cache/nginx && \
+  chown www-data:root /etc/nginx/conf.d /etc/nginx/nginx.conf
+RUN chmod g+rwx /var/run/nginx.pid && \
+  chmod -R g+rwx /var/cache/nginx && chmod -R g+rwx /etc/nginx && chmod -R g+rwx /www/data
 
-COPY entrypoint.sh /scripts/entrypoint.sh
+USER www-data
 
-# Git clone the devfiles
-# ToDo: Switch to github.com/devfile/catalog/
-RUN git clone https://github.com/devfile/registry /registry
-COPY --from=build /tools/index-generator /registry/index-generator
-RUN chgrp -R 0 /registry && \
-    chmod -R g=u /registry
+# Set env vars for the locations of the devfile stacks and index.json
+ENV DEVFILE_STACKS /stacks
+ENV DEVFILE_INDEX /index.json
 
-# Load the devfiles into the registry
-ENTRYPOINT ["/scripts/entrypoint.sh"]
-CMD ["httpd-foreground"]
+EXPOSE 8080
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]

oci-devfile-registry-metadata/build.sh

@@ -3,4 +3,4 @@
 # Build the metadata container for the registry
 buildfolder="$(basename "$(dirname "$0")")"
 cp -rf $buildfolder/../index/generator $buildfolder
-docker build -t devfile-registry-metadata:latest $buildfolder
+docker build -t devfile-index-base:latest $buildfolder

oci-devfile-registry-metadata/entrypoint.sh

@@ -1,22 +1,25 @@
 #!/bin/sh
 
 ## Simple proof of concept bootstrap script to load devfiles into an oci registry
-DEVFILES=/registry/stacks
 
-# Generate the index.json from the devfiles
-cd /registry
-./index-generator $DEVFILES /usr/local/apache2/htdocs/devfiles/index.json
-
-# Push the devfiles to the registry
-cd $DEVFILES
+if [ ! -d "$DEVFILE_STACKS" ]; then
+    echo "The container does not contain any devfile stacks in $DEVFILE_STACKS. Exiting..."
+    exit 1
+fi
+if [ ! -e "$DEVFILE_INDEX" ]; then
+    echo "The container does not contain an index.json at $DEVFILE_INDEX. Exiting..."
+    exit 1
+fi
 
 # Wait for the registry to start
 until $(curl --output /dev/null --silent --head --fail http://localhost:5000); do
     printf 'Waiting for the registry at localhost:5000 to start\n'
     sleep 0.5
 done
 
-for devfileDir in "$DEVFILES"/*
+# Push the devfiles to the registry
+cd $DEVFILE_STACKS
+for devfileDir in "$DEVFILE_STACKS"/*
 do
   devfile="$devfileDir/devfile.yaml"
   stackName=`basename $devfileDir`
@@ -31,9 +34,11 @@ do
   echo "Pushing $stackName to $REGISTRY_HOST"
   cd $stackName
   oras push localhost:5000/devfile-catalog/$stackName:latest --manifest-config /dev/null:application/vnd.devfileio.devfile.config.v2+json ./devfile.yaml:application/vnd.devfileio.devfile.layer.v1 --plain-http
-  cd $DEVFILES
+  cd $DEVFILE_STACKS
 done
 
-# Launch the server hosting the index.json
-echo $REGISTRY_HOST
-exec "${@}"
+# Copy the index.json over to /www/data
+cp $DEVFILE_INDEX /www/data/
+
+# Start the nginx server
+exec "$@"

oci-devfile-registry-metadata/nginx.conf

@@ -0,0 +1,62 @@
+events {
+    worker_connections  1024;
+}
+
+http {
+
+  upstream docker-registry {
+    server localhost:5000;
+  }
+
+  ## Set a variable to help us decide if we need to add the
+  ## 'Docker-Distribution-Api-Version' header.
+  ## The registry always sets this header.
+  ## In the case of nginx performing auth, the header is unset
+  ## since nginx is auth-ing before proxying.
+  map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+  }
+
+  server {
+    listen 8080;
+
+    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_protocols TLSv1.1 TLSv1.2;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+
+    location / {
+        # Temporary until the new metadata server has been delivered
+        # ToDo: Update to point to the new server when ready
+        default_type application/json;
+        root /www/data;
+        index index.json;
+    }
+
+    location /v2 {      
+      # Only allow HEAD (implicit) and GET requests on the V2 api
+      limit_except GET {
+        # block does not inherit the access limitations from above
+        deny all;
+      }
+
+      ## If $docker_distribution_api_version is empty, the header is not added.
+      ## See the map directive above where this variable is defined.
+      add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+      proxy_pass                          http://docker-registry;
+      proxy_set_header  Host              $http_host;   # required for docker client's sake
+      proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+      proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Proto $scheme;
+      proxy_read_timeout                  900;
+    }
+  }
+}

oci-devfile-registry-metadata/push.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 IMAGE_TAG=$1
-docker tag devfile-registry-metadata:latest $IMAGE_TAG
+docker tag devfile-index-base:latest $IMAGE_TAG
 docker push $1