Add flags to control service startup

aaronlew02 · aaronlew02 · commit e7fd0c021a5b · 2025-12-02T11:08:35.000-05:00
Signed-off-by: Aaron Lew &lt;64337293+aaronlew02@users.noreply.github.com&gt;
diff --git a/actions/setup-sigstore-env/build-trusted-root.sh b/actions/setup-sigstore-env/build-trusted-root.sh
@@ -33,6 +33,21 @@ docker build ./ -f "$SCRIPT_DIR"/Dockerfile.cosign -t cosign
 COSIGN_CMD="docker run --user=$(id -u):$(id -g) --rm -v $WORKDIR/:$WORKDIR/ cosign"
 CMD="$COSIGN_CMD trusted-root create"
 
+FULCIO_SIGNING_CONFIGS=""
+
+add_fulcio_to_signing_config () {
+  if [ -n "$FULCIO_SIGNING_CONFIGS" ]; then
+    FULCIO_SIGNING_CONFIGS="$FULCIO_SIGNING_CONFIGS,
+    "
+  fi
+  FULCIO_SIGNING_CONFIGS="$FULCIO_SIGNING_CONFIGS{
+      \"url\": \"$1\",
+      \"majorApiVersion\": 1,
+      \"validFor\": { \"start\": \"2025-05-25T00:00:00Z\" },
+      \"operator\": \"scaffolding-setup-sigstore-env\"
+    }"
+}
+
 REKOR_SIGNING_CONFIGS=""
 
 add_rekor_to_signing_config () {
@@ -71,6 +86,8 @@ while [[ "$#" -gt 0 ]]; do
             shift
             shift
 
+            add_fulcio_to_signing_config "$FULCIO_URL"
+
             # copy to our WORKDIR to be mounted in our cosign container.
             cp "$KEYFILE" "$WORKDIR"/
             KEYFILE=$WORKDIR/$(basename "$KEYFILE")
@@ -140,12 +157,7 @@ cat << EOF > signing_config.json
 {
   "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
   "caUrls": [
-    {
-      "url": "$FULCIO_URL",
-      "majorApiVersion": 1,
-      "validFor": { "start": "2025-05-25T00:00:00Z" },
-      "operator": "scaffolding-setup-sigstore-env"
-    }
+    $FULCIO_SIGNING_CONFIGS
   ],
   "oidcUrls": [
     {
diff --git a/actions/setup-sigstore-env/run-containers.sh b/actions/setup-sigstore-env/run-containers.sh
@@ -16,6 +16,22 @@
 
 # <cmd> || return is so the script can exit early without quitting your shell.
 
+START_FULCIO=true
+START_REKOR=true
+START_TSA=true
+START_REKOR_TILES=true
+
+while [[ "$#" -gt 0 ]]; do
+  case $1 in
+    --no-fulcio) START_FULCIO=false; ;;
+    --no-rekor) START_REKOR=false; ;;
+    --no-tsa) START_TSA=false; ;;
+    --no-rekor-tiles) START_REKOR_TILES=false; ;;
+    *) echo "Unknown parameter passed: $1"; exit 1 ;;
+  esac
+  shift
+done
+
 CLONE_DIR="${CLONE_DIR:-$(mktemp -d)}"
 CWD="$(pwd)"
 
@@ -43,16 +59,19 @@ popd || return
 
 echo "downloading service repos"
 pushd "$CLONE_DIR" || return
-FULCIO_REPO="${FULCIO_REPO:-sigstore/fulcio}"
-REKOR_REPO="${REKOR_REPO:-sigstore/rekor}"
-TIMESTAMP_AUTHORITY_REPO="${TIMESTAMP_AUTHORITY_REPO:-sigstore/timestamp-authority}"
-REKOR_TILES_REPO="${REKOR_TILES_REPO:-sigstore/rekor-tiles}"
-OWNER_REPOS=(
-  "$FULCIO_REPO"
-  "$REKOR_REPO"
-  "$TIMESTAMP_AUTHORITY_REPO"
-  "$REKOR_TILES_REPO"
-)
+OWNER_REPOS=()
+if [ "$START_FULCIO" = true ]; then
+    OWNER_REPOS+=("${FULCIO_REPO:-sigstore/fulcio}")
+fi
+if [ "$START_REKOR" = true ]; then
+    OWNER_REPOS+=("${REKOR_REPO:-sigstore/rekor}")
+fi
+if [ "$START_TSA" = true ]; then
+    OWNER_REPOS+=("${TIMESTAMP_AUTHORITY_REPO:-sigstore/timestamp-authority}")
+fi
+if [ "$START_REKOR_TILES" = true ]; then
+    OWNER_REPOS+=("${REKOR_TILES_REPO:-sigstore/rekor-tiles}")
+fi
 procs=${#OWNER_REPOS[@]}
 for owner_repo in "${OWNER_REPOS[@]}"; do
     repo=$(basename "$owner_repo")
@@ -72,7 +91,9 @@ for owner_repo in "${OWNER_REPOS[@]}"; do
 done | xargs -P "$procs" -L1 bash -c
 # The fakeoidc service is in a separate Docker network. Connect the fakeoidc container to the Fulcio
 # network to enable Fulcio to reach it for token verification.
-docker network inspect fulcio_default | grep fakeoidc || docker network connect --alias fakeoidc fulcio_default fakeoidc || return
+if [ "$START_FULCIO" = true ]; then
+    docker network inspect fulcio_default | grep fakeoidc || docker network connect --alias fakeoidc fulcio_default fakeoidc || return
+fi
 export TSA_URL="http://localhost:3004"
 popd || return
 
@@ -98,13 +119,20 @@ stop_services() {
 
 echo "building trusted root"
 pushd "$CLONE_DIR" || return
-"$CWD"/build-trusted-root.sh \
-  --fulcio http://localhost:5555 "$CLONE_DIR/fulcio/config/ctfe/pubkey.pem" \
-  --timestamp-url http://localhost:3004 \
-  --oidc-url http://localhost:8080 \
-  --rekor-v1-url http://localhost:3000 \
-  --rekor-v2 http://localhost:3003 "$CLONE_DIR/rekor-tiles/tests/testdata/pki/ed25519-pub-key.pem" "rekor-local" \
-  || return
+BUILD_CMD=("$CWD/build-trusted-root.sh" --oidc-url http://localhost:8080)
+if [ "$START_FULCIO" = true ]; then
+    BUILD_CMD+=(--fulcio http://localhost:5555 "$CLONE_DIR/fulcio/config/ctfe/pubkey.pem")
+fi
+if [ "$START_TSA" = true ]; then
+    BUILD_CMD+=(--timestamp-url http://localhost:3004)
+fi
+if [ "$START_REKOR" = true ]; then
+    BUILD_CMD+=(--rekor-v1-url http://localhost:3000)
+fi
+if [ "$START_REKOR_TILES" = true ]; then
+    BUILD_CMD+=(--rekor-v2 http://localhost:3003 "$CLONE_DIR/rekor-tiles/tests/testdata/pki/ed25519-pub-key.pem" "rekor-local")
+fi
+"${BUILD_CMD[@]}" || return
 export TRUSTED_ROOT="$CLONE_DIR/trusted_root.json"
 export SIGNING_CONFIG="$CLONE_DIR/signing_config.json"
 export TRUST_CONFIG="$CLONE_DIR/trust_config.json"
