-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add a webhook to validate trust policies (#285)
This is based on Billy's PR, but I've rebased it on #284 and expanded it a bunch based on some experimentation in my dev environment. Draft until we land the base PR. Fixes: #247 Fixes: #46 Co-authored-by: wlynch <billy@chainguard.dev>
- Loading branch information
Showing
12 changed files
with
557 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
// Copyright 2024 Chainguard, Inc. | ||
// SPDX-License-Identifier: Apache-2.0 | ||
|
||
package main | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"log" | ||
"log/slog" | ||
"net/http" | ||
"os" | ||
"os/signal" | ||
"strings" | ||
"time" | ||
|
||
kms "cloud.google.com/go/kms/apiv1" | ||
secretmanager "cloud.google.com/go/secretmanager/apiv1" | ||
"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" | ||
"github.com/bradleyfalzon/ghinstallation/v2" | ||
"github.com/chainguard-dev/clog" | ||
metrics "github.com/chainguard-dev/terraform-infra-common/pkg/httpmetrics" | ||
"github.com/kelseyhightower/envconfig" | ||
"github.com/octo-sts/app/pkg/gcpkms" | ||
"github.com/octo-sts/app/pkg/webhook" | ||
) | ||
|
||
type envConfig struct { | ||
Port int `envconfig:"PORT" required:"true" default:"8080"` | ||
KMSKey string `envconfig:"KMS_KEY" required:"true"` | ||
AppID int64 `envconfig:"GITHUB_APP_ID" required:"true"` | ||
WebhookSecret string `envconfig:"GITHUB_WEBHOOK_SECRET" required:"true"` | ||
} | ||
|
||
func main() { | ||
ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt) | ||
defer cancel() | ||
ctx = clog.WithLogger(ctx, clog.New(slog.Default().Handler())) | ||
|
||
go metrics.ServeMetrics() | ||
|
||
// Setup tracing. | ||
defer metrics.SetupTracer(ctx)() | ||
|
||
var env envConfig | ||
if err := envconfig.Process("", &env); err != nil { | ||
log.Panicf("failed to process env var: %s", err) | ||
} | ||
|
||
kms, err := kms.NewKeyManagementClient(ctx) | ||
if err != nil { | ||
log.Panicf("could not create kms client: %v", err) | ||
} | ||
signer, err := gcpkms.New(ctx, kms, env.KMSKey) | ||
if err != nil { | ||
log.Panicf("error creating signer: %v", err) | ||
} | ||
atr, err := ghinstallation.NewAppsTransportWithOptions(http.DefaultTransport, env.AppID, ghinstallation.WithSigner(signer)) | ||
if err != nil { | ||
log.Panicf("error creating GitHub App transport: %v", err) | ||
} | ||
|
||
webhookSecrets := [][]byte{} | ||
secretmanager, err := secretmanager.NewClient(ctx) | ||
if err != nil { | ||
log.Panicf("could not create secret manager client: %v", err) | ||
} | ||
for _, name := range strings.Split(env.WebhookSecret, ",") { | ||
resp, err := secretmanager.AccessSecretVersion(ctx, &secretmanagerpb.AccessSecretVersionRequest{ | ||
Name: name, | ||
}) | ||
if err != nil { | ||
log.Panicf("error fetching webhook secret %s: %v", name, err) | ||
} | ||
webhookSecrets = append(webhookSecrets, resp.GetPayload().GetData()) | ||
} | ||
|
||
mux := http.NewServeMux() | ||
mux.Handle("/", &webhook.Validator{ | ||
Transport: atr, | ||
WebhookSecret: webhookSecrets, | ||
}) | ||
srv := &http.Server{ | ||
Addr: fmt.Sprintf(":%d", env.Port), | ||
ReadHeaderTimeout: 10 * time.Second, | ||
Handler: mux, | ||
} | ||
log.Panic(srv.ListenAndServe()) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
output "app" { | ||
depends_on = [module.this] | ||
value = { | ||
name = var.name | ||
} | ||
} | ||
|
||
output "webhook" { | ||
depends_on = [module.webhook] | ||
value = { | ||
name = "${var.name}-webhook" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
// Generate a random webhook secret | ||
resource "random_password" "webhook-secret" { | ||
length = 64 | ||
special = true | ||
override_special = "!#$%&*()-_=+[]{}<>:?" | ||
} | ||
|
||
module "webhook-secret" { | ||
source = "chainguard-dev/common/infra//modules/configmap" | ||
version = "0.6.18" | ||
|
||
project_id = var.project_id | ||
name = "${var.name}-webhook-secret" | ||
data = random_password.webhook-secret.result | ||
|
||
service-account = google_service_account.octo-sts.email | ||
|
||
notification-channels = var.notification_channels | ||
} | ||
|
||
module "webhook" { | ||
source = "chainguard-dev/common/infra//modules/regional-service" | ||
version = "0.6.18" | ||
|
||
project_id = var.project_id | ||
name = "${var.name}-webhook" | ||
regions = var.regions | ||
|
||
// Only accept traffic coming from GCLB. | ||
ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" | ||
// This needs to egress in order to talk to Github | ||
egress = "PRIVATE_RANGES_ONLY" | ||
|
||
service_account = google_service_account.octo-sts.email | ||
containers = { | ||
"webhook" = { | ||
image = var.images.webhook | ||
ports = [{ container_port = 8080 }] | ||
env = [ | ||
{ | ||
name = "GITHUB_APP_ID" | ||
value = var.github_app_id | ||
}, | ||
{ | ||
name = "GITHUB_WEBHOOK_SECRET" | ||
value = module.webhook-secret.secret_version_id | ||
}, | ||
{ | ||
name = "KMS_KEY" | ||
value = local.kms_key | ||
} | ||
] | ||
} | ||
} | ||
|
||
notification_channels = var.notification_channels | ||
} |
Oops, something went wrong.