Add support to apt signing service

CHANGES/1346.feature

@@ -0,0 +1 @@
+Added support to APT signing service.

controllers/deployment.go

@@ -553,6 +553,10 @@ func signingMetadataVolumes(resources any, storageType []string, volumes []corev
 			item := corev1.KeyToPath{Key: settings.ContainerSigningScriptName, Path: settings.ContainerSigningScriptName}
 			secretItems = append(secretItems, item)
 		}
+		if DeployAptSign(*secret) {
+			item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
+			secretItems = append(secretItems, item)
+		}
 		volumePermissions := int32(0755)
 		signingSecretVolume := []corev1.Volume{
 			{
@@ -653,7 +657,7 @@ func (d *CommonDeployment) setVolumeMounts(pulp repomanagerpulpprojectorgv1beta2
 				for _, script := range volume.VolumeSource.Secret.Items {
 					signingSecretMount := corev1.VolumeMount{
 						Name:      pulp.Name + "-signing-scripts",
-						MountPath: "/var/lib/pulp/scripts/" + script.Key,
+						MountPath: settings.SigningScriptPath + script.Key,
 						SubPath:   script.Key,
 						ReadOnly:  true,
 					}

controllers/repo_manager/job.go

@@ -350,18 +350,6 @@ func signingScriptContainer(pulp *repomanagerpulpprojectorgv1beta2.Pulp, scripts
 	// volume mounts
 	volumeMounts := pulpcoreVolumeMounts(pulp)
 	signingSecretMount := []corev1.VolumeMount{
-		{
-			Name:      pulp.Name + "-signing-scripts",
-			MountPath: "/var/lib/pulp/scripts/" + settings.CollectionSigningScriptName,
-			SubPath:   settings.CollectionSigningScriptName,
-			ReadOnly:  true,
-		},
-		{
-			Name:      pulp.Name + "-signing-scripts",
-			MountPath: "/var/lib/pulp/scripts/" + settings.ContainerSigningScriptName,
-			SubPath:   settings.ContainerSigningScriptName,
-			ReadOnly:  true,
-		},
 		{
 			Name:      "gpg-keys",
 			MountPath: "/etc/pulp/keys/signing_service.gpg",
@@ -373,6 +361,30 @@ func signingScriptContainer(pulp *repomanagerpulpprojectorgv1beta2.Pulp, scripts
 			MountPath: "/var/lib/pulp/.gnupg",
 		},
 	}
+	if controllers.DeployCollectionSign(scriptsSecret) {
+		signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
+			Name:      pulp.Name + "-signing-scripts",
+			MountPath: settings.SigningScriptPath + settings.CollectionSigningScriptName,
+			SubPath:   settings.CollectionSigningScriptName,
+			ReadOnly:  true,
+		})
+	}
+	if controllers.DeployContainerSign(scriptsSecret) {
+		signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
+			Name:      pulp.Name + "-signing-scripts",
+			MountPath: settings.SigningScriptPath + settings.ContainerSigningScriptName,
+			SubPath:   settings.ContainerSigningScriptName,
+			ReadOnly:  true,
+		})
+	}
+	if controllers.DeployAptSign(scriptsSecret) {
+		signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
+			Name:      pulp.Name + "-signing-scripts",
+			MountPath: settings.SigningScriptPath + settings.AptSigningScriptName,
+			SubPath:   settings.AptSigningScriptName,
+			ReadOnly:  true,
+		})
+	}
 	volumeMounts = append(volumeMounts, signingSecretMount...)
 
 	// resource requirements
@@ -393,14 +405,19 @@ echo "${PULP_SIGNING_KEY_FINGERPRINT}:6" | gpg --import-ownertrust
 	}
 	if controllers.DeployCollectionSign(scriptsSecret) {
 		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service collection-signing-service\n"
-		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service collection-signing-service /var/lib/pulp/scripts/" + settings.CollectionSigningScriptName + " " + fingerprint + "\n"
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service collection-signing-service " + settings.SigningScriptPath + settings.CollectionSigningScriptName + " " + fingerprint + "\n"
 		envVars = append(envVars, corev1.EnvVar{Name: "COLLECTION_SIGNING_SERVICE", Value: "collection-signing-service"})
 	}
 	if controllers.DeployContainerSign(scriptsSecret) {
 		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service container-signing-service --class container:ManifestSigningService\n"
-		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service container-signing-service /var/lib/pulp/scripts/" + settings.ContainerSigningScriptName + " " + fingerprint + " --class container:ManifestSigningService"
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service container-signing-service " + settings.SigningScriptPath + settings.ContainerSigningScriptName + " " + fingerprint + " --class container:ManifestSigningService \n"
 		envVars = append(envVars, corev1.EnvVar{Name: "CONTAINER_SIGNING_SERVICE", Value: "container-signing-service"})
 	}
+	if controllers.DeployAptSign(scriptsSecret) {
+		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service apt-signing-service --class deb:AptReleaseSigningService\n"
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service --class deb:AptReleaseSigningService apt-signing-service " + settings.SigningScriptPath + settings.AptSigningScriptName + " " + fingerprint
+		envVars = append(envVars, corev1.EnvVar{Name: "APT_SIGNING_SERVICE", Value: "apt-signing-service"})
+	}
 
 	return corev1.Container{
 		Name:            "signing-metadata",
@@ -426,6 +443,10 @@ func signingScriptJobVolumes(pulp *repomanagerpulpprojectorgv1beta2.Pulp, secret
 		item := corev1.KeyToPath{Key: settings.ContainerSigningScriptName, Path: settings.ContainerSigningScriptName}
 		secretItems = append(secretItems, item)
 	}
+	if controllers.DeployAptSign(secret) {
+		item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
+		secretItems = append(secretItems, item)
+	}
 
 	volumes := pulpcoreVolumes(pulp, "")
 	volumePermissions := int32(0755)

controllers/settings/jobs.go

@@ -13,8 +13,10 @@ const (
 	resetAdminPwdJob            = "reset-admin-password-"
 	updateChecksumsJob          = "update-content-checksums-"
 	signingScriptJob            = "signing-metadata-"
+	SigningScriptPath           = "/var/lib/pulp/scripts/"
 	ContainerSigningScriptName  = "container_script.sh"
 	CollectionSigningScriptName = "collection_script.sh"
+	AptSigningScriptName        = "apt_script.sh"
 )
 
 func MigrationJob(pulpName string) string {

controllers/utils.go

@@ -903,6 +903,12 @@ func DeployContainerSign(secret corev1.Secret) bool {
 	return contains
 }
 
+// DeployAptSign returns true if signingScript secret is defined with an apt script
+func DeployAptSign(secret corev1.Secret) bool {
+	_, contains := secret.Data[settings.AptSigningScriptName]
+	return contains
+}
+
 // SetDefaultSecurityContext defines the container security configuration to be in compliance with PodSecurity "restricted:v1.24"
 func SetDefaultSecurityContext() *corev1.SecurityContext {
 	allowPrivilegeEscalation, runAsNonRoot := false, true

docs/configuring/metadata_signing.md

@@ -52,6 +52,9 @@ See the GnuPG official documentation for more information on how to generate a n
 
 ## Creating a Secret with the gpg key
 
+!!! WARNING
+    Make sure to set `signing_service.gpg` as the key name for the `Secret` (using a different name will fail operator's execution)
+
 ```bash
 $ gpg --export-secret-keys -a pulp@example.com  > /tmp/gpg_private_key.gpg
 $ kubectl create secret generic signing-secret --from-file=signing_service.gpg=/tmp/gpg_private_key.gpg
@@ -115,11 +118,48 @@ fi
 EOF
 ```
 
+* example of an APT signing script
+```bash
+$ SIGNING_SCRIPT_PATH=/tmp
+$ APT_SIGNING_SCRIPT=apt_script.sh
+$ cat<<EOF> "$SIGNING_SCRIPT_PATH/$APT_SIGNING_SCRIPT"
+#!/bin/bash
+
+set -e
+
+RELEASE_FILE="\$(/usr/bin/readlink -f \$1)"
+OUTPUT_DIR="\$(/usr/bin/mktemp -d)"
+DETACHED_SIGNATURE_PATH="\${OUTPUT_DIR}/Release.gpg"
+INLINE_SIGNATURE_PATH="\${OUTPUT_DIR}/InRelease"
+COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256 --default-key \$PULP_SIGNING_KEY_FINGERPRINT"
+
+# Create a detached signature
+/usr/bin/gpg \${COMMON_GPG_OPTS} \
+  --detach-sign \
+  --output "\${DETACHED_SIGNATURE_PATH}" \
+  "\${RELEASE_FILE}"
+
+# Create an inline signature
+/usr/bin/gpg \${COMMON_GPG_OPTS} \
+  --clearsign \
+  --output "\${INLINE_SIGNATURE_PATH}" \
+  "\${RELEASE_FILE}"
+
+echo { \
+       \"signatures\": { \
+         \"inline\": \"\${INLINE_SIGNATURE_PATH}\", \
+         \"detached\": \"\${DETACHED_SIGNATURE_PATH}\" \
+       } \
+     }
+
+EOF
+```
+
 !!! WARNING
-    Make sure to set `collection_script.sh` and/or `container_script.sh` as key names (using different names would fail operator's execution)
+    Make sure to set `collection_script.sh`, `container_script.sh`, and/or `apt_script.sh` as key names (using different names would fail operator's execution)
 
 ```bash
-$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh
+$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh --from-file=apt_script.sh=/tmp/apt_script.sh
 ```
 
 ## Configuring Pulp CR
@@ -147,6 +187,8 @@ Signing service 'collection-signing-service' has been successfully removed.
 Successfully added signing service collection-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
 Signing service 'container-signing-service' has been successfully removed.
 Successfully added signing service container-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
+Signing service 'apt-signing-service' has been successfully removed.
+Successfully added signing service apt-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
 ```
 
 double-checking if the signing services are stored in the database:
@@ -158,6 +200,15 @@ $ kubectl exec deployment/pulp-api -- curl -suadmin:$PULP_PWD localhost:24817/pu
   "next": null,
   "previous": null,
   "results": [
+    {
+      "pulp_href": "/pulp/api/v3/signing-services/0191e929-31f4-77d1-841e-2b545cf45da3/",
+      "pulp_created": "2024-09-13T02:14:36.846612Z",
+      "pulp_last_updated": "2024-09-13T02:14:36.846627Z",
+      "name": "apt-signing-service",
+      "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGiBGbjgnIRBACc7VbJTNbDRja...",
+      "pubkey_fingerprint": "66BBFE010CF70CC92826D9AB71684D7912B09BC1",
+      "script": "/var/lib/pulp/scripts/apt_script.sh"
+    },
     {
       "pulp_href": "/pulp/api/v3/signing-services/018c0126-1f0c-7803-868d-1a1ee7210db1/",
       "pulp_created": "2023-11-22T11:45:25.042451Z",

main.go

@@ -177,7 +177,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	setupLog.Info("pulp-operator version: 1.0.3-beta.5")
+	setupLog.Info("pulp-operator version: 1.0.4-beta.5")
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")