Skip to content

Commit 2af1cc8

Browse files
committed
ci init
1 parent 9067b22 commit 2af1cc8

20 files changed

Lines changed: 552 additions & 13 deletions

.fpm

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
-s dir -t deb
2+
-p pkg/newrelic-infra-public-keys-VERSION-any.deb
3+
--name newrelic-infra-public-keys
4+
--license "Copyright (c) 2008-2022 New Relic, Inc. All rights reserved."
5+
--version 0.0.0
6+
--architecture all
7+
--depends bash
8+
--description "Adds New Relic current and next apt public keys to the system"
9+
--url "https://github.com/newrelic/infrastructure-agent/tree/master/tools/newrelic-infra-public-keys"
10+
--maintainer "caos-team@newrelic.com"
11+
--after-install newrelic-infra-public-keys

.github/workflows/prerelease.yml

Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
name: Pre-Release
2+
3+
on:
4+
release:
5+
types:
6+
- prereleased
7+
tags:
8+
- '*'
9+
10+
env:
11+
TAG: ${{ github.event.release.tag_name }}
12+
PGK_VERSION: ${{ github.event.release.tag_name }}
13+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
14+
SCHEMA_BRANCH: "ci/init"
15+
16+
jobs:
17+
packaging:
18+
name: Build newrelic infra public keys package
19+
runs-on: ubuntu-latest
20+
21+
steps:
22+
- uses: actions/checkout@v2
23+
24+
- name: Login to DockerHub
25+
uses: docker/login-action@v1
26+
with:
27+
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
28+
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
29+
30+
- name: Preparing linux packages
31+
run: make build
32+
33+
- name: (TBD) Sign package
34+
run: make ci/sign
35+
env:
36+
GPG_MAIL: 'infrastructure-eng@newrelic.com'
37+
GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
38+
GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
39+
40+
- name: Generate checksum files
41+
uses: newrelic/infrastructure-agent/.github/actions/generate-checksums@master
42+
with:
43+
files_regex: '.*\(deb\)'
44+
files_path: 'pkg'
45+
run_sudo: true
46+
47+
- name: Upload artifacts to release assets
48+
run: bash upload_artifacts_gh.sh
49+
50+
publish:
51+
name: Publish linux artifacts into s3 staging bucket
52+
runs-on: ubuntu-20.04
53+
54+
steps:
55+
- name: Login to DockerHub
56+
uses: docker/login-action@v1
57+
with:
58+
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
59+
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
60+
- name: Publish ${{ matrix.assetsType }} to S3 action
61+
uses: newrelic/infrastructure-publish-action@v1
62+
with:
63+
tag: ${{ github.event.release.tag_name }}
64+
app_name: "newrelic-infra-public-keys"
65+
repo_name: "newrelic/infrastructure-public-keys"
66+
schema: "custom"
67+
schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-public-keys/${{ env.SCHEMA_BRANCH }}/upload-schema-linux-deb.yml"
68+
aws_access_key_id: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_STAGING }}
69+
aws_secret_access_key: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_STAGING }}
70+
aws_s3_bucket_name: "nr-downloads-ohai-staging"
71+
aws_s3_lock_bucket_name: "onhost-ci-lock-staging"
72+
access_point_host: "staging"
73+
run_id: ${{ github.run_id }}
74+
aws_region: "us-east-1"
75+
aws_role_session_name: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_STAGING }}
76+
aws_role_arn: ${{ secrets.OHAI_AWS_ROLE_ARN_STAGING }}
77+
disable_lock: false
78+
# used for signing package stuff
79+
gpg_passphrase: ${{ secrets.OHAI_GPG_PASSPHRASE }}
80+
gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }}

.gitignore

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
*.deb
2+
pkg/.gitkeep
3+
!.gitkeep

Dockerfile

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
FROM ruby:3-alpine3.15
2+
3+
RUN apk add --update ruby-dev gcc make musl-dev libffi-dev xz-dev tar && \
4+
gem install fpm
5+
6+
7+
RUN mkdir -p /fpm/opt/newrelic-infra-public-keys/keys
8+
COPY .fpm /fpm
9+
COPY keys /fpm/opt/newrelic-infra-public-keys/keys
10+
COPY newrelic-infra-public-keys /fpm/newrelic-infra-public-keys
11+
12+
WORKDIR /fpm
13+
14+
ENTRYPOINT ["fpm"]
15+
CMD ["."]

Makefile

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
IMAGE_VERSION ?= dev
2+
IMAGE_NAME = newrelic-infra-public-keys
3+
PKG_VERSION ?= 0.0.0
4+
BUILDER_IMG_TAG = infrastructure-public-keys-builder
5+
6+
.PHONY: clean
7+
clean:
8+
@rm -f pkg/*.deb
9+
10+
.PHONY: build-container
11+
build-container:
12+
@docker build -t $(IMAGE_NAME):$(IMAGE_VERSION) .
13+
14+
15+
.PHONY: build
16+
build: clean build-container
17+
@docker run -v $(CURDIR)/pkg:/fpm/pkg $(IMAGE_NAME):$(IMAGE_VERSION) --version $(PKG_VERSION) .
18+
19+
.PHONY: ci/deps
20+
ci/deps:
21+
@docker build -t $(BUILDER_IMG_TAG) -f $(CURDIR)/build/Dockerfile $(CURDIR)
22+
23+
.PHONY : ci/sign
24+
ci/sign: ci/deps
25+
@docker run --rm -t \
26+
--name "infrastructure-public-keys" \
27+
-v $(CURDIR):/home/newrelic/infrastructure-public-keys \
28+
-w /home/newrelic/infrastructure-public-keys \
29+
-e GPG_MAIL \
30+
-e GPG_PASSPHRASE \
31+
-e GPG_PRIVATE_KEY_BASE64 \
32+
$(BUILDER_IMG_TAG) ./sign.sh

README.md

Lines changed: 34 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,28 +1,16 @@
11
[![Community Project header](https://github.com/newrelic/opensource-website/raw/master/src/images/categories/Community_Project.png)](https://opensource.newrelic.com/oss-category/#community-project)
22

3-
# [Name of Project] [build badges go here when available]
3+
# New Relic Infrastructure Public Keys
44

55
>[Brief description - what is the project and value does it provide? How often should users expect to get releases? How is versioning set up? Where does this project want to go?]
66
77
## Installation
88

99
> [Include a step-by-step procedure on how to get your code installed. Be sure to include any third-party dependencies that need to be installed separately]
1010
11-
## Getting Started
12-
>[Simple steps to start working with the software similar to a "Hello World"]
13-
1411
## Usage
1512
>[**Optional** - Include more thorough instructions on how to use the software. This section might not be needed if the Getting Started section is enough. Remove this section if it's not needed.]
1613
17-
18-
## Building
19-
20-
>[**Optional** - Include this section if users will need to follow specific instructions to build the software from source. Be sure to include any third party build dependencies that need to be installed separately. Remove this section if it's not needed.]
21-
22-
## Testing
23-
24-
>[**Optional** - Include instructions on how to run tests if we include tests with the codebase. Remove this section if it's not needed.]
25-
2614
## Support
2715

2816
New Relic hosts and moderates an online forum where customers can interact with New Relic employees as well as other customers to get help and share best practices. Like all official New Relic open source projects, there's a related Community topic in the New Relic Explorers Hub. You can find this project's topic/threads here:
@@ -48,3 +36,36 @@ To all contributors, we thank you! Without your contribution, this project woul
4836
## License
4937
[Project Name] is licensed under the [Apache 2.0](http://apache.org/licenses/LICENSE-2.0.txt) License.
5038
>[If applicable: The [project name] also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the third-party notices document.]
39+
40+
41+
---
42+
43+
# New Relic Public Keys
44+
This project consists on building a debian package, `newrelic-infra-public-keys`, which contains the public key for both the
45+
key that is currently be used for signing (“current key”), and the key that will be used after the rotation takes place
46+
(“future key”). The future key is generated in advance, but not used to sign packages until a reasonable time
47+
(“update window”) passes.
48+
49+
`newrelic-infra-public-keys` would be a dependency of all New Relic core packages. As users upgrade packages, they will get the
50+
latest version of newrelic-infra-public-keys, which adds to their system’s truststore the future key. After the update window
51+
passes, New Relic will start to sign packages and repository metadata with the future key, effectively making it the
52+
current key. The previous current key ("old key") is removed from the newrelic-infra-public-keys package, and a new future
53+
key is generated and added to the package.
54+
55+
The following diagram illustrates the process. In State 1, 0xAAAA is the current key, and 0xBBBB the future key. All NR
56+
packages are signed with 0xAAAA, but the newrelic-infra-public-keys package is already deploying 0xBBBB as a valid key. After
57+
some time passes, State 2 is reached when 0xBBBB becomes the current key and packages start to get signed with it. A new
58+
key, 0xCCCC is generated and its public counterpart deployed, and the process restarts with 0xBBBB being the current key
59+
and 0xCCCC the future key.
60+
61+
![Signing Key Diagram](./doc/signing_key_diagram.png "Signing Key Diagram")
62+
63+
## Requirements
64+
* Docker
65+
66+
## Build
67+
68+
Current command will leave the generated deb package under `./pkg` folder
69+
```shell
70+
PGK_VERSION=1.2.3 make build
71+
```

build/Dockerfile

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
FROM golang:1.19.0-buster
2+
3+
RUN apt-get update \
4+
&& apt-get -y install \
5+
gnupg2 \
6+
gpg-agent \
7+
debsigs

doc/signing_key_diagram.png

180 KB
Loading
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
-----BEGIN PGP PUBLIC KEY BLOCK-----
2+
Version: GnuPG v1
3+
4+
mQINBFgQ8NoBEADT59GnSBJ2Pj9AMj59JNJ7davbPrqgl5zb0JO9yfw+yU+3rCUk
5+
xLfdwSz8U+J7MOQ8cF3mkyIDDBfD3T1DKbAGl0Zp6cZuySSadZZJ+gMnzKiMi+5S
6+
nsOxzfH2q+hJ2zPEKqWgmRIDFdKoGDFp6WRLb9ce8Crg1FJ0nx/heuRiPfilwN//
7+
B6MLif3TjqSnD5Cyb1VN/b3UYHBfwvk3BPdIGC8w8VkrmeaXQQ+oIdxGAjbWuSdb
8+
yd+a0uiV1vOBgz2A7P+XCwfX5qvag87z1kMNNyAJWRSrCn8j8OdHvmLc0NsZ+Hft
9+
GtuieqcmD6WydaW/2rAyrlJPv+DeWV1t+YnwRLK45jstK9dCKrDMZyl/eBGnmWoa
10+
L7pdgQQ4AcvEbv7F7xsWM0tlJyDgzsEhubO8Ue0r/tp51JoTXiuVAS+EcVLFCuhT
11+
6XbGv/Gc/VLM613xi8WZGHumgtfFQvDrmYlVY3GBs4HPCyibJi6ZMtLYmRYzJYZJ
12+
n31c5SwN9iuNEWLxySrNGJFYnJt00JcIjvrWZF44uN8U7Byzz4RQkWCBe6sEd5L2
13+
TJcn/0aVQTCFn4sETzRN6GylhGuoL+eI3N0T2MRZMHKV5zBE2zwUZNV0DxqbdWWh
14+
mIv/QUiYfmIaPHLHhbevXKeTbMOHQyUioKZsh0l7FyArqosMOWv8hkh9kwARAQAB
15+
tDRpbmZyYXN0cnVjdHVyZS1lbmcgPGluZnJhc3RydWN0dXJlLWVuZ0BuZXdyZWxp
16+
Yy5jb20+iQI4BBMBAgAiBQJYEPDaAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
17+
gAAKCRC7Ke4DjszofMYvEACA4mZw4QGn44o9OjtoRXWry0PwxZyDb7LRFSqV/i0P
18+
yBo86zth3MP4+TxduxSDdoaLxB6A2fOZX25XOTcd5ILaWgVsfcIb9SiRCBmJA9aQ
19+
i5gNT/KzmCJeRyH52J+j1DPpz0JbadKxBfDLGmkeKBdIx3MCLIvchT8Wc+F+SaLT
20+
8DGj6W3m5fWKeCV62OCZqu5Lq5DjU/L1AqbbgsWI3SpeFTgTy7XnOM/ecGkrjC3M
21+
W+jkkhA9mU49TctWmdyFUMNQOwvdjz4BcayKZQO5ubShuYSF/J9NQnhtA9HNdLey
22+
CMaru6DSUHZ2DA161joNUm7eoMyXgU6tioFBPUsNG9KIL7/9o4tR3rujCehrC1ZB
23+
F3E5TySmucpueYg7C3HVjjyLDXy9hlu2DUr+8S7Sg1RT6gBHpp5BBxOrm9MxrNry
24+
QM72Pw6aVPmPeaTP5RCB7orlqfYaBsrZVww22kaQB4K9jSeCaai2NIMXWEd2i3pb
25+
18mFsKHrpTolzqmLvdehxtNWsE6XBJoVl0FGmtvpXwcQU/jwXvqWuOPD6Re1AvyH
26+
tCrWpr7AFU0T38AXszhRdnKuqFihfWVaTlWjzqOY05xLSGBrxddAz6dJF4qCopPu
27+
RxizNGC6dUJxuQlJfVLPJKN3EDSphCe/+FLa5PMt0U1NrLfuMdtZLWH5a9fbDwxw
28+
TQ==
29+
=uCVl
30+
-----END PGP PUBLIC KEY BLOCK-----
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
-----BEGIN PGP PUBLIC KEY BLOCK-----
2+
Version: GnuPG v1
3+
4+
mQINBFgQ8NoBEADT59GnSBJ2Pj9AMj59JNJ7davbPrqgl5zb0JO9yfw+yU+3rCUk
5+
xLfdwSz8U+J7MOQ8cF3mkyIDDBfD3T1DKbAGl0Zp6cZuySSadZZJ+gMnzKiMi+5S
6+
nsOxzfH2q+hJ2zPEKqWgmRIDFdKoGDFp6WRLb9ce8Crg1FJ0nx/heuRiPfilwN//
7+
B6MLif3TjqSnD5Cyb1VN/b3UYHBfwvk3BPdIGC8w8VkrmeaXQQ+oIdxGAjbWuSdb
8+
yd+a0uiV1vOBgz2A7P+XCwfX5qvag87z1kMNNyAJWRSrCn8j8OdHvmLc0NsZ+Hft
9+
GtuieqcmD6WydaW/2rAyrlJPv+DeWV1t+YnwRLK45jstK9dCKrDMZyl/eBGnmWoa
10+
L7pdgQQ4AcvEbv7F7xsWM0tlJyDgzsEhubO8Ue0r/tp51JoTXiuVAS+EcVLFCuhT
11+
6XbGv/Gc/VLM613xi8WZGHumgtfFQvDrmYlVY3GBs4HPCyibJi6ZMtLYmRYzJYZJ
12+
n31c5SwN9iuNEWLxySrNGJFYnJt00JcIjvrWZF44uN8U7Byzz4RQkWCBe6sEd5L2
13+
TJcn/0aVQTCFn4sETzRN6GylhGuoL+eI3N0T2MRZMHKV5zBE2zwUZNV0DxqbdWWh
14+
mIv/QUiYfmIaPHLHhbevXKeTbMOHQyUioKZsh0l7FyArqosMOWv8hkh9kwARAQAB
15+
tDRpbmZyYXN0cnVjdHVyZS1lbmcgPGluZnJhc3RydWN0dXJlLWVuZ0BuZXdyZWxp
16+
Yy5jb20+iQI4BBMBAgAiBQJYEPDaAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
17+
gAAKCRC7Ke4DjszofMYvEACA4mZw4QGn44o9OjtoRXWry0PwxZyDb7LRFSqV/i0P
18+
yBo86zth3MP4+TxduxSDdoaLxB6A2fOZX25XOTcd5ILaWgVsfcIb9SiRCBmJA9aQ
19+
i5gNT/KzmCJeRyH52J+j1DPpz0JbadKxBfDLGmkeKBdIx3MCLIvchT8Wc+F+SaLT
20+
8DGj6W3m5fWKeCV62OCZqu5Lq5DjU/L1AqbbgsWI3SpeFTgTy7XnOM/ecGkrjC3M
21+
W+jkkhA9mU49TctWmdyFUMNQOwvdjz4BcayKZQO5ubShuYSF/J9NQnhtA9HNdLey
22+
CMaru6DSUHZ2DA161joNUm7eoMyXgU6tioFBPUsNG9KIL7/9o4tR3rujCehrC1ZB
23+
F3E5TySmucpueYg7C3HVjjyLDXy9hlu2DUr+8S7Sg1RT6gBHpp5BBxOrm9MxrNry
24+
QM72Pw6aVPmPeaTP5RCB7orlqfYaBsrZVww22kaQB4K9jSeCaai2NIMXWEd2i3pb
25+
18mFsKHrpTolzqmLvdehxtNWsE6XBJoVl0FGmtvpXwcQU/jwXvqWuOPD6Re1AvyH
26+
tCrWpr7AFU0T38AXszhRdnKuqFihfWVaTlWjzqOY05xLSGBrxddAz6dJF4qCopPu
27+
RxizNGC6dUJxuQlJfVLPJKN3EDSphCe/+FLa5PMt0U1NrLfuMdtZLWH5a9fbDwxw
28+
TQ==
29+
=uCVl
30+
-----END PGP PUBLIC KEY BLOCK-----

0 commit comments

Comments
 (0)