About the Work at ASML

At ASML, everything revolves around precision and reliability, and that includes the software we release. The team we work in is responsible for tooling that ensures software patches are securely generated and signed before they go to production. This is crucial in an environment where software runs on machines worth millions of euros.

Patch Generation Service

We built a new patch generation service using a modern stack: FastAPI for the REST API, MySQL for data storage, and RabbitMQ with Celery for asynchronous processing of heavy tasks. In the future, the service will process hundreds of patch requests daily and needs to be available 24/7. We put a lot of effort into error handling, retry logic, and monitoring to ensure patches are generated reliably.

Artifact Signing Service

We also developed an artifact signing service secured via Okta. This service enables signing of various artifact types: patches, RPMs, and regular files. The service is hash-based: clients send a hash of their artifact and receive a signature back. This keeps the service stateless and means we never have to process large files.
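
The hash-based flow described above, as an added example that is not ASML's code: the client hashes locally, the signer signs only the digest, and verification recomputes the hash from the artifact itself. SHA-256, RSA PKCS#1 v1.5, the constructed demo key and all function names are assumptions; the page does not name the algorithms used.

```python
import hashlib
import hmac

# Constructed demo key: two Mersenne primes, so the example runs on the
# standard library alone. Not a safe key; a real signer keeps its key in an HSM.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8            # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(digest: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of an already computed SHA-256 digest."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def service_sign(digest_hex: str) -> bytes:
    """Signer side: receives only a hex digest, never the artifact."""
    digest = bytes.fromhex(digest_hex)
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("expected a 32-byte SHA-256 digest")
    m = int.from_bytes(emsa_pkcs1_v15(digest), "big")
    return pow(m, D, N).to_bytes(K, "big")


def client_digest(artifact: bytes) -> str:
    """Client side: hash locally so only 64 hex characters leave the host."""
    return hashlib.sha256(artifact).hexdigest()


def verify(artifact: bytes, signature: bytes) -> bool:
    """Recompute the hash from the artifact itself and compare encodings."""
    if len(signature) != K or int.from_bytes(signature, "big") >= N:
        return False
    recovered = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    expected = emsa_pkcs1_v15(hashlib.sha256(artifact).digest())
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    patch = b"constructed sample patch payload\n"
    sig = service_sign(client_digest(patch))
    print(verify(patch, sig), verify(patch + b"x", sig))
```

Because the signer never sees the artifact, it cannot inspect what it is endorsing; in this design the caller's authorization is the only gate on what gets signed.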

RPM Library

For parsing and signing RPMs, we wrote a Python library. This library follows the RPM standards and implements the same logic as the RPM CLI tool. It supports RPM versions 3, 4, and 5. Now other teams can use this library in their own pipelines to read, sign, and embed the signature in RPMs.

DevOps & Deployment

Our team is fully responsible for the entire deployment pipeline up to and including the ACC environment (production is managed by another team). This means we don't just write code, but also build Docker images, manage Kubernetes manifests, configure VMs, and maintain Ansible playbooks. We set up a complete CI/CD pipeline with automated testing, security scanning, and staged deployments.

Python, FastAPI, SQLAlchemy, Pydantic, Celery, RabbitMQ, MySQL, Docker, Kubernetes, Ansible, Okta, RHEL8