Fix signing services

fixes: #939

.ci/assets/kubernetes/signing_scripts.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: signing-scripts
+stringData:
+  collection_script.sh: |-
+      #!/usr/bin/env bash
+      set -u
+      FILE_PATH=$1
+      SIGNATURE_PATH="$1.asc"
+
+      ADMIN_ID="$PULP_SIGNING_KEY_FINGERPRINT"
+      PASSWORD="password"
+
+      # Create a detached signature
+      gpg --quiet --batch --yes --passphrase \
+          $PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key $ADMIN_ID \
+          --armor --output $SIGNATURE_PATH $FILE_PATH
+
+      # Check the exit status
+      STATUS=$?
+      if [ $STATUS -eq 0 ]; then
+          echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}
+      else
+          exit $STATUS
+      fi
+  container_script.sh: |-
+    #!/usr/bin/env bash
+    set -u
+    # This GPG_TTY variable might be needed on a container image that is not running as root.
+    #export GPG_TTY=$(tty)
+    # Create a file with passphrase only if the key is password protected.
+    # echo "Galaxy2022" > /tmp/key_password.txt
+    # pulp_container SigningService will pass the next 3 variables to the script.
+    MANIFEST_PATH=$1
+    IMAGE_REFERENCE="$REFERENCE"
+    SIGNATURE_PATH="$SIG_PATH"
+    # Create container signature using skopeo
+    # Include --passphrase-file option if the key is password protected.
+    skopeo standalone-sign \
+    $MANIFEST_PATH \
+    $IMAGE_REFERENCE \
+    $PULP_SIGNING_KEY_FINGERPRINT \
+    --output $SIGNATURE_PATH
+    # Check the exit status
+    STATUS=$?
+    if [ $STATUS -eq 0 ]; then
+    echo {\"signature_path\": \"$SIGNATURE_PATH\"}
+    else
+    exit $STATUS
+    fi

.github/workflows/ci.yml

@@ -546,7 +546,7 @@ jobs:
           kubectl config set-context --current --namespace=pulp-operator-system
           kubectl apply -f .ci/assets/kubernetes/pulp-admin-password.secret.yaml
           kubectl apply -f .ci/assets/kubernetes/galaxy_sign.secret.yaml
-          kubectl apply -f .ci/assets/kubernetes/signing_scripts.configmap.yaml
+          kubectl apply -f .ci/assets/kubernetes/signing_scripts.yaml
           if [[ "$CI_TEST_STORAGE" == "azure" ]]; then
             kubectl apply -f .ci/assets/kubernetes/pulp-object-storage.azure.secret.yaml
             kubectl apply -f config/samples/galaxy.azure.ci.yaml

CHANGES/939.bugfix

@@ -0,0 +1 @@
+Fixed the signing services issues.

apis/repo-manager.pulpproject.org/v1beta2/pulp_types.go

@@ -82,18 +82,23 @@ type PulpSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret","urn:alm:descriptor:com.tectonic.ui:advanced"}
 	DBFieldsEncryptionSecret string `json:"db_fields_encryption_secret,omitempty"`
 
-	// Secret where the signing certificates are stored.
-	// Default: <operators's name>-"-signing-scripts"
+	// Name of the Secret where the gpg key is stored.
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret","urn:alm:descriptor:com.tectonic.ui:advanced"}
 	SigningSecret string `json:"signing_secret,omitempty"`
 
-	// ConfigMap where the signing scripts are stored.
-	// Default: <operators's name>-"-signing-scripts"
+	// [DEPRECATED] ConfigMap where the signing scripts are stored.
+	// This field is deprecated and will be removed in the future, use the
+	// signing_scripts field instead.
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:ConfigMap","urn:alm:descriptor:com.tectonic.ui:advanced"}
 	SigningScriptsConfigmap string `json:"signing_scripts_configmap,omitempty"`
 
+	// Name of the Secret where the signing scripts are stored.
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret","urn:alm:descriptor:com.tectonic.ui:advanced"}
+	SigningScripts string `json:"signing_scripts,omitempty"`
+
 	// The ingress type to use to reach the deployed instance.
 	// Default: none (will not expose the service)
 	// +kubebuilder:validation:Optional
@@ -342,6 +347,9 @@ type PulpSpec struct {
 	// Job to run django migrations
 	MigrationJob PulpJob `json:"migration_job,omitempty"`
 
+	// Job to store signing metadata scripts
+	SigningJob PulpJob `json:"signing_job,omitempty"`
+
 	// Disable database migrations. Useful for situations in which we don't want
 	// to automatically run the database migrations, for example, during restore.
 	// +kubebuilder:validation:Optional

bundle/manifests/pulp-operator.clusterserviceversion.yaml

@@ -109,7 +109,7 @@ metadata:
               },
               "token_server": "http://nodeport.local:30000/token/"
             },
-            "signing_scripts_configmap": "signing-scripts",
+            "signing_scripts": "signing-scripts",
             "signing_secret": "signing-galaxy",
             "web": {
               "replicas": 1,
@@ -168,7 +168,7 @@ metadata:
     capabilities: Full Lifecycle
     categories: Integration & Delivery
     containerImage: quay.io/pulp/pulp-operator:devel
-    createdAt: "2023-11-03T14:34:39Z"
+    createdAt: "2023-11-22T17:16:19Z"
     description: Pulp is a platform for managing repositories of software packages
       and making them available to a large number of consumers.
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
@@ -965,15 +965,34 @@ spec:
         path: sa_labels
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - description: 'ConfigMap where the signing scripts are stored. Default: <operators''s
-          name>-"-signing-scripts"'
+      - description: 'The image name for the container. By default, if not provided,
+          it will use the same image from .Spec.Image. WARN: defining a different
+          image than the one used by API pods can cause unexpected behaviors!'
+        displayName: Image
+        path: signing_job.container.image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Resource requirements for pulpcore aux container.
+        displayName: Resource Requirements
+        path: signing_job.container.resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Name of the Secret where the signing scripts are stored.
+        displayName: Signing Scripts
+        path: signing_scripts
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: '[DEPRECATED] ConfigMap where the signing scripts are stored.
+          This field is deprecated and will be removed in the future, use the signing_scripts
+          field instead.'
         displayName: Signing Scripts Configmap
         path: signing_scripts_configmap
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:ConfigMap
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - description: 'Secret where the signing certificates are stored. Default: <operators''s
-          name>-"-signing-scripts"'
+      - description: Name of the Secret where the gpg key is stored.
         displayName: Signing Secret
         path: signing_secret
         x-descriptors:

bundle/manifests/repo-manager.pulpproject.org_pulps.yaml

@@ -6385,13 +6385,80 @@ spec:
                 description: ServiceAccount.metadata.labels that will be used in Pulp
                   pods.
                 type: object
+              signing_job:
+                description: Job to store signing metadata scripts
+                properties:
+                  container:
+                    description: PulpContainer defines configuration of the "auxiliary"
+                      containers that run in pulpcore pods
+                    properties:
+                      image:
+                        description: 'The image name for the container. By default,
+                          if not provided, it will use the same image from .Spec.Image.
+                          WARN: defining a different image than the one used by API
+                          pods can cause unexpected behaviors!'
+                        type: string
+                      resource_requirements:
+                        description: Resource requirements for pulpcore aux container.
+                        properties:
+                          claims:
+                            description: "Claims lists the names of resources, defined
+                              in spec.resourceClaims, that are used by this container.
+                              \n This is an alpha field and requires enabling the
+                              DynamicResourceAllocation feature gate. \n This field
+                              is immutable. It can only be set for containers."
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: Name must match the name of one entry
+                                    in pod.spec.resourceClaims of the Pod where this
+                                    field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: 'Limits describes the maximum amount of compute
+                              resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: 'Requests describes the minimum amount of
+                              compute resources required. If Requests is omitted for
+                              a container, it defaults to Limits if that is explicitly
+                              specified, otherwise to an implementation-defined value.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                            type: object
+                        type: object
+                    type: object
+                type: object
+              signing_scripts:
+                description: Name of the Secret where the signing scripts are stored.
+                type: string
               signing_scripts_configmap:
-                description: 'ConfigMap where the signing scripts are stored. Default:
-                  <operators''s name>-"-signing-scripts"'
+                description: '[DEPRECATED] ConfigMap where the signing scripts are
+                  stored. This field is deprecated and will be removed in the future,
+                  use the signing_scripts field instead.'
                 type: string
               signing_secret:
-                description: 'Secret where the signing certificates are stored. Default:
-                  <operators''s name>-"-signing-scripts"'
+                description: Name of the Secret where the gpg key is stored.
                 type: string
               sso_secret:
                 description: Secret where Single Sign-on configuration can be found

config/crd/bases/repo-manager.pulpproject.org_pulps.yaml

@@ -6386,13 +6386,80 @@ spec:
                 description: ServiceAccount.metadata.labels that will be used in Pulp
                   pods.
                 type: object
+              signing_job:
+                description: Job to store signing metadata scripts
+                properties:
+                  container:
+                    description: PulpContainer defines configuration of the "auxiliary"
+                      containers that run in pulpcore pods
+                    properties:
+                      image:
+                        description: 'The image name for the container. By default,
+                          if not provided, it will use the same image from .Spec.Image.
+                          WARN: defining a different image than the one used by API
+                          pods can cause unexpected behaviors!'
+                        type: string
+                      resource_requirements:
+                        description: Resource requirements for pulpcore aux container.
+                        properties:
+                          claims:
+                            description: "Claims lists the names of resources, defined
+                              in spec.resourceClaims, that are used by this container.
+                              \n This is an alpha field and requires enabling the
+                              DynamicResourceAllocation feature gate. \n This field
+                              is immutable. It can only be set for containers."
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: Name must match the name of one entry
+                                    in pod.spec.resourceClaims of the Pod where this
+                                    field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: 'Limits describes the maximum amount of compute
+                              resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: 'Requests describes the minimum amount of
+                              compute resources required. If Requests is omitted for
+                              a container, it defaults to Limits if that is explicitly
+                              specified, otherwise to an implementation-defined value.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                            type: object
+                        type: object
+                    type: object
+                type: object
+              signing_scripts:
+                description: Name of the Secret where the signing scripts are stored.
+                type: string
               signing_scripts_configmap:
-                description: 'ConfigMap where the signing scripts are stored. Default:
-                  <operators''s name>-"-signing-scripts"'
+                description: '[DEPRECATED] ConfigMap where the signing scripts are
+                  stored. This field is deprecated and will be removed in the future,
+                  use the signing_scripts field instead.'
                 type: string
               signing_secret:
-                description: 'Secret where the signing certificates are stored. Default:
-                  <operators''s name>-"-signing-scripts"'
+                description: Name of the Secret where the gpg key is stored.
                 type: string
               sso_secret:
                 description: Secret where Single Sign-on configuration can be found

config/manifests/bases/pulp-operator.clusterserviceversion.yaml

@@ -961,15 +961,34 @@ spec:
         path: sa_labels
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - description: 'ConfigMap where the signing scripts are stored. Default: <operators''s
-          name>-"-signing-scripts"'
+      - description: 'The image name for the container. By default, if not provided,
+          it will use the same image from .Spec.Image. WARN: defining a different
+          image than the one used by API pods can cause unexpected behaviors!'
+        displayName: Image
+        path: signing_job.container.image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Resource requirements for pulpcore aux container.
+        displayName: Resource Requirements
+        path: signing_job.container.resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Name of the Secret where the signing scripts are stored.
+        displayName: Signing Scripts
+        path: signing_scripts
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: '[DEPRECATED] ConfigMap where the signing scripts are stored.
+          This field is deprecated and will be removed in the future, use the signing_scripts
+          field instead.'
         displayName: Signing Scripts Configmap
         path: signing_scripts_configmap
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:ConfigMap
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - description: 'Secret where the signing certificates are stored. Default: <operators''s
-          name>-"-signing-scripts"'
+      - description: Name of the Secret where the gpg key is stored.
         displayName: Signing Secret
         path: signing_secret
         x-descriptors:

config/samples/galaxy.azure.ci.yaml

@@ -10,7 +10,7 @@ spec:
   image_web_version: 4.6.3
   admin_password_secret: "example-pulp-admin-password"
   signing_secret: "signing-galaxy"
-  signing_scripts_configmap: "signing-scripts"
+  signing_scripts: "signing-scripts"
   ingress_type: nodeport
   nodeport_port: 30000
   object_storage_azure_secret: example-pulp-object-storage