chore: prepare demo

.vscode/launch.json

@@ -10,8 +10,8 @@
             "request": "launch",
             "mode": "auto",
             "program": "cmd/nacp/nacp.go",
-            "args": ["-config=otel.conf.hcl"],
-            "cwd": "${workspaceFolder}/example/otel",
+            "args": ["-config=nacp.conf.hcl"],
+            "cwd": "${workspaceFolder}/misc/hashitalk_secure2024",
         }
     ]
 }

example/notation/delete_test_certs.sh

@@ -1,7 +1,11 @@
 #!/bin/sh
 # https://notaryproject.dev/docs/user-guides/installation/uninstall/#remove-the-test-key-and-self-signed-certificate
 echo "Deleting test certs on macOS"
+# default name or take first argument
 NAME="wabbit-networks.io"
+if [ -n "$1" ]; then
+  NAME=$1
+fi
 
 
 notation key delete $NAME

misc/hashitalk_secure2024/Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine:3.19
+
+ENTRYPOINT [ "sh", "-c", \
+    "echo 'Hello HashiTalk Secure Friends!' && sleep 3600" \
+]
+
+# localhost:5000/my-app:v1

misc/hashitalk_secure2024/delete_test_certs.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+# https://notaryproject.dev/docs/user-guides/installation/uninstall/#remove-the-test-key-and-self-signed-certificate
+echo "Deleting test certs on macOS"
+# default name or take first argument
+NAME="nacp-demo"
+if [ -n "$1" ]; then
+  NAME=$1
+fi
+
+
+notation key delete $NAME
+notation cert delete -y --type ca --store ${NAME} ${NAME}.crt
+
+#echo "rm \"${NOTATION_DIR}/localkeys/${NAME}.key\""
+
+
+rm "${HOME}/Library/Application Support/notation/localkeys/${NAME}.key"
+rm "${HOME}/Library/Application Support/notation/localkeys/${NAME}.crt"

misc/hashitalk_secure2024/demo.nomad

@@ -0,0 +1,11 @@
+job "demo" {
+  datacenters = ["dc1"]
+  group "demo" {
+    task "demo" {
+      driver = "docker"
+      config {
+        image = "localhost:5000/my-app:v1"
+      }
+    }
+  }
+}

misc/hashitalk_secure2024/nacp.conf.hcl

@@ -0,0 +1,29 @@
+validator "opa" "enforce_digest" {
+
+  opa_rule {
+    query    = <<EOH
+
+        errors = data.digest.errors
+        EOH
+
+    filename = "digest/digest.rego"
+  }
+}
+/*
+validator "opa" "verify_image" {
+
+  opa_rule {
+    query    = <<EOH
+
+        errors = data.image_verification.errors
+        EOH
+
+    filename = "notation/notation.rego"
+  }
+  notation {
+    repo_plain_http   = true
+    trust_store_dir   = "/Users/max/Library/Application Support/notation"
+    trust_policy_file = "/Users/max/Library/Application Support/notation/trustpolicy.json"
+  }
+}
+*/

misc/hashitalk_secure2024/notation/notation.rego

@@ -0,0 +1,14 @@
+package image_verification
+
+import rego.v1
+
+errors contains msg if {
+	some g, t
+	input.TaskGroups[g].Tasks[t].Driver == "docker"
+	image := input.TaskGroups[g].Tasks[t].Config.image
+
+	# check if image is verified
+	not notation_verify_image(image)
+
+	msg := sprintf("TaskGroup %d Task %d image cannot be verified (image %s)", [g, t, image])
+}

misc/hashitalk_secure2024/purge.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+nomad stop -purge registry
+
+docker rmi -f localhost:5000/my-app:v1
+
+./delete_test_data.sh

misc/hashitalk_secure2024/registry.nomad

@@ -0,0 +1,27 @@
+job "registry" {
+
+  type = "service"
+
+  group "registry" {
+
+    network {
+      port "registry" {
+        static = 5000
+        to     = 5000
+      }
+    }
+
+    task "registry" {
+
+      driver = "docker"
+
+      config {
+        image = "registry:2"
+        ports = ["registry"]
+      }
+      env {
+        REGISTRY_STORAGE_DELETE_ENABLED = "true"
+      }
+    }
+  }
+}