WIP: Client API implementation

[endophage]

Huge feature list here and apologies for the PR bomb.

• New Interface type defined for client interaction with a repository (client/interface.go)
• GRPC implementation of the new interface (client_api/api/*)
• CLI integration with GRPC API if configured (cmd/notary/repo_factory.go and other necessary knock on changes in the cmd/notary package)
• JWT token auth for the GRPC API consistent with Notary Server and Docker Registry (auth/*). Some of this is to be upstreamed into docker/distribution when I get the chance.
  • If enabled "push" and "pull" actions will always be requested to guarantee the Client API can communicate with the upstream Notary Server to read repos and publish updates. The server configuration will also accept a map of GRPC Endpoint Name : [permissions] (documentation to be written) that allows users to arbitrarily configure in more permissions per GRPC API. Users would need their token server to issue those permissions as appropriate to their users.

Still needed:

• more tests
• documentation

Shout out to @n4ss for all the hard work on this. Go get some sleep!

cc @ecordell @lewiada

[ecordell]

This mostly is looking really good! I left some comments from my first pass, I plan to do a more in-depth review soon.

[ecordell]

Should these take an optional list of roles to sign with? I know the default is to sign with all available, but that might not be the desired behavior when we get to thresholding

[ecordell]

don't know that this comment is adding much :)

[ecordell]

👍 this really cleans things up

[ecordell]

👍 for a dependency removed

[endophage]

I'm actually going to try and upstream these auth pieces back into distribution. I don't particularly want a forked version I have to keep up to date if somebody changes something. The version in docker/distribution is basically the canonical version for Docker but it was too tightly coupled with net/http and I needed to make progress.

[ecordell]

I think the naming here could be confusing, because RepoBuilder already exists. Maybe more explicitly clientRepoFactory? (same for filename as well)

[endophage]

I have some stuff to discuss at our maintainers meeting at DockerCon that may obsolete RepoBuilder :-)

[ecordell]

these comments should be cleaned up

[ecordell]

if this is unused it should be removed

[ecordell]

remove these? can't think of a reason there would need to be a lock here.

[endophage]

There was a token cache (map[something]something) I removed that this was locking.

[ecordell]

Should the responsibility to publish be pushed back to the "clientapi client" instead of in the "clientapi server"?

IIRC this mirrors the current cli behavior, just wondering if there's a good reason to keep them coupled together.

[endophage]

In the case where somebody horizontally scales Client API's (I'm just using that as the name for this new service), there's no guarantee you'll hit the same instance again. I think it's a lot cleaner and easier to implement if every operation is a one shot that publishes (where appropriate, we intend to support things like letting clients add keys, which would still require some kind of synchronization between instances).

[ecordell]

Can these be factored out? Maybe something like NewTargetWithRole(Target) and NewTargetWithRoles([]Target)

They only really need to be serialized here so I understand not separating it out, but if they were separate it would be very clear that all this server does is proxy commands to a repo object and then serialize the results.

(Same comment for all of the other serialization happening in this file)

[endophage]

Superseded by #1139