From 8f985e48b018dedf247ce4da3bf75e25027650ce Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Thu, 28 Jan 2021 21:37:19 -0600
Subject: [PATCH] feat(notary): enables notary support
This patch set initializes the notary key and places it into the harbor notary server which can be used to sign images. A follow on patch set will update the ansible to utilize this key.
Signed-off-by: Tin Lam
Change-Id: I7ef9239518dbb1e45bd4de965a43524e1c8fc93d
---
 tools/gate/deploy-k8s.sh | 3 +-
 tools/gate/jarvis/050-setup-development-ca.sh | 3 ++
 tools/gate/jarvis/400-deploy-harbor.sh | 44 ++++++++++++++++---
 3 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/tools/gate/deploy-k8s.sh b/tools/gate/deploy-k8s.sh
index fc140edd..9b1090c6 100755
--- a/tools/gate/deploy-k8s.sh
+++ b/tools/gate/deploy-k8s.sh
@@ -115,7 +115,8 @@ sudo -E apt-get install -y \
 ipvsadm \
 make \
 bc \
- git-review
+ git-review \
+ notary
 # Prepare tmpfs for etcd
 sudo mkdir -p /var/lib/minikube/etcd
diff --git a/tools/gate/jarvis/050-setup-development-ca.sh b/tools/gate/jarvis/050-setup-development-ca.sh
index 52b8a7a4..d5fb0928 100755
--- a/tools/gate/jarvis/050-setup-development-ca.sh
+++ b/tools/gate/jarvis/050-setup-development-ca.sh
@@ -80,3 +80,6 @@ check_cert_and_key ${jarvis_ca_root}/ca.pem ${jarvis_ca_root}/ca-key.pem
 sudo cp -v ${jarvis_ca_root}/ca.pem /usr/local/share/ca-certificates/insecure-jarvis-development-ephemeral-ca.crt
 sudo update-ca-certificates
+
+sudo mkdir -p $HOME/.docker/tls/harbor-core.jarvis.local
+sudo cp -v ${jarvis_ca_root}/ca.pem $HOME/.docker/tls/harbor-core.jarvis.local/ca.crt
diff --git a/tools/gate/jarvis/400-deploy-harbor.sh b/tools/gate/jarvis/400-deploy-harbor.sh
index a0723989..4d4932c8 100755
--- a/tools/gate/jarvis/400-deploy-harbor.sh
+++ b/tools/gate/jarvis/400-deploy-harbor.sh
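Review bot: The two lines added at the end of tools/gate/jarvis/050-setup-development-ca.sh create `$HOME/.docker/tls/harbor-core.jarvis.local` under `sudo`, so the directory, and `~/.docker` itself if it did not already exist, ends up root-owned inside the invoking user's home, where a later non-root docker or notary client could not write its config or trust data. The same pattern shows up in the 400-deploy-harbor.sh hunk with `sudo mkdir -p ~/.notary`. The expansions are also unquoted, so a home or CA path containing whitespace would split. If the CA file is readable by the calling user (not visible from this hunk), dropping sudo and quoting would do: `mkdir -p "${HOME}/.docker/tls/harbor-core.jarvis.local"` and `cp -v "${jarvis_ca_root}/ca.pem" "${HOME}/.docker/tls/harbor-core.jarvis.local/ca.crt"`. If the gate deliberately runs every docker command through `sudo -E`, a one-line comment saying so above the mkdir would make the root ownership clearly intentional.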
@@ -31,14 +31,48 @@ function validate() {
 chart_dir="$(mktemp -d)"
 helm pull jarvis-harbor/library/chartmuseum --destination "${chart_dir}"
 # Tests that we can upload an image
+ sudo -E docker pull quay.io/crio/busybox:latest
 sudo -E docker login harbor-core.jarvis.local --username admin --password Harbor12345
- sudo -E docker pull debian:buster-slim
- sudo -E docker tag debian:buster-slim harbor-core.jarvis.local/library/debian:buster-slim
- sudo -E docker push harbor-core.jarvis.local/library/debian:buster-slim
+ sudo -E docker tag quay.io/crio/busybox:latest harbor-core.jarvis.local/library/busybox:latest
+
+ # Perform a trust inspect on the image that was pulled down. This returns a $? of 1,
+ # as there is no trust signature attached.
+ set +e
+ sudo -E docker trust inspect --pretty harbor-core.jarvis.local/library/busybox:latest
+ set -e
+
+ sudo mkdir -p ~/.notary
+ sudo -E tee ~/.notary/config.json <