Pulp Repository Metadata Signing Keys
Pulp supports two different types of GPG signatures: packages and repository metadata.
This document covers Pulp-specific implementation details for managing repository metadata signing keys. For the generic process, see manage repository metadata signing keys. For package signing, see manage package signing keys.
Overview
Pulp signs repository metadata using a private key that is generated externally and configured in the app. This is a security feature that gives our users certainty that the repository metadata was generated by us.
We manage the key externally by providing the private key to Pulp using a Kubernetes secret. This secret is synced from Vault, which is ultimately where the key lives and where any changes need to take place.
Key Location
The private key lives in Vault under the path k8s/<env>-gitlab-gke/pulp/gpg:
- Production environment: k8s/ops-gitlab-gke/pulp/gpg
- Test environment: k8s/pre-gitlab-gke/pulp/gpg
Pulp-Specific Process
This process should be carried out by a member of the Distribution team.
See manage repository metadata signing keys for the generic process steps. The following are Pulp-specific implementation details:
1. Request Access
- System(s): Okta Group Membership
- System Name: Okta Group: Team - Distribution - Pulp Repository Metadata Signing Key
- Justification: Temporary group membership required to update the Pulp repository metadata signing key in Vault.
2. Generate or Extend GPG Key
If extending an existing key, you can obtain the current private key from https://vault.gitlab.net by navigating to k8s/<env>-gitlab-gke/pulp/gpg. If you see an access denied message, reach out to #it_help to confirm you were added to the correct group.
Pulp Deployment Steps
After completing the generic steps 1-2, follow these Pulp-specific deployment steps:
3. Update Key in System
Update Vault Secret
- Open https://vault.gitlab.net and sign in using Okta.
- Navigate to the path k8s/<env>-gitlab-gke/pulp/gpg.
- Click on Create new version.
- Update the value of private_key with the contents of your exported private key.
- Click Save.
- Take note of the version number (displayed next to Create new version). You’ll need this for the next step.
Update gitlab-helmfiles
Update the gitlab-helmfiles repository with the new secret version:
- Update the version number in releases/pulp/values-secrets/<env>.yaml.gotmpl to the new version from the previous step.
- Update secretName to match in releases/pulp/<env>.yaml.gotmpl.
- File an MR with the above changes and have someone in #infrastructure-lounge review/approve/merge it.
Publish the public key:
- Export the public key.
- Upload the public key to the pulp-static-files repository:
  - Go to environments/<env>/gpg-keys (note that the ops environment is the production instance).
  - Upload the public key with the name gpgkey.
4. Validate Deployment
Once the gitlab-helmfiles CI pipeline has finished, validate the deployment by accessing the Pulp instance and verifying the GPG key is correctly configured.
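The check a consumer ends up performing after steps 3-4 (does the published gpgkey verify what the instance signs, does its fingerprint match the signing key, and how long before it expires) can be rehearsed end to end with gpg. This is an added example, not part of the runbook or of Pulp; it generates a throwaway key in place of the Vault-managed one, and the file names (repomd.xml, repomd.xml.asc, gpgkey) are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not part of the runbook. Replays the consumer-side check behind
# step 4: can a client holding only the published "gpgkey" verify Pulp repodata?
# A throwaway key stands in for the Vault-managed one; all paths are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Signer side: stands in for the Pulp instance that holds the private key.
SIGNER="$WORK/signer"; mkdir -m 700 "$SIGNER"
gpg_sign() { gpg --homedir "$SIGNER" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
gpg_sign --quick-generate-key 'Pulp Metadata (test) <pulp@example.invalid>' rsa2048 sign 1y 2>/dev/null
gpg_sign --armor --export > "$WORK/gpgkey"   # the file that would be uploaded as gpgkey
printf '<repomd>constructed sample metadata</repomd>\n' > "$WORK/repomd.xml"
gpg_sign --armor --detach-sign -o "$WORK/repomd.xml.asc" "$WORK/repomd.xml"

# Consumer side: a fresh keyring that trusts nothing but the published public key.
CONSUMER="$WORK/consumer"; mkdir -m 700 "$CONSUMER"
gpg --homedir "$CONSUMER" --batch --quiet --import "$WORK/gpgkey" 2>/dev/null

# Primary-key fingerprint of an armored public key file ("fpr" colon record, field 10).
key_fingerprint() {
  gpg --batch --with-colons --show-keys "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# Days until the primary key expires ("pub" record, field 7 = expiry epoch), or "never".
key_expiry_days() {
  exp=$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null | awk -F: '$1=="pub"{print $7; exit}')
  if [ -z "$exp" ]; then echo never; else echo $(( (exp - $(date +%s)) / 86400 )); fi
}

# Verify a detached signature against the consumer keyring only; prints ok or FAIL.
verify_metadata() {  # $1 = detached signature, $2 = signed file
  if gpg --homedir "$CONSUMER" --batch --verify "$1" "$2" 2>/dev/null; then echo ok; else echo FAIL; fi
}

# The published key must be the one that actually signs: compare fingerprints.
signer_fpr=$(gpg_sign --with-colons --list-secret-keys 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')
published_fpr=$(key_fingerprint "$WORK/gpgkey")
echo "published=$published_fpr signer=$signer_fpr expires_in_days=$(key_expiry_days "$WORK/gpgkey")"
echo "repomd.xml signature: $(verify_metadata "$WORK/repomd.xml.asc" "$WORK/repomd.xml")"
```

Against a live instance, point key_fingerprint at the downloaded gpgkey and verify_metadata at the repodata/repomd.xml.asc it serves; a fingerprint mismatch or a short expiry window is the signal to revisit steps 3 and 4.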
Complete the Generic Process
After validation, continue with the remaining steps in the generic runbook: