Pulp Repository Metadata Signing Keys

Pulp supports two different types of GPG signatures: packages and repository metadata.

This document covers Pulp-specific implementation details for managing repository metadata signing keys. For the generic process, see manage repository metadata signing keys. For package signing, see manage package signing keys.

Pulp signs repository metadata using a private key that is generated externally and configured in the app. This is a security feature that lets our users verify that the repository metadata was generated by us.

We manage the key externally by providing the private key to Pulp using a Kubernetes secret. This secret is synced from Vault, which is ultimately where the key lives and where any changes need to take place.

The private key lives in Vault under the path k8s/<env>-gitlab-gke/pulp/gpg:

  • Production environment: k8s/ops-gitlab-gke/pulp/gpg
  • Test environment: k8s/pre-gitlab-gke/pulp/gpg

This process should be carried out by a member of the Distribution team.

See manage repository metadata signing keys for the generic process steps. The following are Pulp-specific implementation details:

  • System(s): Okta Group Membership
  • System Name: Okta Group: Team - Distribution - Pulp Repository Metadata Signing Key
  • Justification: Temporary group membership required to update the Pulp repository metadata signing key in Vault.

If extending an existing key, you can obtain the current private key from https://vault.gitlab.net by navigating to k8s/<env>-gitlab-gke/pulp/gpg. If you see an access denied message, reach out to #it_help to confirm you were added to the correct group.

After completing the generic steps 1-2, follow these Pulp-specific deployment steps:

  1. Open https://vault.gitlab.net and sign in using Okta.
  2. Navigate to the path: k8s/<env>-gitlab-gke/pulp/gpg.
  3. Click on Create new version.
  4. Update the value of private_key with the contents of your exported private key.
  5. Click Save.
  6. Take note of the version number (displayed next to Create new version). You’ll need this for the next step.

Update the gitlab-helmfiles repository with the new secret version:

  1. In releases/pulp/values-secrets/<env>.yaml.gotmpl, update the secret version number to the version noted in the previous step.
  2. In releases/pulp/<env>.yaml.gotmpl, update secretName to match.
  3. File an MR with the above changes and have someone in #infrastructure-lounge review/approve/merge it.

Publish the public key:

  1. Export the public key
  2. Upload the public key to the pulp-static-files repository:
    • Go to environments/<env>/gpg-keys (note that the ops environment is the production instance)
    • Upload the public key with the name gpgkey

Once the gitlab-helmfiles CI pipeline has finished, validate the deployment by accessing the Pulp instance and verifying the GPG key is correctly configured.
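A check for the validation step above, as an added example that is not part of the original runbook or of Pulp itself: it imports the published gpgkey into a throwaway keyring, verifies the detached signature on the metadata the instance is serving, and prints the primary-key fingerprint so it can be compared with the key stored under k8s/<env>-gitlab-gke/pulp/gpg in Vault. It assumes an RPM-style repository layout (repodata/repomd.xml with a detached repodata/repomd.xml.asc), placeholder URLs, and that gpg and curl are installed.

```shell
#!/usr/bin/env sh
# Added example, not part of the GitLab runbook or of Pulp itself.
# Assumes an RPM-style repository layout (repodata/repomd.xml plus a detached
# repodata/repomd.xml.asc) and that gpg and curl are installed. URLs are placeholders.
set -eu

# Import the published public key into a throwaway keyring, verify the detached
# signature over the metadata, and print the primary-key fingerprint on success.
# Parses gpg's machine-readable status lines (VALIDSIG) rather than its text output.
verify_metadata_signature() {
  pubkey="$1"; sig="$2"; data="$3"
  tmp=$(mktemp -d)   # mktemp -d creates the directory with mode 700, as gpg expects
  gpg --batch --quiet --homedir "$tmp" --import "$pubkey" 2>/dev/null || { rm -rf "$tmp"; return 1; }
  status=$(gpg --batch --homedir "$tmp" --status-fd 1 --verify "$sig" "$data" 2>/dev/null || true)
  rm -rf "$tmp"
  # The last field of the VALIDSIG line is the primary key fingerprint, even when
  # a signing subkey produced the signature.
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')
  [ -n "$fpr" ] || return 1
  printf '%s\n' "$fpr"
}

# Fetch the key published as "gpgkey" and the metadata a Pulp instance serves,
# then check that the metadata verifies against that key. Compare the printed
# fingerprint with the key stored at k8s/<env>-gitlab-gke/pulp/gpg in Vault.
check_pulp_repo() {
  key_url="$1"; repo_url="$2"
  work=$(mktemp -d)
  curl -fsSL "$key_url" -o "$work/gpgkey"
  curl -fsSL "$repo_url/repodata/repomd.xml" -o "$work/repomd.xml"
  curl -fsSL "$repo_url/repodata/repomd.xml.asc" -o "$work/repomd.xml.asc"
  if fpr=$(verify_metadata_signature "$work/gpgkey" "$work/repomd.xml.asc" "$work/repomd.xml"); then
    echo "OK: metadata at $repo_url is signed by $fpr"
  else
    echo "FAIL: metadata at $repo_url does not verify against $key_url" >&2
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
}

# Usage (placeholder URLs):
# check_pulp_repo https://pulp.example/gpg-keys/gpgkey https://pulp.example/content/myrepo
```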

After validation, continue with the remaining steps in the generic runbook: