Generate preshared key on boot

boot.py

@@ -13,20 +13,20 @@ from data.database import ServiceKeyApprovalType
 from data.model.release import set_region_release
 from data.model.service_keys import generate_service_key, approve_service_key
 from util.config.database import sync_database_with_config
+from util.generatepresharedkey import generate_key
 
 
 def create_quay_service_key(seconds_until_expiration):
-  expiration = timedelta(seconds=seconds_until_expiration)
-  private_key, service_key = generate_service_key('quay', datetime.now()+expiration)
-  approve_service_key(service_key.kid, None, ServiceKeyApprovalType.SUPERUSER)
-  jwk = RSAKey(key=private_key).serialize(private=True)
+  quay_key, key_id = generate_key(None, 'quay', 'quay')
 
-  with open('/conf/quay.jwk', mode='w') as f:
+  with open('/conf/quay.pem', mode='w') as f:
     f.truncate(0)
-    f.write(json.dumps(jwk))
+    f.write(quay_key.exportKey())
+
+  return key_id
 
 
-def create_jwtproxy_conf():
+def create_jwtproxy_conf(quay_key_id):
   audience = urlunparse((
     app.config.get('PREFERRED_URL_SCHEME'),
     app.config.get('SERVER_HOSTNAME'), '', '', '', ''))
@@ -37,7 +37,8 @@ def create_jwtproxy_conf():
     template = Template(f.read())
     rendered = template.render(
       audience=audience,
-      registry=registry
+      registry=registry,
+      key_id=quay_key_id
     )
 
   with open('/conf/jwtproxy_conf.yaml', 'w') as f:
@@ -45,11 +46,10 @@ def create_jwtproxy_conf():
 
 
 def main():
-  create_jwtproxy_conf()
-
   if app.config.get('SETUP_COMPLETE', False):
     sync_database_with_config(app.config)
-    create_quay_service_key(app.config.get('QUAY_SERVICE_KEY_EXPIRATION', 500))
+    quay_key_id = create_quay_service_key(app.config.get('QUAY_SERVICE_KEY_EXPIRATION', 500))
+    create_jwtproxy_conf(quay_key_id)
 
   # Record deploy
   if release.REGION and release.GIT_HEAD:

conf/jwtproxy_conf.yaml.jnj

@@ -10,13 +10,10 @@ jwtproxy:
       expiration_time: 5m
       max_skew: 1m
       private_key:
-        type: autogenerated
+        type: preshared
         options:
-          key_folder: /conf
-          key_server:
-            type: keyregistry
-            options:
-              registry: {{ registry }}
+          key_id: {{ key_id }}
+          private_key_path: /conf/quay.pem 
   verifier_proxy:
     enabled: true
     listen_addr: unix:/tmp/jwtproxy_secscan.sock

util/generatepresharedkey.py

@@ -31,7 +31,7 @@ def generate_key(approver, service, name, expiration_date=None, notes=None):
 
   log_action('service_key_create', None, metadata=key_log_metadata)
   log_action('service_key_approve', None, metadata=key_log_metadata)
-  return private_key
+  return private_key, key.kid
 
 
 if __name__ == '__main__':
@@ -45,5 +45,5 @@ if __name__ == '__main__':
 
   args = parser.parse_args()
   approver_user = model.user.get_user(args.approver)
-  generated = generate_key(approver_user, args.service, args.name, args.expiration, args.notes)
+  generated, _ = generate_key(approver_user, args.service, args.name, args.expiration, args.notes)
   print generated.exportKey('PEM')