Add an initContainer to register the gpg keys

fixes: #1001
pulp · Jul 10, 2023 · 6ec02e7 · 6ec02e7
1 parent 66e6d1b
commit 6ec02e7
Show file tree

Hide file tree

Showing 8 changed files with 140 additions and 49 deletions.
diff --git a/.ci/scripts/signing_metadata.sh b/.ci/scripts/signing_metadata.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -xe
+
+# get pulp admin password
+PULP_ADM_PWD=$(kubectl get secret/example-pulp-admin-password -ojsonpath='{.data.password}'|base64 -d)
+
+# verify the list of signing services (keeping it in a different variable to make troubleshooting/debug easier)
+SIGNING_SVC=$(kubectl exec deployment/example-pulp-api -- curl  -u admin:$PULP_ADM_PWD -sL localhost:24817/pulp/api/v3/signing-services/)
+
+# get only the count of services found
+SVC_COUNT=$(echo $SIGNING_SVC | jq .count)
+
+# check if the 2 services were found
+if [[ $SVC_COUNT != 2 ]] ; then
+  echo "Could not find all signing services!"
+  exit 1
+fi
+
+# check if the the gpg key is in the api's keyring
+kubectl exec deployment/example-pulp-api -- gpg -k joe@foo.bar 2>/dev/null
+
+# check if the the gpg key is in the worker's keyring
+kubectl exec deployment/example-pulp-worker -- gpg -k joe@foo.bar 2>/dev/null
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -227,6 +227,11 @@ jobs:
           sudo chmod +x /usr/local/bin/popeye
           echo ::endgroup::
           sudo popeye --kubeconfig ~/.kube/config || true
+      - name: Check signing metadata
+        run: |
+          # ignoring the tests for now because of some galaxy container image issues
+          #.ci/scripts/signing_metadata.sh
+        shell: bash
       - name: Test
         run: sudo -E .ci/scripts/galaxy_ng-tests.sh -m
         shell: bash

diff --git a/CHANGES/1001.bugfix b/CHANGES/1001.bugfix
@@ -0,0 +1 @@
+Fixed a bug where the gpg keys were not available in all API and worker pods.
diff --git a/roles/pulp-api/defaults/main.yml b/roles/pulp-api/defaults/main.yml
@@ -95,6 +95,7 @@ keycloak_port_available: false
 keycloak_realm_available: false
 
 __pulp_gpg_inspect_command: "gpg --import-options show-only --import --with-fingerprint"
+__gpg_init_container_image: "quay.io/centos/centos:stream9"
 
 gunicorn_timeout: 90
 gunicorn_api_workers: 2
diff --git a/roles/pulp-api/tasks/main.yml b/roles/pulp-api/tasks/main.yml
@@ -282,52 +282,3 @@
         reason: ApiTasksFinished
         status: "True"
         lastTransitionTime: "{{ lookup('pipe', 'date --iso-8601=seconds') }}"
-
-- block:
-  - name: Get an API pod to run the commands
-    register: __api_pod
-    k8s_info:
-      kind: Pod
-      namespace: "{{ ansible_operator_meta.namespace }}"
-      label_selectors:
-      - app.kubernetes.io/component=api
-      - app.kubernetes.io/managed-by=pulp-operator
-    until:
-    - __api_pod.resources[0].status.podIP is defined
-
-  - name: Import galaxy signing service GPG key file
-    register: result
-    k8s_exec:
-      namespace: "{{ ansible_operator_meta.namespace }}"
-      pod: "{{ __api_pod.resources[0].metadata.name }}"
-      command: sh -c "gpg --batch --import /etc/pulp/keys/signing_service.gpg"
-    # Imported successfully: rc 0
-    # Already imported: rc 2
-    # If you try to import multiple keys but only some need to be imported: rc 2
-    changed_when: result.stderr is search("imported:")
-    failed_when: result.rc not in [0,2]
-
-  - name: Trust the galaxy signing service GPG key
-    register: result
-    k8s_exec:
-      namespace: "{{ ansible_operator_meta.namespace }}"
-      pod: "{{ __api_pod.resources[0].metadata.name }}"
-      command: sh -c "echo {{ signing_key.stdout }}:6 | gpg --import-ownertrust"
-    # changed messages can be either:
-    # gpg: inserting ownertrust of 6
-    # gpg: changing ownertrust from 3 to 6
-    changed_when: "'ownertrust' in result.stderr"
-
-  - name: Register signing scripts
-    register: result
-    k8s_exec:
-      namespace: "{{ ansible_operator_meta.namespace }}"
-      pod: "{{ __api_pod.resources[0].metadata.name }}"
-      command: sh -c "/usr/local/bin/pulpcore-manager add-signing-service {{ item.service_name }} {{ item.service_script }} {{ item.fingerprint }} {{ item.args }}"
-    failed_when: result.rc not in [0,1]
-    changed_when: result.stdout is search("Successfully added signing service")
-    with_items:
-    - {service_name: '${COLLECTION_SIGNING_SERVICE}', service_script: "/var/lib/pulp/scripts/collection_sign.sh", fingerprint: '${PULP_SIGNING_KEY_FINGERPRINT}', args: ''}
-    - {service_name: '${CONTAINER_SIGNING_SERVICE}', service_script: "/var/lib/pulp/scripts/container_sign.sh", fingerprint: '${PULP_SIGNING_KEY_FINGERPRINT}', args: '--class container:ManifestSigningService'}
-
-  when: signing_secret is defined
diff --git a/roles/pulp-api/tasks/signing_service.yml b/roles/pulp-api/tasks/signing_service.yml
@@ -11,6 +11,12 @@
         status: "False"
         lastTransitionTime: "{{ lookup('pipe', 'date --iso-8601=seconds') }}"
 
+- name: Set GPG initContainer image
+  set_fact:
+    gpg_init_container_image: >-
+      {{ lookup('env', 'GPG_INIT_CONTAINER_IMAGE') |
+         default(__gpg_init_container_image,true) }}
+
 - name: Check for signing keys
   k8s_info:
     kind: Secret

diff --git a/roles/pulp-api/templates/pulp-api.deployment.yaml.j2 b/roles/pulp-api/templates/pulp-api.deployment.yaml.j2
@@ -42,6 +42,10 @@ spec:
         app.kubernetes.io/component: api
         app.kubernetes.io/part-of: '{{ deployment_type }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+{% if signing_secret is defined %}
+      annotations:
+        kubectl.kubernetes.io/default-container: api
+{% endif %}
     spec:
 {% if _node_affinity is defined %}
       affinity:
@@ -88,6 +92,10 @@ spec:
           emptyDir: {}
         - name: assets-file-storage
           emptyDir: {}
+{% if signing_secret is defined %}
+        - name: gpg-file-storage
+          emptyDir: {}
+{% endif %}
 {% endif %}
 {% if signing_secret is defined %}
         - name: {{ ansible_operator_meta.name }}-signing-scripts
@@ -195,6 +203,10 @@ spec:
               mountPath: "/var/lib/pulp/tmp"
             - name: assets-file-storage
               mountPath: "/var/lib/pulp/assets"
+{% if signing_secret is defined %}
+            - name: gpg-file-storage
+              mountPath: "/var/lib/pulp/.gnupg"
+{% endif %}
 {% endif %}
 {% if signing_secret is defined %}
             - name: {{ ansible_operator_meta.name }}-signing-scripts
@@ -224,3 +236,41 @@ spec:
               subPath: container_auth_public_key.pem
               readOnly: true
 {% endif %}
+{% if signing_secret is defined %}
+      initContainers:
+        - name: gpg-importer
+          image: "{{ gpg_init_container_image }}"
+          imagePullPolicy: "{{ image_pull_policy }}"
+          command:
+            - /bin/sh
+            - -c
+            - |
+              gpg --batch --import /etc/pulp/keys/signing_service.gpg
+              echo "${PULP_SIGNING_KEY_FINGERPRINT}:6" | gpg --import-ownertrust
+          env:
+            - name: PULP_SIGNING_KEY_FINGERPRINT
+              value: "{{ signing_key_fingerprint }}"
+            - name: COLLECTION_SIGNING_SERVICE
+              value: "{{ pulp_combined_settings.galaxy_collection_signing_service }}"
+            - name: CONTAINER_SIGNING_SERVICE
+              value: "{{ pulp_combined_settings.galaxy_container_signing_service }}"
+            - name: HOME
+              value: "/var/lib/pulp"
+          volumeMounts:
+{% if is_file_storage %}
+            - name: file-storage
+              readOnly: false
+              mountPath: "/var/lib/pulp"
+{% else %}
+            - name: gpg-file-storage
+              mountPath: "/var/lib/pulp/.gnupg"
+{% endif %}
+            - name: {{ ansible_operator_meta.name }}-signing-galaxy
+              mountPath: "/etc/pulp/keys/signing_service.gpg"
+              subPath: signing_service.gpg
+              readOnly: true
+            - name: {{ ansible_operator_meta.name }}-signing-galaxy
+              mountPath: "/etc/pulp/keys/signing_service.asc"
+              subPath: signing_service.asc
+              readOnly: true
+{% endif %}
diff --git a/roles/pulp-worker/templates/pulp-worker.deployment.yaml.j2 b/roles/pulp-worker/templates/pulp-worker.deployment.yaml.j2
@@ -43,6 +43,10 @@ spec:
         app.kubernetes.io/component: worker
         app.kubernetes.io/part-of: '{{ deployment_type }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+{% if signing_secret is defined %}
+      annotations:
+        kubectl.kubernetes.io/default-container: worker
+{% endif %}
     spec:
 {% if _node_affinity is defined %}
       affinity:
@@ -75,6 +79,10 @@ spec:
               - path: database_fields.symmetric.key
                 key: database_fields.symmetric.key
 {% if signing_secret is defined %}
+{% if not is_file_storage %}
+        - name: gpg-file-storage
+          emptyDir: {}
+{% endif %}
         - name: {{ ansible_operator_meta.name }}-signing-scripts
           configMap:
             name: {{ signing_scripts_configmap }}
@@ -123,6 +131,8 @@ spec:
 {% if signing_secret is defined %}
             - name: PULP_SIGNING_KEY_FINGERPRINT
               value: "{{ signing_key_fingerprint }}"
+            - name: HOME
+              value: "/var/lib/pulp"
 {% endif %}
           readinessProbe:
             exec:
@@ -168,7 +178,49 @@ spec:
 {% else %}
             - name: tmp-file-storage
               mountPath: "/var/lib/pulp/tmp"
+{% if signing_secret is defined %}
+            - name: gpg-file-storage
+              mountPath: "/var/lib/pulp/.gnupg"
+{% endif %}
 {% endif %}
 {% if worker.resource_requirements is defined %}
           resources: {{ worker.resource_requirements }}
 {% endif %}
+{% if signing_secret is defined %}
+      initContainers:
+        - name: gpg-importer
+          image: "{{ gpg_init_container_image }}"
+          imagePullPolicy: "{{ image_pull_policy }}"
+          command:
+            - /bin/sh
+            - -c
+            - |
+              gpg --batch --import /etc/pulp/keys/signing_service.gpg
+              echo "${PULP_SIGNING_KEY_FINGERPRINT}:6" | gpg --import-ownertrust
+          env:
+            - name: PULP_SIGNING_KEY_FINGERPRINT
+              value: "{{ signing_key_fingerprint }}"
+            - name: COLLECTION_SIGNING_SERVICE
+              value: "{{ pulp_combined_settings.galaxy_collection_signing_service }}"
+            - name: CONTAINER_SIGNING_SERVICE
+              value: "{{ pulp_combined_settings.galaxy_container_signing_service }}"
+            - name: HOME
+              value: "/var/lib/pulp"
+          volumeMounts:
+{% if is_file_storage %}
+            - name: file-storage
+              readOnly: false
+              mountPath: "/var/lib/pulp"
+{% else %}
+            - name: gpg-file-storage
+              mountPath: "/var/lib/pulp/.gnupg"
+{% endif %}
+            - name: {{ ansible_operator_meta.name }}-signing-galaxy
+              mountPath: "/etc/pulp/keys/signing_service.gpg"
+              subPath: signing_service.gpg
+              readOnly: true
+            - name: {{ ansible_operator_meta.name }}-signing-galaxy
+              mountPath: "/etc/pulp/keys/signing_service.asc"
+              subPath: signing_service.asc
+              readOnly: true
+{% endif %}