Converge InfraHouse APT repo + signing key from Puppet (development)#278
Merged
Conversation
Add profile::infrahouse_repo (wired into profile::base) so already-running instances pick up a rotated GPG signing key without being reprovisioned. Today cloud-init seeds /etc/apt/keyrings/infrahouse.gpg and /etc/apt/sources.list.d/50-infrahouse.list only at first boot, so a long-lived instance never receives a new key -- when the current noble signing key expires (2026-07-20) apt-get update would fail fleet-wide with EXPKEYSIG. The class converges both artifacts every Puppet run: - Keyring: files/converge-infrahouse-keyring.sh fetches the published (possibly multi-key) bundle over TLS from release-<codename>.infrahouse.com, dearmors it, and installs atomically. A 'check' verb guards the exec so steady state is a no-op; a fetch/dearmor failure leaves the prior keyring intact. - Source list: rendered byte-identical to cloud-init's seed (codename from os.distro.codename fills both host and suite), so Puppet and cloud-init never fight. cloud-init must keep seeding at first boot (ih-secrets has to be installable before Puppet runs), so shared ownership is intentional. - Both notify a single refreshonly 'apt-get update' that fires only on change. Trust is anchored on the TLS channel (no fingerprint pinning), consistent with cloud-init 2.4.0. Validated real-time on jumphost-sincere-crawdad (development): in-sync no-op, source list byte-identical (md5 unchanged), keyring == published bundle, and the rewrite path (staled keyring -> reconverged byte-identical, apt refreshed once). Dev-first; promotes to sandbox then global. Note: the live release-noble bundle is still single-key -- the upstream rotation must publish the new key into the bundle for the fleet to actually converge onto it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
infrahouse8
approved these changes
Jul 4, 2026
This was referenced Jul 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
cloud-init seeds
/etc/apt/keyrings/infrahouse.gpgand/etc/apt/sources.list.d/50-infrahouse.listonly at first boot. A long-lived instance that isn't reprovisioned never receives a rotated signing key — so when the current noble signing key expires (2026-07-20),apt-get updatewould fail fleet-wide withEXPKEYSIG. This is the client-side "long pole" of the InfraHouse APT GPG key rotation.What
New
profile::infrahouse_repo(included fromprofile::base) converges both artifacts every Puppet run:files/converge-infrahouse-keyring.shfetches the published (possibly multi-key) bundle over TLS fromrelease-<codename>.infrahouse.com,gpg --dearmors it, and installs atomically. Acheckverb guards theexecso steady state is a no-op; a fetch/dearmor failure leaves the prior keyring intact.os.distro.codenamefills both hostrelease-<codename>and suite), so Puppet and cloud-init never fight.refreshonlyapt-get updatethat fires only on an actual change.Trust is anchored on the TLS channel (no fingerprint pinning), consistent with cloud-init 2.4.0.
Shared ownership with cloud-init is intentional
cloud-init must keep seeding both files at first boot —
ih-secretshas to be installable before Puppet ever runs (secret names live in user-data, values don't). So this class does not replace the seed; it keeps it converged afterward. That's why the source line is rendered byte-for-byte identical.Validation (real-time on
jumphost-sincere-crawdad, development)627951c5b24fde2de0feb9e93700c0b6before and after (no churn).keyring == published bundleverified (curl … | gpg --dearmor | cmp).apt-get updateclean against the InfraHouse repo (noEXPKEYSIG/NO_PUBKEY).truncate -s 0) →Exec[…::converge]ran,apt_updatetriggered once, reconverged byte-identical to backup. This also covers a drifted first-boot-only node.Scope / rollout
Dev-first (
environments/development/modules/profile); promotes to sandbox then global per the plan in.claude/plans/infrahouse-keyring-convergence.md.🤖 Generated with Claude Code