Add support to apt signing service
closes: #1346
git-hyagi committed Sep 13, 2024
1 parent a229961 commit 85b0504
Showing 7 changed files with 103 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGES/1346.feature
@@ -0,0 +1 @@
Added support to APT signing service.
6 changes: 5 additions & 1 deletion controllers/deployment.go
Expand Up @@ -553,6 +553,10 @@ func signingMetadataVolumes(resources any, storageType []string, volumes []corev
item := corev1.KeyToPath{Key: settings.ContainerSigningScriptName, Path: settings.ContainerSigningScriptName}
secretItems = append(secretItems, item)
}
if DeployAptSign(*secret) {
item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
secretItems = append(secretItems, item)
}
volumePermissions := int32(0755)
signingSecretVolume := []corev1.Volume{
{
Expand Down Expand Up @@ -653,7 +657,7 @@ func (d *CommonDeployment) setVolumeMounts(pulp repomanagerpulpprojectorgv1beta2
for _, script := range volume.VolumeSource.Secret.Items {
signingSecretMount := corev1.VolumeMount{
Name: pulp.Name + "-signing-scripts",
MountPath: "/var/lib/pulp/scripts/" + script.Key,
MountPath: settings.SigningScriptPath + script.Key,
SubPath: script.Key,
ReadOnly: true,
}
49 changes: 35 additions & 14 deletions controllers/repo_manager/job.go
Expand Up @@ -350,18 +350,6 @@ func signingScriptContainer(pulp *repomanagerpulpprojectorgv1beta2.Pulp, scripts
// volume mounts
volumeMounts := pulpcoreVolumeMounts(pulp)
signingSecretMount := []corev1.VolumeMount{
{
Name: pulp.Name + "-signing-scripts",
MountPath: "/var/lib/pulp/scripts/" + settings.CollectionSigningScriptName,
SubPath: settings.CollectionSigningScriptName,
ReadOnly: true,
},
{
Name: pulp.Name + "-signing-scripts",
MountPath: "/var/lib/pulp/scripts/" + settings.ContainerSigningScriptName,
SubPath: settings.ContainerSigningScriptName,
ReadOnly: true,
},
{
Name: "gpg-keys",
MountPath: "/etc/pulp/keys/signing_service.gpg",
Expand All @@ -373,6 +361,30 @@ func signingScriptContainer(pulp *repomanagerpulpprojectorgv1beta2.Pulp, scripts
MountPath: "/var/lib/pulp/.gnupg",
},
}
if controllers.DeployCollectionSign(scriptsSecret) {
signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
Name: pulp.Name + "-signing-scripts",
MountPath: settings.SigningScriptPath + settings.CollectionSigningScriptName,
SubPath: settings.CollectionSigningScriptName,
ReadOnly: true,
})
}
if controllers.DeployContainerSign(scriptsSecret) {
signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
Name: pulp.Name + "-signing-scripts",
MountPath: settings.SigningScriptPath + settings.ContainerSigningScriptName,
SubPath: settings.ContainerSigningScriptName,
ReadOnly: true,
})
}
if controllers.DeployAptSign(scriptsSecret) {
signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
Name: pulp.Name + "-signing-scripts",
MountPath: settings.SigningScriptPath + settings.AptSigningScriptName,
SubPath: settings.AptSigningScriptName,
ReadOnly: true,
})
}
volumeMounts = append(volumeMounts, signingSecretMount...)

// resource requirements
Expand All @@ -393,14 +405,19 @@ echo "${PULP_SIGNING_KEY_FINGERPRINT}:6" | gpg --import-ownertrust
}
if controllers.DeployCollectionSign(scriptsSecret) {
args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service collection-signing-service\n"
args[0] += "/usr/local/bin/pulpcore-manager add-signing-service collection-signing-service /var/lib/pulp/scripts/" + settings.CollectionSigningScriptName + " " + fingerprint + "\n"
args[0] += "/usr/local/bin/pulpcore-manager add-signing-service collection-signing-service " + settings.SigningScriptPath + settings.CollectionSigningScriptName + " " + fingerprint + "\n"
envVars = append(envVars, corev1.EnvVar{Name: "COLLECTION_SIGNING_SERVICE", Value: "collection-signing-service"})
}
if controllers.DeployContainerSign(scriptsSecret) {
args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service container-signing-service --class container:ManifestSigningService\n"
args[0] += "/usr/local/bin/pulpcore-manager add-signing-service container-signing-service /var/lib/pulp/scripts/" + settings.ContainerSigningScriptName + " " + fingerprint + " --class container:ManifestSigningService"
args[0] += "/usr/local/bin/pulpcore-manager add-signing-service container-signing-service " + settings.SigningScriptPath + settings.ContainerSigningScriptName + " " + fingerprint + " --class container:ManifestSigningService \n"
envVars = append(envVars, corev1.EnvVar{Name: "CONTAINER_SIGNING_SERVICE", Value: "container-signing-service"})
}
if controllers.DeployAptSign(scriptsSecret) {
args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service apt-signing-service --class deb:AptReleaseSigningService\n"
args[0] += "/usr/local/bin/pulpcore-manager add-signing-service --class deb:AptReleaseSigningService apt-signing-service " + settings.SigningScriptPath + settings.AptSigningScriptName + " " + fingerprint
envVars = append(envVars, corev1.EnvVar{Name: "APT_SIGNING_SERVICE", Value: "apt-signing-service"})
}

return corev1.Container{
Name: "signing-metadata",
Expand All @@ -426,6 +443,10 @@ func signingScriptJobVolumes(pulp *repomanagerpulpprojectorgv1beta2.Pulp, secret
item := corev1.KeyToPath{Key: settings.ContainerSigningScriptName, Path: settings.ContainerSigningScriptName}
secretItems = append(secretItems, item)
}
if controllers.DeployAptSign(secret) {
item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
secretItems = append(secretItems, item)
}

volumes := pulpcoreVolumes(pulp, "")
volumePermissions := int32(0755)
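Review bot: The apt `add-signing-service` command is the only one of the three appended to `args[0]` without a trailing newline, repeating the separator omission this commit had to fix for the container line just above it (which now ends in `" \n"`, with a stray space before the newline); if another service is ever appended after the apt block, the two commands will run together on one shell line. End the apt line with `+ "\n"` and tighten the container line to `"... --class container:ManifestSigningService\n"` so every block is self-delimiting. `fingerprint` is also interpolated unquoted into the generated shell script; the script path is assembled from constants, but if `fingerprint` can originate from anything other than gpg's own parsed output it should be checked against a 40-hex-character pattern before concatenation. signingScriptContainer's body begins and ends outside this hunk.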
2 changes: 2 additions & 0 deletions controllers/settings/jobs.go
Expand Up @@ -13,8 +13,10 @@ const (
resetAdminPwdJob = "reset-admin-password-"
updateChecksumsJob = "update-content-checksums-"
signingScriptJob = "signing-metadata-"
SigningScriptPath = "/var/lib/pulp/scripts/"
ContainerSigningScriptName = "container_script.sh"
CollectionSigningScriptName = "collection_script.sh"
AptSigningScriptName = "apt_script.sh"
)

func MigrationJob(pulpName string) string {
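Review bot: The new exported constants `SigningScriptPath` and `AptSigningScriptName` carry no doc comments, and every caller in this commit concatenates a script name directly onto `SigningScriptPath`, so its trailing slash is load-bearing and easy to drop in a later edit. Add `// SigningScriptPath is the directory, including the trailing slash, into which signing scripts are mounted; callers append the script name directly.` above the first and `// AptSigningScriptName is the Secret key and file name of the APT release signing script.` above the second. The const block starts outside this hunk.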
6 changes: 6 additions & 0 deletions controllers/utils.go
Expand Up @@ -903,6 +903,12 @@ func DeployContainerSign(secret corev1.Secret) bool {
return contains
}

// DeployAptSign returns true if signingScript secret is defined with an apt script
func DeployAptSign(secret corev1.Secret) bool {
_, contains := secret.Data[settings.AptSigningScriptName]
return contains
}

// SetDefaultSecurityContext defines the container security configuration to be in compliance with PodSecurity "restricted:v1.24"
func SetDefaultSecurityContext() *corev1.SecurityContext {
allowPrivilegeEscalation, runAsNonRoot := false, true
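Review bot: `DeployAptSign` reports true on mere presence of the `apt_script.sh` key, so a Secret that carries the key with an empty value still leads the job to mount an empty file (the volumes elsewhere in this commit use mode 0755) and register it as the APT signing service. If that is not intended, `v, ok := secret.Data[settings.AptSigningScriptName]; return ok && len(v) > 0` rejects the empty case; the sibling `DeployContainerSign` visible above uses the same presence-only check, so the change should be made to all three helpers together or to none.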
55 changes: 53 additions & 2 deletions docs/configuring/metadata_signing.md
Expand Up @@ -52,6 +52,9 @@ See the GnuPG official documentation for more information on how to generate a n

## Creating a Secret with the gpg key

!!! WARNING
Make sure to set `signing_service.gpg` as the key name for the `Secret` (using a different name will fail operator's execution)

```bash
$ gpg --export-secret-keys -a [email protected] > /tmp/gpg_private_key.gpg
$ kubectl create secret generic signing-secret --from-file=signing_service.gpg=/tmp/gpg_private_key.gpg
Expand Down Expand Up @@ -115,11 +118,48 @@ fi
EOF
```
* example of an APT signing script
```bash
$ SIGNING_SCRIPT_PATH=/tmp
$ APT_SIGNING_SCRIPT=apt_script.sh
$ cat<<EOF> "$SIGNING_SCRIPT_PATH/$APT_SIGNING_SCRIPT"
#!/bin/bash
set -e
RELEASE_FILE="\$(/usr/bin/readlink -f \$1)"
OUTPUT_DIR="\$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="\${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="\${OUTPUT_DIR}/InRelease"
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256 --default-key \$PULP_SIGNING_KEY_FINGERPRINT"
# Create a detached signature
/usr/bin/gpg \${COMMON_GPG_OPTS} \
--detach-sign \
--output "\${DETACHED_SIGNATURE_PATH}" \
"\${RELEASE_FILE}"
# Create an inline signature
/usr/bin/gpg \${COMMON_GPG_OPTS} \
--clearsign \
--output "\${INLINE_SIGNATURE_PATH}" \
"\${RELEASE_FILE}"
echo { \
\"signatures\": { \
\"inline\": \"\${INLINE_SIGNATURE_PATH}\", \
\"detached\": \"\${DETACHED_SIGNATURE_PATH}\" \
} \
}
EOF
```
!!! WARNING
Make sure to set `collection_script.sh` and/or `container_script.sh` as key names (using different names would fail operator's execution)
Make sure to set `collection_script.sh`, `container_script.sh`, and/or `apt_script.sh` as key names (using different names would fail operator's execution)
```bash
$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh
$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh --from-file=apt_script.sh=/tmp/apt_script.sh
```
## Configuring Pulp CR
Expand Down Expand Up @@ -147,6 +187,8 @@ Signing service 'collection-signing-service' has been successfully removed.
Successfully added signing service collection-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
Signing service 'container-signing-service' has been successfully removed.
Successfully added signing service container-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
Signing service 'apt-signing-service' has been successfully removed.
Successfully added signing service apt-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
```
double-checking if the signing services are stored in the database:
Expand All @@ -158,6 +200,15 @@ $ kubectl exec deployment/pulp-api -- curl -suadmin:$PULP_PWD localhost:24817/pu
"next": null,
"previous": null,
"results": [
{
"pulp_href": "/pulp/api/v3/signing-services/0191e929-31f4-77d1-841e-2b545cf45da3/",
"pulp_created": "2024-09-13T02:14:36.846612Z",
"pulp_last_updated": "2024-09-13T02:14:36.846627Z",
"name": "apt-signing-service",
"public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGiBGbjgnIRBACc7VbJTNbDRja...",
"pubkey_fingerprint": "66BBFE010CF70CC92826D9AB71684D7912B09BC1",
"script": "/var/lib/pulp/scripts/apt_script.sh"
},
{
"pulp_href": "/pulp/api/v3/signing-services/018c0126-1f0c-7803-868d-1a1ee7210db1/",
"pulp_created": "2023-11-22T11:45:25.042451Z",
2 changes: 1 addition & 1 deletion main.go
Expand Up @@ -177,7 +177,7 @@ func main() {
os.Exit(1)
}

setupLog.Info("pulp-operator version: 1.0.3-beta.5")
setupLog.Info("pulp-operator version: 1.0.4-beta.5")
setupLog.Info("starting manager")
if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
setupLog.Error(err, "problem running manager")