Generate private key on startup

boot.py

@@ -1,15 +1,46 @@
 #!/usr/bin/env python
 
+from datetime import datetime, timedelta
 from urlparse import urlunparse
+import json
 
-import release
+from jwkest.jwk import RSAKey
 from jinja2 import Template
+import release
 
 from app import app
+from data.database import ServiceKeyApprovalType
 from data.model.release import set_region_release
+from data.model.service_keys import generate_service_key, approve_service_key
 from util.config.database import sync_database_with_config
 
 
+def create_quay_service_key(seconds_until_expiration):
+  expiration = timedelta(seconds=seconds_until_expiration)
+  private_key, service_key = generate_service_key('quay', datetime.now()+expiration)
+  approve_service_key(service_key.kid, None, ServiceKeyApprovalType.SUPERUSER)
+
+  private_key_file = {
+    'KeyID': service_key.kid,
+    'PrivateKey': {
+      'N': int(private_key._n),
+      'E': int(private_key._e),
+      'D': int(private_key._d),
+      'Primes': [int(private_key._p), int(private_key._q)],
+      'Precomputed': {
+        'Dp': None,
+        'Dq': None,
+        'Quinv': None,
+        'CRTValues': []
+      }
+    }
+  }
+
+  with open('/conf/quay.jwk', mode='w') as f:
+    f.truncate(0)
+    f.write(json.dumps(private_key_file))
+
+
 def create_jwtproxy_conf():
   audience = urlunparse((
     app.config.get('PREFERRED_URL_SCHEME'),
@@ -33,6 +64,7 @@ def main():
 
   if app.config.get('SETUP_COMPLETE', False):
     sync_database_with_config(app.config)
+    create_quay_service_key(app.config.get('QUAY_SERVICE_KEY_EXPIRATION', 500))
 
   # Record deploy
   if release.REGION and release.GIT_HEAD:

conf/jwtproxy_conf.yaml.jnj

@@ -2,8 +2,8 @@ jwtproxy:
   signer_proxy:
     enabled: true
     listen_addr: :8080
-    ca_key_file: /conf/stack/mitm.key
-    ca_crt_file: /conf/stack/mitm.cert
+    ca_key_file: /conf/mitm.key
+    ca_crt_file: /conf/mitm.cert
 
     signer:
       issuer: quay
@@ -12,6 +12,7 @@ jwtproxy:
       private_key:
         type: autogenerated
         options:
+          key_folder: /conf
           key_server:
             type: keyregistry
             options:

config.py

@@ -312,3 +312,6 @@ class DefaultConfig(object):
   # The ID of the user account in the database to be used for service audit logs. If none, the
   # lowest user in the database will be used.
   SERVICE_LOG_ACCOUNT_ID = None
+
+  # Quay's service key expiration in seconds
+  QUAY_SERVICE_KEY_EXPIRATION = 500

endpoints/api/superuser.py

@@ -142,6 +142,8 @@ def org_view(org):
   }
 
 def user_view(user, password=None):
+  if user is None:
+    return None
   user_data = {
     'kind': 'user',
     'name': user.username,