From a927ce3e0f4640dd1bf8c9c767b678f0c8ec6aee Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Fri, 10 Nov 2017 14:56:12 -0500
Subject: [PATCH] Have boot.py verify that the existing instance's service key is valid and regenerate if it is not

This prevents the scenario where a container is restarted after an outage and therefore runs with a bad key
---
 boot.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/boot.py b/boot.py
index 545db0ed4..f494b7a88 100755
--- a/boot.py
+++ b/boot.py
@@ -10,7 +10,9 @@ import release
 import os.path
 from app import app
+from data.model import ServiceKeyDoesNotExist
 from data.model.release import set_region_release
+from data.model.service_keys import get_service_key
 from util.config.database import sync_database_with_config
 from util.generatepresharedkey import generate_key
 from _init import CONF_DIR
@@ -44,8 +46,21 @@ def setup_jwt_proxy():
 Creates a service key for quay to use in the jwtproxy and generates the JWT proxy configuration.
 """
 if os.path.exists(os.path.join(CONF_DIR, 'jwtproxy_conf.yaml')):
- # Proxy is already setup.
- return
+ # Proxy is already setup. Make sure the service key is still valid.
+ try:
+ with open(app.config['INSTANCE_SERVICE_KEY_KID_LOCATION']) as f:
+ quay_key_id = f.read()
+
+ try:
+ get_service_key(quay_key_id, approved_only=False)
+ except ServiceKeyDoesNotExist:
+ logger.exception('Could not find non-expired existing service key %s; creating a new one',
+ quay_key_id)
+
+ # Found a valid service key, so exiting.
+ return
+ except IOError:
+ logger.exception('Could not load existing service key; creating a new one')
 # Generate the key for this Quay instance to use.
 minutes_until_expiration = app.config.get('INSTANCE_SERVICE_KEY_EXPIRATION', 120)
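Review bot: In `setup_jwt_proxy`, the `return` that follows the inner `try`/`except ServiceKeyDoesNotExist` appears to run even when the handler has just logged "creating a new one", so an instance whose key is missing would still exit early and keep running with the bad key (indentation is not preserved in this view, so confirm against the file). Moving the early exit onto the success path fixes it: place `return` directly after `get_service_key(quay_key_id, approved_only=False)` inside the inner `try`, or attach `else: return` to that `try`. `quay_key_id = f.read()` also keeps any trailing newline from the kid file, which could make the lookup fail for a valid key; `f.read().strip()` is safer unless the writer is known never to emit one. With `approved_only=False` an unapproved key passes this check, so a comment such as `# unapproved keys are accepted here; only a missing or expired key triggers regeneration` would record the intent, assuming `get_service_key` itself filters expired keys. The function body continues past the end of the hunk.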