Configure apt environment based on bootstrap environment choice

[rocodes]

Ready for a look, depends on #1210 [edit: merged!]

Fixes #1058
Fixes #1232
Refs #1053 (can supersede/close with another approach in a followup PR)

Use bootstrap rpm instead of config.json to decide what environment (dev, staging, prod) we're using.

• Build apt .sources file dynamically, from a single j2 template (drop apt_test j2 template).
• Always default to prod
• Remove pubkey and test key from this repo, and source them from the file managed by the bootstrap rpm. (One fewer place to lose track of pubkey)
• (chore) Clean up unused config.json imports in a couple of VM sls files

Test plan

• base branch is feat/sdw-keyring-compat
• Configure dom0 rpm repo settings via boostrap rpm package #1210 is merged
• CI (openqa) passing (clean install)
• visual review

Checklist

This change accounts for:

• any necessary RPM packaging updates (e.g., added/removed files, see MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec)
• any required documentation

[rocodes]

(triggered openqa, will rebase once #1210 is merged then mark ready for review)

[legoktm]

Overall it looks good, most of my comments are related to the tests.

[legoktm]

Let's turn these into pytest fixtures.

[legoktm]

instead of checking things and raising exceptions, I think we can just use normal pytest assertions

[legoktm]

pytest parameterization?

[legoktm]

Above I suggested using assertions in _read_and_validate_key so then we don't need to catch exception and then immediately fail. Plus if we use parameterization then the test name will also have the VM name.

[legoktm]

I'm wondering if we just leave this called sdvars even though it's different, just to cut down on the number of salt files modified in this PR that are entirely just s/sdvars/apt_config/.

[rocodes]

It's up to you, but I just found sdvars such a confusing/nondescriptive name that it seemed like this would be long-term easier to understand.

[legoktm]

Sorry, this is going over my head. Why can't the step in fpf-apt-repo.sls just read the original apt_config['keyfile']?

[rocodes]

apt_config['keyfile'] is a reference to the signing key in /etc/pki in dom0, and which one it is depends on the keyring package (test key or real release key).

The fpf-apt-repo.sls steps are run on the Debian VMs, but the bootstrap keyring files live in dom0.
The debian vms have access to /srv/salt (as salt://) and to the cache dir but not to dom0 files, so somewhere in a state that's run on dom0 (I just picked this file for simplicity since then we only do it once, at initial provisioning time, and after that the key is managed via the keyring package), we cache the key, and then the VMs can read it.

[legoktm]

Gotcha, appreciate the explanation. How about:

# Debian VMs need access to the signing key for initial provisioning, store it in salt cache since they
# only have access to the cache and `/srv/salt`, not all of dom0.
# Using cp.push or cp.cache_file don't work due to the minion-minion setup.

[legoktm]

Cursed but if it works, it works :)

Could you add an explicit TODO: use sequoia here instead - I think we can do that once we're on 4.3.

[rocodes]

The CI failure shows that the installation is looking for the prod key, when it should be looking for the test key. Here's why: sd-default-config.sls file correctly selects the apt configuration we want when it's run on dom0, but even when it's imported with context in the VM files, it still tries to run the same checks on the vm, as opposed to remembering the configuration we selected.

[rocodes]

The right solution is to use pillars #1053, which is how Saltstack handles configurable data, and what the qubes team uses. It's possible to have dev- or staging- only pillar files that don't ship with the prod rpm (for example, that are installed into place when a developer runs a make target), and that can optionally override prod defaults.

It's possible to use pillars conservatively/only for the dev and staging setups, leaving all prod stuff defined in the sls files in /srv/salt. Then, for example, if a pillar file is available (because devs installed it - it wouldn't be shipped with the prod rpm), the prod repo data could be overridden with apt-test, or as we switch to new Debian versions, the apt-sources file could contain an new testing repo with another distribution, etc. (This is what whonix does with their testing pillar).

It's also possible to move more of our configuration to pillars, eg and ship a file in /etc/salt/minions.d/ configuring our own pillar with default (or empty) values, as the qubes team does.

I'm saying all this because someone else will probably have to pick this up if it's a priority due to the upcoming changes in my schedule. I'm going to reluctantly close this ticket; I think it would take a pretty short amount of time if we were just converting sd-default-config to prod by default plus an optional dev configuration on top, and I'm not thrilled about leaving things in a halfway state, but it's not something I can finish off in the next day or so.