From d728b60dd95a1e17508a9ebbbf3c356e3656478a Mon Sep 17 00:00:00 2001
From: git-hyagi <45576767+git-hyagi@users.noreply.github.com>
Date: Tue, 3 Sep 2024 09:34:11 -0300
Subject: [PATCH] draft

---
 CHANGES/1346.feature | 1 +
 controllers/deployment.go | 6 ++-
 controllers/repo_manager/job.go | 49 ++++++++++++++++++-------
 controllers/settings/jobs.go | 2 +
 controllers/utils.go | 6 +++
 docs/configuring/metadata_signing.md | 55 +++++++++++++++++++++++++++-
 main.go | 2 +-
 7 files changed, 103 insertions(+), 18 deletions(-)
 create mode 100644 CHANGES/1346.feature

diff --git a/CHANGES/1346.feature b/CHANGES/1346.feature
new file mode 100644
index 000000000..c480b3ccc
--- /dev/null
+++ b/CHANGES/1346.feature
@@ -0,0 +1 @@
+Added support to APT signing service.
diff --git a/controllers/deployment.go b/controllers/deployment.go
index 59fce85b2..4e8b476fe 100644
--- a/controllers/deployment.go
+++ b/controllers/deployment.go
@@ -553,6 +553,10 @@ func signingMetadataVolumes(resources any, storageType []string, volumes []corev
 		item := corev1.KeyToPath{Key: settings.ContainerSigningScriptName, Path: settings.ContainerSigningScriptName}
 		secretItems = append(secretItems, item)
 	}
+	if DeployAptSign(*secret) {
+		item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
+		secretItems = append(secretItems, item)
+	}
 	volumePermissions := int32(0755)
 	signingSecretVolume := []corev1.Volume{
 		{
@@ -653,7 +657,7 @@ func (d *CommonDeployment) setVolumeMounts(pulp repomanagerpulpprojectorgv1beta2
 		for _, script := range volume.VolumeSource.Secret.Items {
 			signingSecretMount := corev1.VolumeMount{
 				Name:      pulp.Name + "-signing-scripts",
-				MountPath: "/var/lib/pulp/scripts/" + script.Key,
+				MountPath: settings.SigningScriptPath + script.Key,
 				SubPath:   script.Key,
 				ReadOnly:  true,
 			}
diff --git a/controllers/repo_manager/job.go b/controllers/repo_manager/job.go
index b581cd3d1..a7b0f8bfa 100644
--- a/controllers/repo_manager/job.go
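Review bot: The new `DeployAptSign` branch in `signingMetadataVolumes` is the third copy of the same key-to-`KeyToPath` block, and `signingScriptJobVolumes` in controllers/repo_manager/job.go (hunk @@ -426) repeats the same chain again, so every future signing service needs parallel edits in both places. A small helper next to `DeployAptSign` in controllers/utils.go that ranges over the three script names and appends an item for each key present in `secret.Data` would let both callers replace the whole chain with `secretItems = SigningScriptItems(*secret)` (or `SigningScriptItems(secret)` in job.go). The presence test is the same `_, ok := secret.Data[name]` lookup the `Deploy*Sign` helpers already use, so the set of mounted scripts does not change. `signingMetadataVolumes` starts outside the hunk.
```go
// SigningScriptItems returns one KeyToPath per signing script found in the
// signing-scripts secret, in a fixed collection/container/apt order.
func SigningScriptItems(secret corev1.Secret) []corev1.KeyToPath {
	var items []corev1.KeyToPath
	for _, name := range []string{settings.CollectionSigningScriptName, settings.ContainerSigningScriptName, settings.AptSigningScriptName} {
		if _, ok := secret.Data[name]; ok {
			items = append(items, corev1.KeyToPath{Key: name, Path: name})
		}
	}
	return items
}
```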
+++ b/controllers/repo_manager/job.go
@@ -350,18 +350,6 @@ func signingScriptContainer(pulp *repomanagerpulpprojectorgv1beta2.Pulp, scripts
 	// volume mounts
 	volumeMounts := pulpcoreVolumeMounts(pulp)
 	signingSecretMount := []corev1.VolumeMount{
-		{
-			Name:      pulp.Name + "-signing-scripts",
-			MountPath: "/var/lib/pulp/scripts/" + settings.CollectionSigningScriptName,
-			SubPath:   settings.CollectionSigningScriptName,
-			ReadOnly:  true,
-		},
-		{
-			Name:      pulp.Name + "-signing-scripts",
-			MountPath: "/var/lib/pulp/scripts/" + settings.ContainerSigningScriptName,
-			SubPath:   settings.ContainerSigningScriptName,
-			ReadOnly:  true,
-		},
 		{
 			Name:      "gpg-keys",
 			MountPath: "/etc/pulp/keys/signing_service.gpg",
@@ -373,6 +361,30 @@ func signingScriptContainer(pulp *repomanagerpulpprojectorgv1beta2.Pulp, scripts
 			MountPath: "/var/lib/pulp/.gnupg",
 		},
 	}
+	if controllers.DeployCollectionSign(scriptsSecret) {
+		signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
+			Name:      pulp.Name + "-signing-scripts",
+			MountPath: settings.SigningScriptPath + settings.CollectionSigningScriptName,
+			SubPath:   settings.CollectionSigningScriptName,
+			ReadOnly:  true,
+		})
+	}
+	if controllers.DeployContainerSign(scriptsSecret) {
+		signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
+			Name:      pulp.Name + "-signing-scripts",
+			MountPath: settings.SigningScriptPath + settings.ContainerSigningScriptName,
+			SubPath:   settings.ContainerSigningScriptName,
+			ReadOnly:  true,
+		})
+	}
+	if controllers.DeployAptSign(scriptsSecret) {
+		signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
+			Name:      pulp.Name + "-signing-scripts",
+			MountPath: settings.SigningScriptPath + settings.AptSigningScriptName,
+			SubPath:   settings.AptSigningScriptName,
+			ReadOnly:  true,
+		})
+	}
 	volumeMounts = append(volumeMounts, signingSecretMount...)
 
 	// resource requirements
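Review bot: The three `if controllers.Deploy*Sign(scriptsSecret)` blocks appended to `signingSecretMount` are identical apart from the script name, so the mount list can be built by one loop over the script names, the way `setVolumeMounts` in controllers/deployment.go already derives its mounts with `for _, script := range volume.VolumeSource.Secret.Items`. The presence check `_, ok := scriptsSecret.Data[name]` is exactly what the `Deploy*Sign` helpers do (see `DeployAptSign` in the controllers/utils.go hunk), so the set and order of mounts is unchanged. `signingScriptContainer` starts and ends outside this hunk.
```go
	// one read-only mount per signing script actually present in the secret
	for _, name := range []string{settings.CollectionSigningScriptName, settings.ContainerSigningScriptName, settings.AptSigningScriptName} {
		if _, ok := scriptsSecret.Data[name]; ok {
			signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
				Name:      pulp.Name + "-signing-scripts",
				MountPath: settings.SigningScriptPath + name,
				SubPath:   name,
				ReadOnly:  true,
			})
		}
	}
	volumeMounts = append(volumeMounts, signingSecretMount...)
```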
@@ -393,14 +405,19 @@ echo "${PULP_SIGNING_KEY_FINGERPRINT}:6" | gpg --import-ownertrust
 	}
 	if controllers.DeployCollectionSign(scriptsSecret) {
 		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service collection-signing-service\n"
-		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service collection-signing-service /var/lib/pulp/scripts/" + settings.CollectionSigningScriptName + " " + fingerprint + "\n"
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service collection-signing-service " + settings.SigningScriptPath + settings.CollectionSigningScriptName + " " + fingerprint + "\n"
 		envVars = append(envVars, corev1.EnvVar{Name: "COLLECTION_SIGNING_SERVICE", Value: "collection-signing-service"})
 	}
 	if controllers.DeployContainerSign(scriptsSecret) {
 		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service container-signing-service --class container:ManifestSigningService\n"
-		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service container-signing-service /var/lib/pulp/scripts/" + settings.ContainerSigningScriptName + " " + fingerprint + " --class container:ManifestSigningService"
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service container-signing-service " + settings.SigningScriptPath + settings.ContainerSigningScriptName + " " + fingerprint + " --class container:ManifestSigningService \n"
 		envVars = append(envVars, corev1.EnvVar{Name: "CONTAINER_SIGNING_SERVICE", Value: "container-signing-service"})
 	}
+	if controllers.DeployAptSign(scriptsSecret) {
+		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service apt-signing-service --class deb:AptReleaseSigningService\n"
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service --class deb:AptReleaseSigningService apt-signing-service " + settings.SigningScriptPath + settings.AptSigningScriptName + " " + fingerprint
+		envVars = append(envVars, corev1.EnvVar{Name: "APT_SIGNING_SERVICE", Value: "apt-signing-service"})
+	}
 
 	return corev1.Container{
 		Name: "signing-metadata",
@@ -426,6 +443,10 @@ func signingScriptJobVolumes(pulp *repomanagerpulpprojectorgv1beta2.Pulp, secret
 		item := corev1.KeyToPath{Key: settings.ContainerSigningScriptName, Path: settings.ContainerSigningScriptName}
 		secretItems = append(secretItems, item)
 	}
+	if controllers.DeployAptSign(secret) {
+		item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
+		secretItems = append(secretItems, item)
+	}
 	volumes := pulpcoreVolumes(pulp, "")
 
 	volumePermissions := int32(0755)
diff --git a/controllers/settings/jobs.go b/controllers/settings/jobs.go
index ba6bb9090..be955402a 100644
--- a/controllers/settings/jobs.go
+++ b/controllers/settings/jobs.go
@@ -13,8 +13,10 @@ const (
 	resetAdminPwdJob = "reset-admin-password-"
 	updateChecksumsJob = "update-content-checksums-"
 	signingScriptJob = "signing-metadata-"
+	SigningScriptPath = "/var/lib/pulp/scripts/"
 	ContainerSigningScriptName = "container_script.sh"
 	CollectionSigningScriptName = "collection_script.sh"
+	AptSigningScriptName = "apt_script.sh"
 )
 
 func MigrationJob(pulpName string) string {
diff --git a/controllers/utils.go b/controllers/utils.go
index dd0e5e175..ae9b12dcf 100644
--- a/controllers/utils.go
+++ b/controllers/utils.go
@@ -903,6 +903,12 @@ func DeployContainerSign(secret corev1.Secret) bool {
 	return contains
 }
 
+// DeployAptSign returns true if signingScript secret is defined with an apt script
+func DeployAptSign(secret corev1.Secret) bool {
+	_, contains := secret.Data[settings.AptSigningScriptName]
+	return contains
+}
+
 // SetDefaultSecurityContext defines the container security configuration to be in compliance with PodSecurity "restricted:v1.24"
 func SetDefaultSecurityContext() *corev1.SecurityContext {
 	allowPrivilegeEscalation, runAsNonRoot := false, true
diff --git a/docs/configuring/metadata_signing.md b/docs/configuring/metadata_signing.md
index 000c2c36f..1e136ee2e 100644
--- a/docs/configuring/metadata_signing.md
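Review bot: The APT `add-signing-service` command is appended to `args[0]` without a trailing `"\n"`, unlike the collection and container lines above it, so the generated script stays correct only while nothing is ever appended after this block; in the same hunk the container line gained its newline with a stray space in front of it (`--class container:ManifestSigningService \n`). Suggest ending the APT line with `+ " " + fingerprint + "\n"` and the container line with `" --class container:ManifestSigningService\n"`. The APT `remove-signing-service` line passes `--class` after the service name while the `add-signing-service` line passes it before; if the CLI accepts both, matching the container lines' order on both would still read more consistently. `signingScriptContainer` starts and ends outside this hunk.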
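Review bot: `SigningScriptPath` is consumed by plain string concatenation at every call site in this patch (`settings.SigningScriptPath + script.Key`, `settings.SigningScriptPath + settings.AptSigningScriptName`), so its trailing slash is load-bearing, but nothing at the definition says so and a later "tidy-up" dropping it would silently produce paths like `/var/lib/pulp/scriptsapt_script.sh`. A comment on the constant in controllers/settings/jobs.go would protect it, e.g. `// SigningScriptPath is the directory the signing scripts are mounted in; callers concatenate a script name to it, so keep the trailing slash.`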
+++ b/docs/configuring/metadata_signing.md
@@ -52,6 +52,9 @@ See the GnuPG official documentation for more information on how to generate a n
 ## Creating a Secret with the gpg key
 
+!!! WARNING
+    Make sure to set `signing_service.gpg` as the key name for the `Secret`
+
 ```bash
 $ gpg --export-secret-keys -a pulp@example.com > /tmp/gpg_private_key.gpg
 $ kubectl create secret generic signing-secret --from-file=signing_service.gpg=/tmp/gpg_private_key.gpg
 
@@ -115,11 +118,48 @@ fi
 EOF
 ```
 
+* example of an APT signing script
+```bash
+$ SIGNING_SCRIPT_PATH=/tmp
+$ APT_SIGNING_SCRIPT=apt_script.sh
+$ cat< "$SIGNING_SCRIPT_PATH/$APT_SIGNING_SCRIPT"
+#!/bin/bash
+
+set -e
+
+RELEASE_FILE="\$(/usr/bin/readlink -f \$1)"
+OUTPUT_DIR="\$(/usr/bin/mktemp -d)"
+DETACHED_SIGNATURE_PATH="\${OUTPUT_DIR}/Release.gpg"
+INLINE_SIGNATURE_PATH="\${OUTPUT_DIR}/InRelease"
+COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256 --default-key \$PULP_SIGNING_KEY_FINGERPRINT"
+
+# Create a detached signature
+/usr/bin/gpg \${COMMON_GPG_OPTS} \
+  --detach-sign \
+  --output "\${DETACHED_SIGNATURE_PATH}" \
+  "\${RELEASE_FILE}"
+
+# Create an inline signature
+/usr/bin/gpg \${COMMON_GPG_OPTS} \
+  --clearsign \
+  --output "\${INLINE_SIGNATURE_PATH}" \
+  "\${RELEASE_FILE}"
+
+echo { \
+  \"signatures\": { \
+    \"inline\": \"\${INLINE_SIGNATURE_PATH}\", \
+    \"detached\": \"\${DETACHED_SIGNATURE_PATH}\" \
+  } \
+  }
+
+EOF
+```
+
 !!! WARNING
-    Make sure to set `collection_script.sh` and/or `container_script.sh` as key names (using different names would fail operator's execution)
+    Make sure to set `collection_script.sh`, `container_script.sh`, and/or `apt_script.sh` as key names (using different names would fail operator's execution)
 
 ```bash
-$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh
+$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh --from-file=apt_script.sh=/tmp/apt_script.sh
 ```
 
 ## Configuring Pulp CR
@@ -147,6 +187,8 @@ Signing service 'collection-signing-service' has been successfully removed.
 Successfully added signing service collection-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
 Signing service 'container-signing-service' has been successfully removed.
 Successfully added signing service container-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
+Signing service 'apt-signing-service' has been successfully removed.
+Successfully added signing service apt-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
 ```
 
 double-checking if the signing services are stored in the database:
@@ -158,6 +200,15 @@ $ kubectl exec deployment/pulp-api -- curl -suadmin:$PULP_PWD localhost:24817/pu
   "next": null,
   "previous": null,
   "results": [
+    {
+      "pulp_href": "/pulp/api/v3/signing-services/0191e929-31f4-77d1-841e-2b545cf45da3/",
+      "pulp_created": "2024-09-13T02:14:36.846612Z",
+      "pulp_last_updated": "2024-09-13T02:14:36.846627Z",
+      "name": "apt-signing-service",
+      "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGiBGbjgnIRBACc7VbJTNbDRja...",
+      "pubkey_fingerprint": "66BBFE010CF70CC92826D9AB71684D7912B09BC1",
+      "script": "/var/lib/pulp/scripts/apt_script.sh"
+    },
     {
       "pulp_href": "/pulp/api/v3/signing-services/018c0126-1f0c-7803-868d-1a1ee7210db1/",
       "pulp_created": "2023-11-22T11:45:25.042451Z",
diff --git a/main.go b/main.go
index 37882c144..d6f889290 100644
--- a/main.go
+++ b/main.go
@@ -177,7 +177,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	setupLog.Info("pulp-operator version: 1.0.3-beta.5")
+	setupLog.Info("pulp-operator version: 1.0.4-beta.5")
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")