Share masterkey between EESSI repos and make config package for the entire domain #59

Closed
bedroge opened this issue Dec 8, 2020 · 6 comments
Labels: configuration (Improvements or additions to the configuration), security (Security-related issues)

Comments

@bedroge
Collaborator

bedroge commented Dec 8, 2020

During the monthly CVMFS coordination meeting it was mentioned that you can make a client package (without using a cvmfs-config repo) that still allows you to easily add more repos, as long as they are under the same domain and share the masterkey.
The documentation (see https://cvmfs.readthedocs.io/en/stable/cpt-repo.html#master-keys) also says something about this:

Each cvmfs repository uses two sets of keys, one for the individual repository and another called
the “masterkey” which signs the repository key. The pub key that corresponds to the masterkey
is what needs to be distributed to clients to verify the authenticity of the repository.
It is usually most convenient to share the masterkey between all repositories in a domain
so new repositories can be added without updating the client configurations.

We should change this for our repos, as they now have their own masterkeys.

@bedroge
Collaborator Author

bedroge commented Dec 9, 2020

Related to this, it's recommended to use a yubikey:

That's right, you can actually remove the private master key from the individual publishers.
The .cvmfswhitelist file can be signed independently on a dedicated signing node and then copied back to the repositories.
I'd recommend to use the cvmfs yubikey integration for the signing node.

@rptaylor

rptaylor commented Jan 5, 2021

From our documentation:

Generally speaking, all repositories that are hosted on the same stratum 0 server, used for a similar purpose (e.g. user-facing production repos), and use the same domain name should use the same .pub file and corresponding .masterkey file. However, the .crt and .key files should be unique. See this documentation: http://cvmfs.readthedocs.io/en/stable/cpt-repo.html#master-keys

To create a new repository which shares the key of an existing repository:
Use the cvmfs_server mkfs command from the Ansible role to create new.computecanada.ca 

sudo cp /etc/cvmfs/keys/existing.computecanada.ca.masterkey /etc/cvmfs/keys/new.computecanada.ca.masterkey
sudo cp /etc/cvmfs/keys/existing.computecanada.ca.pub /etc/cvmfs/keys/new.computecanada.ca.pub
sudo cvmfs_server resign new.computecanada.ca
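
The key layout described in the comment above (one shared .pub per domain, a unique .crt per repository) can be audited with a short script. This is an added example, not part of the original thread or of CVMFS; the function names and the example.org sample files are constructed placeholders, and sha256sum is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): audit one domain's CVMFS key directory.
# Expected layout per the comment above: identical <repo>.<domain>.pub files
# (shared masterkey), but a distinct <repo>.<domain>.crt per repository.

# key_digests DIR DOMAIN EXT -> one sha256 per matching file, sorted
key_digests() {
    for f in "$1"/*."$2"."$3"; do
        if [ -f "$f" ]; then sha256sum < "$f" | cut -d' ' -f1; fi
    done | sort
}

# audit_domain_keys DIR DOMAIN -> returns 0 if the layout is as expected, else 1
audit_domain_keys() {
    rc=0
    pubs=$(key_digests "$1" "$2" pub)
    crts=$(key_digests "$1" "$2" crt)
    if [ -z "$pubs" ]; then
        echo "no .pub files found for $2"; return 1
    fi
    # More than one distinct digest means the repos do not share a masterkey.
    if [ "$(printf '%s\n' "$pubs" | uniq | wc -l)" -ne 1 ]; then
        echo "FAIL: $2 repositories do not share one master public key"; rc=1
    fi
    # Any repeated digest means a repository certificate was copied.
    if [ -n "$(printf '%s\n' "$crts" | uniq -d)" ]; then
        echo "FAIL: two or more $2 repositories share a .crt"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $2 shares one .pub, .crt files are unique"
    return "$rc"
}

# make_sample DIR PUB_B CRT_B: constructed placeholder files, not real keys
make_sample() {
    mkdir -p "$1"
    echo "masterkey-pub-A" > "$1/existing.example.org.pub"
    echo "$2"              > "$1/new.example.org.pub"
    echo "cert-existing"   > "$1/existing.example.org.crt"
    echo "$3"              > "$1/new.example.org.crt"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/good" "masterkey-pub-A" "cert-new"
make_sample "$demo_dir/bad"  "masterkey-pub-B" "cert-existing"
audit_domain_keys "$demo_dir/good" example.org
audit_domain_keys "$demo_dir/bad"  example.org || true
```

On a real stratum 0 the call would be `audit_domain_keys /etc/cvmfs/keys <domain>`; the private .key files are left unread on purpose.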

@rptaylor

rptaylor commented Jan 5, 2021

"new repositories can be added without updating the client configurations"
That was probably written before the advent of config repos. The same thing can now be achieved using config repos, but sharing keys still makes sense for some situations.

Nowadays you only need to distribute a single pub key in a config package, for the config repo. Then the config repo can distribute the pub keys for all other repos. Part of the reason for a config repo is to be able to blacklist and rotate signing keys without causing an interruption in repo access, so the config repo and other repos should use different keys.

@bedroge
Collaborator Author

bedroge commented Jan 6, 2021

Thanks for the clarification, @rptaylor. We do already have a config package, but only one actual repo (pilot) at the moment; I opened the issue to make sure that we re-use the key for new/future repos, especially for cases where sites cannot use the config package (because they already use another one). I also wanted to use that same masterkey for the config repo, but apparently that's not a good idea, good to know.

So, sites can then either use the config package/repo, or manually configure the actual repos by installing the pub key for those repos (+ config files). I guess we could even make another config package for the latter case?

@rptaylor

rptaylor commented Jan 6, 2021

Yes, it would be useful to have a way to provide config in the form of just plain files (not via config repo).
We had some discussion touching on this, and the difficulty of interoperability with config repos, at the last CVMFS coordination meeting.

bedroge added the configuration and security labels Jan 8, 2021
bedroge changed the title from "Share masterkey between EESSI repos" to "Share masterkey between EESSI repos and make config package for the entire domain" Feb 4, 2021
peterstol pushed a commit to peterstol/filesystem-layer that referenced this issue Feb 18, 2021
bedroge moved this to Todo filesystem layer in EESSI pilot 2021.12 Nov 15, 2021
bedroge self-assigned this Nov 15, 2021
@bedroge
Collaborator Author

bedroge commented Apr 5, 2024

This is now being done for the production repos, so I'm closing this.

bedroge closed this as completed Apr 5, 2024
github-project-automation bot moved this from Todo filesystem layer to Done in EESSI pilot 2021.12 Apr 5, 2024