Merge ~cjwatson/launchpad-mojo-specs:lp-separate-signing-keys into launchpad-mojo-specs:master

Proposed by Colin Watson
Status: Merged
Merged at revision: 3c8894d58834cad321fee81aefd53e774d6e4624
Proposed branch: ~cjwatson/launchpad-mojo-specs:lp-separate-signing-keys
Merge into: launchpad-mojo-specs:master
Diff against target: 94 lines (+10/-5)
1 file modified
lp/bundle.yaml (+10/-5)
Reviewer Review Type Date Requested Status
Ines Almeida Approve
Review via email: mp+455427@code.launchpad.net

Commit message

lp: Use separate signing client public keys for each publisher

Description of the change

Using a single shared `signing_client_public_key` for every publisher was a mistake introduced when converting our legacy deployments to charms: each publisher has always had its own client public key authorizing it to use the signing service, which matters because the signing service grants each client access to a different set of the keys held there.

I added signing configuration for the copy archive publisher while I was here.

Deploying this also requires making sure that the corresponding private keys are correct in `deploy-secrets`.

Revision history for this message
Ines Almeida (ines-almeida) wrote :

Makes sense

review: Approve

Preview Diff

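diff --git a/lp/bundle.yaml b/lp/bundle.yaml
index abbd49d..14c41d7 100644
--- a/lp/bundle.yaml
+++ b/lp/bundle.yaml
@@ -66,11 +66,14 @@
 {%- set launchpad_codehosting_lb_constraints = "" %}
 {%- set launchpad_codehosting_workers = 1 %}
 {%- set launchpad_copy_archive_publisher_active = False %}
+{%- set launchpad_copy_archive_publisher_signing_client_public_key = "" %}
 {%- set launchpad_ftpmaster_publisher_active = False %}
+{%- set launchpad_ftpmaster_publisher_signing_client_public_key = "" %}
 {%- set launchpad_ftpmaster_uploader_active = False %}
 {%- set launchpad_loggerhead_nagios_check_branch = "" %}
 {%- set launchpad_loggerhead_num_units = 1 %}
 {%- set launchpad_ppa_publisher_active = False %}
+{%- set launchpad_ppa_publisher_signing_client_public_key = "" %}
 {%- set launchpad_ppa_publisher_storm_cache_size = 10000 %}
 {%- set launchpad_ppa_uploader_active = False %}
 {%- set launchpad_scripts_active = False %}
@@ -105,7 +108,6 @@
 {%- set process_inbound_email_host = "mail.canonical.com" %}
 {%- set require_signing_keys = False %}
 {%- set signing_endpoint = "" %}
-{%- set signing_client_public_key = "" %}
 {%- set snap_store_secrets_public_key = "" %}
 {%- set snap_store_url = "" %}
 {%- set swift_feed_workers = 1 %}
@@ -195,6 +197,7 @@
 {#- On PS5, the separate attached data volume needs to be on fast Ceph. #}
 {%- set launchpad_copy_archive_publisher_constraints = "cores=4 mem=8G root-disk-source=volume root-disk=50G" %}
 {%- set launchpad_copy_archive_publisher_database_name = "launchpad_prod_copy_archive_publisher" %}
+{%- set launchpad_copy_archive_publisher_signing_client_public_key = "iRHBwUIS6QB29fWtwNnNsPlA//o728mnyZqOqwjKWxc=" %}
 {%- set launchpad_buildd_manager_authentication_timeout = 180 %}
 {#- On PS5, this needs to be on fast Ceph. #}
 {%- set launchpad_buildd_manager_constraints = "cores=8 mem=16G root-disk-source=volume root-disk=300G" %}
@@ -204,6 +207,7 @@
 {#- On PS5, the separate attached data volume needs to be on fast Ceph. #}
 {%- set launchpad_ftpmaster_publisher_constraints = "cores=4 mem=16G root-disk-source=volume root-disk=50G" %}
 {%- set launchpad_ftpmaster_publisher_database_name = "launchpad_prod_ftpmaster_publisher" %}
+{%- set launchpad_ftpmaster_publisher_signing_client_public_key = "TZ02gE4a0065aTYj6nBNGLytRa5CLfyTjHy0dp1XlmQ=" %}
 {%- set launchpad_ftpmaster_uploader_constraints = "cores=4 mem=8G root-disk-source=volume root-disk=100G" %}
 {%- set launchpad_ftpmaster_uploader_database_name = "launchpad_prod_ftpmaster_uploader" %}
 {#- On PS5, the separate attached data volume needs to be on fast Ceph. #}
@@ -215,6 +219,7 @@
 {#- On PS5, the separate attached data volume needs to be on fast Ceph. #}
 {%- set launchpad_ppa_publisher_constraints = "cores=8 mem=64G root-disk-source=volume root-disk=50G" %}
 {%- set launchpad_ppa_publisher_database_name = "launchpad_prod_ppa_publisher" %}
+{%- set launchpad_ppa_publisher_signing_client_public_key = "qmOdkDIIcEV4fYcgBZWHnNJ64mm+83md1DYd6/AOiHs=" %}
 {%- set launchpad_ppa_publisher_storm_cache_size = 500000 %}
 {%- set launchpad_ppa_uploader_active = True %}
 {%- set launchpad_ppa_uploader_constraints = "cores=4 mem=8G root-disk-source=volume root-disk=100G" %}
@@ -261,7 +266,6 @@
 {%- set session_cookie_name = "lp" %}
 {%- set session_database_name = "session_prod" %}
 {%- set signing_endpoint = "http://signing.lp.internal:8000/" %}
-{%- set signing_client_public_key = "TZ02gE4a0065aTYj6nBNGLytRa5CLfyTjHy0dp1XlmQ=" %}
 {%- set snap_store_secrets_public_key = "BFsvdzROlS0oEEvXGMejlCospBdFSoVemKxUd+O8iyI=" %}
 {%- set snap_store_upload_url = "https://upload.apps.ubuntu.com/" %}
 {%- set snap_store_url = "https://myapps.developer.ubuntu.com/" %}
@@ -484,7 +488,6 @@
 {%- set session_cookie_name = "qastaging" %}
 {%- set session_database_name = "session_qastaging" %}
 {%- set signing_endpoint = "http://signing.staging.lp.internal:8000/" %}
-{%- set signing_client_public_key = "" %}
 {%- set statsd_environment = "qastaging" %}
 {%- set uploader_default_recipient = "Launchpad Archiver <lp_archive@drescher.canonical.com>" %}
 {%- set uploader_default_sender = "Ubuntu Installer <noreply@qastaging.launchpad.net>" %}
@@ -1050,7 +1053,7 @@ applications:
 publisher_parts_repository: "lp:ubuntu-archive-publishing"
 publisher_parts_revision: 125
 signing_endpoint: "{{ signing_endpoint }}"
- signing_client_public_key: "{{ signing_client_public_key }}"
+ signing_client_public_key: "{{ launchpad_ftpmaster_publisher_signing_client_public_key }}"
 ubuntu_dists_hosts_allow: "{{ ubuntu_dists_hosts_allow }}"
 ubuntu_germinate_hosts_allow: "{{ ubuntu_germinate_hosts_allow }}"
 webmaster_email: "webmaster@{{ domain }}"
@@ -1097,6 +1100,8 @@ applications:
 domain_test_rebuild_aliases: "{{ domain_test_rebuild_aliases }}"
 publisher_parts_repository: "lp:ubuntu-archive-publishing"
 publisher_parts_revision: 125
+ signing_endpoint: "{{ signing_endpoint }}"
+ signing_client_public_key: "{{ launchpad_copy_archive_publisher_signing_client_public_key }}"
 frontend-copy-archive-publisher:
 charm: ch:apache2
 channel: stable
@@ -1127,7 +1132,7 @@ applications:
 oval_data_rsync_endpoint: "{{ oval_data_rsync_endpoint }}"
 require_signing_keys: {{ require_signing_keys }}
 signing_endpoint: "{{ signing_endpoint }}"
- signing_client_public_key: "{{ signing_client_public_key }}"
+ signing_client_public_key: "{{ launchpad_ppa_publisher_signing_client_public_key }}"
 storm_cache_size: {{ launchpad_ppa_publisher_storm_cache_size }}
 launchpad-ppa-uploader:
 charm: ch:launchpad-ppa-uploader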
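Review bot: The reason the three `*_signing_client_public_key` values must stay distinct is recorded only in this merge proposal, not in the template, so the next person tidying the `{%- set ... %}` defaults block could re-collapse them into one shared variable exactly as happened during the charm conversion; a short comment above the first declaration would guard against that, e.g. `{#- Each publisher authenticates to the signing service with its own client key, because the service authorizes a different set of signing keys per client; never reuse one key across publishers. #}`. The ftpmaster value is the key that was previously shared by all publishers, so only the PPA and copy-archive publishers actually change identity towards the signing service with this deploy — worth confirming those two public keys are registered there with the intended key sets at the same time as the `deploy-secrets` private keys are rotated. The copy-archive publisher stanza gains `signing_endpoint` and `signing_client_public_key` but not `require_signing_keys`, which the PPA publisher stanza passes; if the launchpad-copy-archive-publisher charm exposes that option it should probably be set the same way, `require_signing_keys: {{ require_signing_keys }}`, rather than relying on the charm default silently. The enclosing `applications:` stanzas begin and end outside these hunks.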
