feat(cmd/rofl): Add support for custom proxy domains

Author: kostko

build/rofl/artifacts.go

@@ -13,6 +13,6 @@ var LatestContainerArtifacts = ArtifactsConfig{
 	Kernel:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/stage1.bin#e5d4d654ca1fa2c388bf64b23fc6e67815893fc7cb8b7cfee253d87963f54973",
 	Stage2:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/stage2-podman.tar.bz2#b2ea2a0ca769b6b2d64e3f0c577ee9c08f0bb81a6e33ed5b15b2a7e50ef9a09f",
 	Container: ContainerArtifactsConfig{
-		Runtime: "https://github.com/oasisprotocol/oasis-sdk/releases/download/rofl-containers%2Fv0.7.3/rofl-containers#964fbd8edaea8041fd9c5304bb4631b7126d57d06062cc3922e50313cdeef618",
+		Runtime: "https://github.com/oasisprotocol/oasis-sdk/releases/download/rofl-containers%2Fv0.8.0/rofl-containers#08eb5bbe5df26af276d9a72e9fd7353b3a90b7d27e1cf33e276a82dfd551eec6",
 	},
 }

build/rofl/scheduler/domain.go

@@ -0,0 +1,40 @@
+package scheduler
+
+import (
+	"encoding/base64"
+
+	"github.com/oasisprotocol/oasis-core/go/common/crypto/tuplehash"
+
+	"github.com/oasisprotocol/oasis-sdk/client-sdk/go/modules/rofl"
+	"github.com/oasisprotocol/oasis-sdk/client-sdk/go/modules/roflmarket"
+)
+
+const (
+	/// Domain verification token context.
+	DomainVerificationTokenContext = "rofl-scheduler/proxy: domain verification token" //nolint:gosec
+)
+
+// DomainVerificationToken derives the verification token for a given domain.
+//
+// The token is derived using a cryptographic hash function and is used to verify
+// that the domain is owned by the instance. More specifically, the token is derived
+// as follows:
+//
+//	TupleHash[DOMAIN_VERIFICATION_TOKEN_CONTEXT](
+//	  deployment.app_id,
+//	  instance.provider,
+//	  instance.id,
+//	  domain
+//	)
+//
+// The result is then encoded using base64.
+func DomainVerificationToken(instance *roflmarket.Instance, appID rofl.AppID, domain string) string {
+	h := tuplehash.New256(32, []byte(DomainVerificationTokenContext))
+	_, _ = h.Write(appID[:])
+	_, _ = h.Write(instance.Provider[:])
+	_, _ = h.Write(instance.ID[:])
+	_, _ = h.Write([]byte(domain))
+	output := h.Sum(nil)
+
+	return base64.StdEncoding.EncodeToString(output)
+}

build/rofl/scheduler/metadata.go

@@ -17,4 +17,6 @@ const (
 	// MetadataKeyORCReference is the name of the deployment metadata key that stores the ORC
 	// reference.
 	MetadataKeyORCReference = "net.oasis.deployment.orc.ref"
+	// MetadataKeyProxyCustomDomains is the name of the metadata key that stores the proxy custom domains.
+	MetadataKeyProxyCustomDomains = "net.oasis.proxy.custom_domains"
 )

cmd/rofl/build/build.go

@@ -50,7 +50,7 @@ var (
 
 			if onlyValidate {
 				fmt.Println("Validating app...")
-				err := validateApp(manifest)
+				_, err := ValidateApp(manifest, ValidationOpts{})
 				if err == nil {
 					fmt.Println("App validation passed.")
 					return nil

cmd/rofl/build/container.go

@@ -26,7 +26,7 @@ func tdxBuildContainer(
 
 	// Validate compose file.
 	fmt.Println("Validating compose file...")
-	if err := validateComposeFile(artifacts[artifactContainerCompose], manifest); err != nil {
+	if _, err := validateComposeFile(artifacts[artifactContainerCompose], manifest, ValidationOpts{}); err != nil {
 		common.CheckForceErr(fmt.Errorf("compose file validation failed: %w", err))
 	}
 

cmd/rofl/build/validate.go

@@ -17,12 +17,38 @@ import (
 	buildRofl "github.com/oasisprotocol/cli/build/rofl"
 )
 
-// validateApp validates the ROFL app manifest.
-func validateApp(manifest *buildRofl.Manifest) error {
+// ValidationOpts represents options for the validation process.
+type ValidationOpts struct {
+	// Offline indicates whether the validation should be performed without network access.
+	Offline bool
+}
+
+// AppExtraConfig represents extra configuration for the ROFL app.
+type AppExtraConfig struct {
+	// Ports are the port mappings exposed by the app.
+	Ports []*PortMapping
+}
+
+// PortMapping represents a port mapping.
+type PortMapping struct {
+	// ServiceName is the name of the service.
+	ServiceName string
+	// Port is the port number.
+	Port string
+	// ProxyMode is the proxy mode for the port.
+	ProxyMode string
+	// GenericDomain is the generic domain name.
+	GenericDomain string
+	// CustomDomain is the custom domain name (if any).
+	CustomDomain string
+}
+
+// ValidateApp validates the ROFL app manifest.
+func ValidateApp(manifest *buildRofl.Manifest, opts ValidationOpts) (*AppExtraConfig, error) {
 	switch manifest.TEE {
 	case buildRofl.TEETypeSGX:
 		if manifest.Kind != buildRofl.AppKindRaw {
-			return fmt.Errorf("unsupported app kind for SGX TEE: %s", manifest.Kind)
+			return nil, fmt.Errorf("unsupported app kind for SGX TEE: %s", manifest.Kind)
 		}
 	case buildRofl.TEETypeTDX:
 		switch manifest.Kind {
@@ -38,42 +64,45 @@ func validateApp(manifest *buildRofl.Manifest) error {
 				}
 			}
 			if composeAf == nil {
-				return fmt.Errorf("missing compose.yaml artifact")
+				return nil, fmt.Errorf("missing compose.yaml artifact")
 			}
 
 			// Only fetch the compose.yaml artifact.
 			artifacts := tdxFetchArtifacts([]*artifact{composeAf})
 
 			// Validate compose.yaml.
-			err := validateComposeFile(artifacts[artifactContainerCompose], manifest)
+			appCfg, err := validateComposeFile(artifacts[artifactContainerCompose], manifest, opts)
 			if err != nil {
-				return fmt.Errorf("compose file validation failed: %w", err)
+				return nil, fmt.Errorf("compose file validation failed: %w", err)
 			}
+			return appCfg, nil
 		default:
-			return fmt.Errorf("unsupported app kind for TDX TEE: %s", manifest.Kind)
+			return nil, fmt.Errorf("unsupported app kind for TDX TEE: %s", manifest.Kind)
 		}
 	default:
-		return fmt.Errorf("unsupported TEE kind: %s", manifest.TEE)
+		return nil, fmt.Errorf("unsupported TEE kind: %s", manifest.TEE)
 	}
 
-	return nil
+	return &AppExtraConfig{}, nil
 }
 
 // validateComposeFile validates the Docker compose file.
-func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error { //nolint: gocyclo
+func validateComposeFile(composeFile string, manifest *buildRofl.Manifest, opts ValidationOpts) (*AppExtraConfig, error) { //nolint: gocyclo
 	// Parse the compose file.
 	options, err := compose.NewProjectOptions([]string{composeFile}, compose.WithInterpolation(false))
 	if err != nil {
-		return fmt.Errorf("failed to set-up compose options: %w", err)
+		return nil, fmt.Errorf("failed to set-up compose options: %w", err)
 	}
 	proj, err := options.LoadProject(context.Background())
 	if err != nil {
-		return fmt.Errorf("parsing: %w", err)
+		return nil, fmt.Errorf("parsing: %w", err)
 	}
 
 	// Keep track of all images encountered, as we will need them in later steps.
 	images := []string{}
+	customDomains := make(map[string]struct{})
 
+	var appCfg AppExtraConfig
 	for serviceName, service := range proj.Services {
 		image := service.Image
 		images = append(images, image)
@@ -83,21 +112,21 @@ func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error
 		validationFailedErr := fmt.Errorf("image '%s' of service '%s' is not a fully-qualified domain name", image, serviceName)
 
 		if !strings.Contains(image, "/") {
-			return validationFailedErr
+			return nil, validationFailedErr
 		}
 		s := strings.Split(image, "/")
 		if len(s[0]) == 0 || len(s[1]) == 0 {
-			return validationFailedErr
+			return nil, validationFailedErr
 		}
 
 		domain := s[0]
 		if !strings.Contains(domain, ".") {
-			return validationFailedErr
+			return nil, validationFailedErr
 		}
 
 		_, err := idna.Lookup.ToASCII(domain)
 		if err != nil {
-			return validationFailedErr
+			return nil, validationFailedErr
 		}
 
 		// Also, if any volumes are set, make sure that the source of each volume
@@ -132,23 +161,46 @@ func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error
 				}
 			}
 
-			return fmt.Errorf("volume '%s:%s' of service '%s' has an invalid external source (should be '/run/rofl-appd.sock', '/run/podman.sock' or reside inside '/storage/')", vol.Source, vol.Target, serviceName)
+			return nil, fmt.Errorf("volume '%s:%s' of service '%s' has an invalid external source (should be '/run/rofl-appd.sock', '/run/podman.sock' or reside inside '/storage/')", vol.Source, vol.Target, serviceName)
 		}
 
 		// Validate ports.
 		publishedPorts := make(map[uint64]struct{})
 		for _, port := range service.Ports {
 			if port.Target == 0 {
-				return fmt.Errorf("service '%s' has an invalid zero port defined", serviceName)
+				return nil, fmt.Errorf("service '%s' has an invalid zero port defined", serviceName)
 			}
 			if port.Published == "" || port.Published == "0" {
-				return fmt.Errorf("port '%d' of service '%s' does not have an explicit published port defined", port.Target, serviceName)
+				return nil, fmt.Errorf("port '%d' of service '%s' does not have an explicit published port defined", port.Target, serviceName)
 			}
 			publishedPort, err := strconv.ParseUint(port.Published, 10, 16)
 			if err != nil {
-				return fmt.Errorf("published port '%s' of service '%s' is invalid: %w", port.Published, serviceName, err)
+				return nil, fmt.Errorf("published port '%s' of service '%s' is invalid: %w", port.Published, serviceName, err)
 			}
 			publishedPorts[publishedPort] = struct{}{}
+
+			if port.Protocol != "tcp" {
+				continue
+			}
+			proxyMode := service.Annotations[fmt.Sprintf("net.oasis.proxy.ports.%s.mode", port.Published)]
+			if proxyMode == "ignore" {
+				continue
+			}
+			genericDomain := fmt.Sprintf("p%s", port.Published)
+			customDomain := service.Annotations[fmt.Sprintf("net.oasis.proxy.ports.%s.custom_domain", port.Published)]
+			if customDomain != "" {
+				if _, ok := customDomains[customDomain]; ok {
+					return nil, fmt.Errorf("custom domain '%s' of service '%s' is already in use", customDomain, serviceName)
+				}
+				customDomains[customDomain] = struct{}{}
+			}
+			appCfg.Ports = append(appCfg.Ports, &PortMapping{
+				ServiceName:   serviceName,
+				Port:          port.Published,
+				ProxyMode:     proxyMode,
+				GenericDomain: genericDomain,
+				CustomDomain:  customDomain,
+			})
 		}
 
 		// Validate annotations.
@@ -158,10 +210,10 @@ func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error
 			case strings.HasPrefix(key, "net.oasis.proxy.ports"):
 				port, err := strconv.ParseUint(keyAtoms[4], 10, 16)
 				if err != nil {
-					return fmt.Errorf("proxy port annotation of service '%s' has an invalid port: %s", serviceName, keyAtoms[4])
+					return nil, fmt.Errorf("proxy port annotation of service '%s' has an invalid port: %s", serviceName, keyAtoms[4])
 				}
 				if _, ok := publishedPorts[port]; !ok {
-					return fmt.Errorf("proxy port annotation of service '%s' references an unpublished port '%d'", serviceName, port)
+					return nil, fmt.Errorf("proxy port annotation of service '%s' references an unpublished port '%d'", serviceName, port)
 				}
 
 				// Validate supported annotations.
@@ -173,8 +225,9 @@ func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error
 					case "passthrough":
 					case "terminate-tls":
 					default:
-						return fmt.Errorf("proxy port annotation of service '%s', port '%d' has an invalid mode: %s", serviceName, port, value)
+						return nil, fmt.Errorf("proxy port annotation of service '%s', port '%d' has an invalid mode: %s", serviceName, port, value)
 					}
+				case "custom_domain":
 				default:
 				}
 			default:
@@ -184,7 +237,7 @@ func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error
 
 	// Make sure that we have images.
 	if len(images) == 0 {
-		return fmt.Errorf("no images defined")
+		return nil, fmt.Errorf("no images defined")
 	}
 
 	// Make sure that the total size of images fits into the storage size
@@ -214,25 +267,29 @@ func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error
 			}
 		}
 
+		if opts.Offline {
+			continue
+		}
+
 		// Fetch manifest from OCI repository.
 		repo, err := remote.NewRepository(image)
 		if err != nil {
-			return err
+			return nil, err
 		}
 		mainDescriptor, mfRaw, err := oras.FetchBytes(context.Background(), repo, tag, oras.DefaultFetchBytesOptions)
 		if err != nil {
-			return fmt.Errorf("unable to fetch manifest for image '%s': %w", imageFull, err)
+			return nil, fmt.Errorf("unable to fetch manifest for image '%s': %w", imageFull, err)
 		}
 		var mf ocispec.Manifest
 		if err = json.Unmarshal(mfRaw, &mf); err != nil {
-			return fmt.Errorf("unable to parse manifest for image '%s': %w", imageFull, err)
+			return nil, fmt.Errorf("unable to parse manifest for image '%s': %w", imageFull, err)
 		}
 
 		// Validate platform if given.
 		for _, platform := range []*ocispec.Platform{mainDescriptor.Platform, mf.Config.Platform} {
 			if platform != nil {
 				if platform.Architecture != "amd64" || platform.OS != "linux" {
-					return fmt.Errorf("image '%s' has incorrect platform (expected linux/amd64, got %s/%s)", imageFull, platform.OS, platform.Architecture)
+					return nil, fmt.Errorf("image '%s' has incorrect platform (expected linux/amd64, got %s/%s)", imageFull, platform.OS, platform.Architecture)
 				}
 			}
 		}
@@ -254,8 +311,8 @@ func validateComposeFile(composeFile string, manifest *buildRofl.Manifest) error
 	// We could terminate early above, but it's more useful to give the user an estimate
 	// of how big the storage should be.
 	if totalSize > maxSize {
-		return fmt.Errorf("estimated total size of images (%d MB) exceeds storage size set in ROFL manifest (%d MB)", totalSize/1024/1024, manifest.Resources.Storage.Size)
+		return nil, fmt.Errorf("estimated total size of images (%d MB) exceeds storage size set in ROFL manifest (%d MB)", totalSize/1024/1024, manifest.Resources.Storage.Size)
 	}
 
-	return nil
+	return &appCfg, nil
 }

cmd/rofl/deploy.go

@@ -30,6 +30,7 @@ import (
 	"github.com/oasisprotocol/cli/build/rofl/provider"
 	"github.com/oasisprotocol/cli/build/rofl/scheduler"
 	"github.com/oasisprotocol/cli/cmd/common"
+	roflCmdBuild "github.com/oasisprotocol/cli/cmd/rofl/build"
 	roflCommon "github.com/oasisprotocol/cli/cmd/rofl/common"
 	cliConfig "github.com/oasisprotocol/cli/config"
 )
@@ -63,6 +64,13 @@ var (
 				cobra.CheckErr(fmt.Sprintf("malformed app id: %s", err))
 			}
 
+			extraCfg, err := roflCmdBuild.ValidateApp(manifest, roflCmdBuild.ValidationOpts{
+				Offline: true,
+			})
+			if err != nil {
+				cobra.CheckErr(fmt.Sprintf("failed to validate app: %s", err))
+			}
+
 			ctx := context.Background()
 			conn, err := connection.Connect(ctx, npa.Network)
 			cobra.CheckErr(err)
@@ -154,6 +162,9 @@ var (
 				}
 				machineDeployment.Metadata[scheduler.MetadataKeyPermissions] = perms
 			}
+			if customDomains := extractCustomDomains(extraCfg); customDomains != "" {
+				machineDeployment.Metadata[scheduler.MetadataKeyProxyCustomDomains] = customDomains
+			}
 
 			obtainMachine := func() (*buildRofl.Machine, *roflmarket.Instance, error) {
 				if deployOffer != "" {
@@ -481,6 +492,21 @@ func resolveAndMarshalPermissions(npa *common.NPASelection, permissions map[stri
 	return scheduler.MarshalPermissions(perms), nil
 }
 
+func extractCustomDomains(extraCfg *roflCmdBuild.AppExtraConfig) string {
+	if extraCfg == nil || len(extraCfg.Ports) == 0 {
+		return ""
+	}
+
+	customDomains := make([]string, 0, len(extraCfg.Ports))
+	for _, p := range extraCfg.Ports {
+		if p.CustomDomain == "" {
+			continue
+		}
+		customDomains = append(customDomains, p.CustomDomain)
+	}
+	return strings.Join(customDomains, " ")
+}
+
 func init() {
 	providerFlags := flag.NewFlagSet("", flag.ContinueOnError)
 	// Default to Testnet playground provider.