
docker-compose invalid for GCR images #1864

Open
RRcwhiting opened this issue Nov 30, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@RRcwhiting

Description

I am trying to deploy Rekor and Fulcio using the GCR images.

image: gcr.io/projectsigstore/rekor-server -- unknown flag --redis_server.password

etc. Setting things up with those two compose files is becoming... interesting. For the certificate-transparency MySQL setup, is the compose setup in rekor or the one in fulcio preferred?

@RRcwhiting RRcwhiting added the enhancement New feature or request label Nov 30, 2023
@haydentherapper
Contributor

Rekor and CT are two different implementations of transparency logs. CT is specifically for certificates, Rekor records signatures/signing events.

Are you using https://github.com/sigstore/rekor/blob/main/docker-compose.yml? Also check out https://github.com/sigstore/helm-charts.

@RRcwhiting
Author

I also combined it with https://github.com/sigstore/fulcio/blob/main/docker-compose.yml

I basically ended up with the following:

host 1: search, rekor, CT

#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

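version: '3.4'
services:
  # Static rekor-search-ui site; only reachable through caddy on the compose
  # network (no host port is pinned, so Docker assigns an ephemeral one).
  search:
    build:
      context: search
    ports:
      - "80"
  # Reverse proxy / TLS terminator. It reaches the backends over the compose
  # network via `links`, so none of the backend host port mappings below are
  # needed for caddy to work.
  caddy:
    image: caddy:2.7.5
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config
    links:
      - rekor-server
      - trillian-log-server
      - ct_server
      - search
  mariadb:
    image: mariadb:11.2.2-jammy
    # Placeholder credentials for a local test stack. They also appear in the
    # trillian --mysql_uri flags below; for any deployment reachable from a
    # network, supply them through env_file / compose secrets instead.
    environment:
      - MARIADB_ROOT_PASSWORD=zaphod
      - MARIADB_DATABASE=test
      - MARIADB_USER=test
      - MARIADB_PASSWORD=zaphod
    ports:
      # Quoted so the host:port:port string is never re-typed by the YAML
      # parser; bound to loopback so the DB is not exposed on the host NICs.
      - "127.0.0.1:3306:3306"
    volumes:
      - ./mariadb:/var/lib/mysql:Z
  #mysql:
  #  platform: linux/amd64
  #  image: gcr.io/trillian-opensource-ci/db_server:v1.4.0
  #  environment:
  #    - MYSQL_ROOT_PASSWORD=zaphod
  #    - MYSQL_DATABASE=test
  #    - MYSQL_USER=test
  #    - MYSQL_PASSWORD=zaphod
  #  restart: always # keep the MySQL server running
  #  healthcheck:
  #    test: ["CMD", "/etc/init.d/mysql", "status"]
  #    interval: 30s
  #    timeout: 3s
  #    retries: 3
  #    start_period: 10s
  redis-server:
    image: docker.io/redis:6.2
    # Only rekor-server talks to redis; the password is a test placeholder.
    command: [
      "--bind",
      "0.0.0.0",
      "--appendonly",
      "yes",
      "--requirepass",
      "test"
    ]
    ports:
      # Loopback-only, matching mariadb: a redis protected by the password
      # "test" must not be published on every host interface. Drop the
      # 127.0.0.1 prefix only if something off-host genuinely needs it.
      - "127.0.0.1:6379:6379"
    restart: always # keep the redis server running
    healthcheck:
      test: ["CMD", "redis-cli", "-a", "test", "ping"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 5s
  ctfe_init:
    build:
      context: .
      dockerfile: Dockerfile.ctfe_init
    depends_on:
      - trillian-log-server
    volumes:
      - ./ctfeConfig:/etc/config/:rw
  ct_server:
    image: gcr.io/trillian-opensource-ci/ctfe
    volumes:
      - ./ctfeConfig:/etc/config/:ro
    command: [
      "--log_config", "/etc/config/ct_server.cfg",
      "--log_rpc_server", "trillian-log-server:8090", #8096
      "--http_endpoint", "0.0.0.0:6961",
      "--alsologtostderr",
      "-v", "2"
    ]
    restart: always # retry while ctfe_init is running
    depends_on:
      - trillian-log-server
      - trillian-log-signer
      # - ctfe_init
    ports:
      - "6961:6961"
  trillian-log-server:
    image: gcr.io/projectsigstore/trillian_log_server@sha256:f850a0defd089ea844822030c67ae05bc93c91168a7dd4aceb0b6648c39f696b
    # --mysql_uri embeds the DB password; it is visible in `docker inspect`
    # and the process list, which is acceptable only for this test stack.
    command: [
      "--quota_system=noop",
      "--storage_system=mysql",
      "--mysql_uri=test:zaphod@tcp(mariadb:3306)/test",
      "--rpc_endpoint=0.0.0.0:8090",
      "--http_endpoint=0.0.0.0:8091",
      "--alsologtostderr",
    ]
    restart: always # retry while mysql is starting up
    ports:
      # The trillian gRPC/HTTP endpoints carry no authentication; rekor and
      # ctfe reach them on the compose network, so publish to loopback only.
      - "127.0.0.1:8090:8090"
      - "127.0.0.1:8091:8091"
    depends_on:
      #- mysql
      - mariadb
  trillian-log-signer:
    image: gcr.io/projectsigstore/trillian_log_signer@sha256:fe90d523f6617974f70878918e4b31d49b2b46a86024bb2d6b01d2bbfed8edbf
    command: [
      "--quota_system=noop",
      "--storage_system=mysql",
      "--mysql_uri=test:zaphod@tcp(mariadb:3306)/test",
      "--rpc_endpoint=0.0.0.0:8090",
      "--http_endpoint=0.0.0.0:8091",
      "--force_master",
      "--alsologtostderr",
    ]
    restart: always # retry while mysql is starting up
    ports:
      - "127.0.0.1:8092:8091"
    depends_on:
      - mariadb
  rekor-server:
    image: gcr.io/projectsigstore/rekor-server:v1.3.3
    #image: gcr.io/projectsigstore/rekor/ci/rekor/rekor-server:latest
    environment:
      - TMPDIR=/var/run/attestations # workaround for https://github.com/google/go-cloud/issues/3294
    # --rekor_server.signer=memory generates a fresh signing key on every
    # start, so log signatures do not survive a restart; test-only setting.
    command: [
      "serve",
      "--trillian_log_server.address=trillian-log-server",
      "--trillian_log_server.port=8090",
      "--redis_server.address=redis-server",
      "--redis_server.password=test",
      "--redis_server.port=6379",
      "--rekor_server.address=0.0.0.0",
      "--rekor_server.signer=memory",
      "--enable_attestation_storage",
      "--attestation_storage_bucket=file:///var/run/attestations",
      "--enable_stable_checkpoint",
      "--search_index.storage_provider=redis",
      # "--log_type=prod",
      ]
    volumes:
      # Host bind mount for attestation blobs; same sequence indent as the
      # rest of the file so the list is not mis-read when edited.
      - "/var/run/attestations:/var/run/attestations:z"
    restart: always # keep the server running
    ports:
      - "3000:3000"
      - "2112:2112"
    depends_on:
      - mariadb
      - redis-server
      - trillian-log-server
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/ping"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 5s
volumes:
  caddy_data:
  caddy_config: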

host 2: fulcio, dex, (eventually TUF)

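version: '3.2'
services:
  # Reverse proxy / TLS terminator for fulcio and dex; backends are reached
  # over the compose network through `links`.
  caddy:
    image: caddy:2.7.4
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config
    links:
      - fulcio-server
      - dex-idp
  fulcio-server:
    image: gcr.io/projectsigstore/fulcio:v1.4.3
    # --ca=ephemeralca keys the CA in memory, so issued certificates chain to
    # a root that changes on every restart; test-only setting.
    command: [
      "serve",
      "--host=0.0.0.0",
      "--port=5555",
      "--grpc-port=5554",
      "--ca=ephemeralca",
      # Quoted like the other entries (the original left this one a plain
      # scalar with no trailing comma). ctl.example.com is a placeholder for
      # the CT log served by caddy on host 1.
      "--ct-log-url=https://ctl.example.com/test",
      # "--log_type=prod",
      ]
    restart: always # keep the server running
    ports:
      - "5555:5555"
      - "5554:5554"
      - "2112:2112"
    volumes:
      # NOTE(review): the host-side file is named config.jsn (not .json);
      # confirm that is the intended filename, a missing bind source makes
      # Docker create an empty directory at the mount point instead.
      - ./config/config.jsn:/etc/fulcio-config/config.json #:z
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:5555/ping"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 5s
    depends_on:
      - dex-idp
    # Root filesystem is immutable at runtime; keep this on.
    read_only: true
  dex-idp:
    image: dexidp/dex:v2.30.0
    # NOTE(review): forcing root overrides the image's non-root default and
    # widens the blast radius of the IdP container. If this exists only so
    # dex can read ./config/dex, fix ownership/permissions on that directory
    # and drop the override.
    user: root
    command: [
      "dex",
      "serve",
      "/etc/config/dex-config.yaml",
      ]
    restart: always # keep the server running
    ports:
      - "8888:8888"
    volumes:
      - ./config/dex:/etc/config/:ro
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8888/auth/healthz"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 5s
volumes:
  caddy_data:
  caddy_config: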

search Dockerfile:

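# Builder stage: clones and builds rekor-search-ui into a static export.
# NOTE(review): both :latest tags make the build non-reproducible; pin them
# to a specific version (ideally a digest) before relying on this image.
FROM node:latest AS builder
# `apt install git` alone is fragile in a build: without an index refresh it
# can fail to resolve the package, and without -y it stops at the prompt.
# Clearing the lists afterwards keeps the layer small.
RUN apt-get update \
    && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*
# NOTE(review): this clones the default branch at whatever commit is current;
# pin a tag or commit for a reproducible, reviewable build.
RUN git clone https://github.com/sigstore/rekor-search-ui /search # yours would probably just COPY .
WORKDIR /search
# `npm ci` is preferable when the checkout carries a lockfile. (review)
RUN npm install
# Build args are recorded in the image history, so keep them to non-secret
# values such as hostnames.
ARG SEARCH_DOMAIN
ARG REKOR_DOMAIN
RUN echo "$SEARCH_DOMAIN" > CNAME
RUN echo "NEXT_PUBLIC_REKOR_DEFAULT_DOMAIN=https://$REKOR_DOMAIN" > .env.local
COPY next.config.js /search/next.config.js
RUN npm run build
# Fails the build early if the static export directory was not produced.
RUN ls /search/out
#RUN ls /search/.next/static
#RUN npx --no-install next export
# Runtime stage: only the exported static files are copied into nginx.
FROM nginx:latest
COPY --from=builder /search/out /usr/share/nginx/html
RUN ls /usr/share/nginx/html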
