Have boot.py verify that the existing instance's service key is valid and regenerate if it is not
This prevents the scenario where a container is restarted after an outage and therefore runs with a bad key
This commit is contained in:
parent
c1cc52f58b
commit
a927ce3e0f
1 changed files with 17 additions and 2 deletions
19
boot.py
19
boot.py
|
@ -10,7 +10,9 @@ import release
|
|||
import os.path
|
||||
|
||||
from app import app
|
||||
from data.model import ServiceKeyDoesNotExist
|
||||
from data.model.release import set_region_release
|
||||
from data.model.service_keys import get_service_key
|
||||
from util.config.database import sync_database_with_config
|
||||
from util.generatepresharedkey import generate_key
|
||||
from _init import CONF_DIR
|
||||
|
@ -44,8 +46,21 @@ def setup_jwt_proxy():
|
|||
Creates a service key for quay to use in the jwtproxy and generates the JWT proxy configuration.
|
||||
"""
|
||||
if os.path.exists(os.path.join(CONF_DIR, 'jwtproxy_conf.yaml')):
|
||||
# Proxy is already setup.
|
||||
return
|
||||
# Proxy is already setup. Make sure the service key is still valid.
|
||||
try:
|
||||
with open(app.config['INSTANCE_SERVICE_KEY_KID_LOCATION']) as f:
|
||||
quay_key_id = f.read()
|
||||
|
||||
try:
|
||||
get_service_key(quay_key_id, approved_only=False)
|
||||
except ServiceKeyDoesNotExist:
|
||||
logger.exception('Could not find non-expired existing service key %s; creating a new one',
|
||||
quay_key_id)
|
||||
|
||||
# Found a valid service key, so exiting.
|
||||
return
|
||||
except IOError:
|
||||
logger.exception('Could not load existing service key; creating a new one')
|
||||
|
||||
# Generate the key for this Quay instance to use.
|
||||
minutes_until_expiration = app.config.get('INSTANCE_SERVICE_KEY_EXPIRATION', 120)
|
||||
|
|
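Review bot: The inner `except ServiceKeyDoesNotExist:` branch logs "creating a new one" but does not re-raise or skip ahead, so control falls through to the unconditional `return` under the "Found a valid service key" comment and the key is never regenerated — the exact outage-restart case the commit sets out to fix only works for the `IOError` path. Put the return on the success path instead, e.g. `get_service_key(quay_key_id, approved_only=False)` followed by `return` inside the inner `try` (or in an `else:` clause), so that only the except branch reaches the key-generation code below. Two smaller points: `quay_key_id = f.read()` is passed straight through as the key id, so a trailing newline in the kid file (if it is ever written with one) would make the lookup fail and trigger a needless regeneration on every boot, which `f.read().strip()` avoids; and `logger.exception` prints a full traceback for what is now an expected, handled condition, where `logger.warning` would do. `approved_only=False` also means an instance keeps running on a key that is not (or no longer) approved, which is not visible here as intended or not, so confirm that is the desired behaviour. setup_jwt_proxy begins before this hunk and continues after it.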