Use in-repo GPG keys

The remote network requests made to fetch the GPG keys are quite
unreliable, and apt_key does not support using a proxy properly [1],
so this change installs the keys from files inside the role.

The implementation here is derived from that which was done in the
galera_server role in I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528.

[1] https://github.com/ansible/ansible/issues/31691

Change-Id: Id040de19dbefc820851928c9a3589f20a6b4bd61
Closes-Bug: #1815430
Stuart Grace 2019-02-13 18:27:39 +00:00 committed by Jonathan Rosser
parent 0a724692fd
commit 58be4bd5e3
8 changed files with 166 additions and 51 deletions

files/gpg/460f3994 Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: keyserver.ubuntu.com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=/Tod
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB
OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm
jYWhmRlLRGl0OO7gIwj776dIXvcMNFlzSPj00N2xAqjMbjlnV2n2abAE5gq6VpqP
vFXVyfrVa/ualogDVmf6h2t4Rdpifq8qTHsHFU3xpCz+T6/dGWKGQ42ZQfTaLnDM
jToAsmY0AyevkIbX6iZVtzGvanYpPcWW4X0RDPcpqfFNZk643xI4lsZ+Y2Er9Yu5
S/8x0ly+tmmIokaE0wwbdUu740YTZjCesroYWiRg5zuQ2xfKxJoV5E+Eh+tYwGDJ
n6HfWhRgnudRRwvuJ45ztYVtKulKw8QQpd2STWrcQQDJaRWmnMooX/PATTjCBExB
9dkz38Druvk7IkHMtsIqlkAOQMdsX1d3Tov6BE2XDjIG0zFxLduJGbVwc/6rIc95
T055j36Ez0HrjxdpTGOOHxRqMK5m9flFbaxxtDnS7w77WqzW7HjFrD0VeTx2vnjj
GqchHEQpfDpFOzb8LTFhgYidyRNUflQY35WLOzLNV+pV3eQ3Jg11UFwelSNLqfQf
uFRGc+zcwkNjHh5yPvm9odR1BIfqJ6sKGPGbtPNXo7ERMRypWyRz0zi0twARAQAB
tChGZWRvcmEgRVBFTCAoNykgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
AgAiBQJSrmiEAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBqL66iNSxk
5cfGD/4spqpsTjtDM7qpytKLHKruZtvuWiqt5RfvT9ww9GUUFMZ4ZZGX4nUXg49q
ixDLayWR8ddG/s5kyOi3C0uX/6inzaYyRg+Bh70brqKUK14F1BrrPi29eaKfG+Gu
MFtXdBG2a7OtPmw3yuKmq9Epv6B0mP6E5KSdvSRSqJWtGcA6wRS/wDzXJENHp5re
9Ism3CYydpy0GLRA5wo4fPB5uLdUhLEUDvh2KK//fMjja3o0L+SNz8N0aDZyn5Ax
CU9RB3EHcTecFgoy5umRj99BZrebR1NO+4gBrivIfdvD4fJNfNBHXwhSH9ACGCNv
HnXVjHQF9iHWApKkRIeh8Fr2n5dtfJEF7SEX8GbX7FbsWo29kXMrVgNqHNyDnfAB
VoPubgQdtJZJkVZAkaHrMu8AytwT62Q4eNqmJI1aWbZQNI5jWYqc6RKuCK6/F99q
thFT9gJO17+yRuL6Uv2/vgzVR1RGdwVLKwlUjGPAjYflpCQwWMAASxiv9uPyYPHc
ErSrbRG0wjIfAR3vus1OSOx3xZHZpXFfmQTsDP7zVROLzV98R3JwFAxJ4/xqeON4
vCPFU6OsT3lWQ8w7il5ohY95wmujfr6lk89kEzJdOTzcn7DBbUru33CQMGKZ3Evt
RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw==
=hdPa
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=/Tod
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,16 @@
---
upgrade:
- |
The data structure for ``ceph_gpg_keys`` has been changed to be a list of
dicts, each of which is passed directly to the applicable apt_key/rpm_key
module. As such any overrides would need to be reviewed to ensure that they
do not pass any key/value pairs which would cause the module to fail.
- |
The default values for ``ceph_gpg_keys`` have been changed for all
supported platforms and now use vendored keys. This means that the task
execution will no longer reach out to the internet to add the keys,
making offline or proxy-based installations easier and more reliable.
- |
A new value ``epel_gpg_keys`` can be overridden to use a different GPG key
for the EPEL-7 RPM package repo instead of the vendored key used by default.


@ -22,38 +22,24 @@
when:
- ceph_pkg_source == 'ceph'
- name: Add ceph apt-keys
block:
- name: Add keys (primary keyserver)
apt_key:
id: "{{ item.hash_id }}"
keyserver: "{{ item.keyserver | default(omit) }}"
data: "{{ item.data | default(omit) }}"
url: "{{ item.url | default(omit) }}"
state: "present"
register: add_keys
until: add_keys is success
retries: 5
delay: 2
with_items: "{{ ceph_gpg_keys }}"
when:
- ceph_pkg_source == 'ceph'
- name: If a keyfile is provided, copy the gpg keyfile to the key location
copy:
src: "gpg/{{ item.id }}"
dest: "{{ item.file }}"
mode: '0644'
with_items: "{{ ceph_gpg_keys | selectattr('file','defined') | list }}"
rescue:
- name: Add keys (fallback keyserver)
apt_key:
id: "{{ item.hash_id }}"
keyserver: "{{ item.fallback_keyserver | default(omit) }}"
url: "{{ item.fallback_url | default(omit) }}"
state: "present"
register: add_keys_fallback
until: add_keys_fallback is success
retries: 5
delay: 2
with_items: "{{ ceph_gpg_keys }}"
when:
- ceph_pkg_source == 'ceph'
- item.fallback_keyserver is defined or item.fallback_url is defined
- name: Add ceph apt-keys
apt_key: "{{ key }}"
with_items: "{{ ceph_gpg_keys }}"
loop_control:
loop_var: key
register: add_apt_keys
until: add_apt_keys is success
retries: 5
delay: 2
when:
- ceph_pkg_source == 'ceph'
- name: add ubuntu cloud archive key package
apt:
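Review bot: The new `apt_key: "{{ key }}"` task imports each default key into apt's global trusted keyring, so the Ceph key becomes trusted for every configured repository rather than only the Ceph one. Because the dict is now handed straight to the module, a `keyring:` entry in the `ceph_gpg_keys` default pointing at a dedicated keyring file, combined with a `signed-by=` option on the Ceph apt source entry, would limit that key's trust to the repository it signs. The copy task that writes the keyfile with `mode: '0644'` is fine for a public key. The enclosing task list continues outside the hunk.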


@ -13,14 +13,24 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Install EPEL gpg keys
rpm_key:
key: "http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7"
state: present
- name: Copy EPEL gpg keyfile to the key location
copy:
src: "gpg/{{ item.key | basename }}"
dest: "{{ item.key }}"
mode: '0644'
with_items: "{{ epel_gpg_keys }}"
when:
- ansible_pkg_mgr in ['yum','dnf']
register: _add_yum_keys
until: _add_yum_keys is success
- name: Install EPEL gpg keys
rpm_key: "{{ key }}"
with_items: "{{ epel_gpg_keys }}"
loop_control:
loop_var: key
when:
- ansible_pkg_mgr in ['yum','dnf']
register: _add_epel_keys
until: _add_epel_keys is success
retries: 5
delay: 2
@ -40,18 +50,27 @@
retries: 5
delay: 2
- name: Add ceph rpm key
rpm_key:
key: "{{ ceph_gpg_keys }}"
state: "present"
register: add_keys
until: add_keys is success
failed_when: false
retries: 5
delay: 2
- name: Copy Ceph gpg keyfile to the key location
copy:
src: "gpg/{{ item.key | basename }}"
dest: "{{ item.key }}"
mode: '0644'
with_items: "{{ ceph_gpg_keys }}"
when:
- ceph_pkg_source == 'ceph'
- name: Install Ceph gpg keys
rpm_key: "{{ key }}"
with_items: "{{ ceph_gpg_keys }}"
loop_control:
loop_var: key
when:
- ceph_pkg_source == 'ceph'
register: _add_ceph_keys
until: _add_ceph_keys is success
retries: 5
delay: 2
- name: Add ceph repo
yum_repository:
name: ceph
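Review bot: Nothing in the new `rpm_key: "{{ key }}"` task checks that the vendored file copied to `{{ item.key }}` is the key it is expected to be, so a wrong or altered file under `files/gpg/` would be imported without error. Since the dict is passed directly to the module, adding the key's long fingerprint to the `ceph_gpg_keys` default via rpm_key's `fingerprint` option (where the Ansible version in use supports it) makes the import fail on a mismatch; the same applies to the EPEL task in the first hunk of this file and its `epel_gpg_keys` default. The task list continues beyond both hunks.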


@ -14,7 +14,14 @@
# limitations under the License.
# Ceph GPG Keys
ceph_gpg_keys: 'https://download.ceph.com/keys/release.asc'
ceph_gpg_keys:
# download.ceph.com/keys/release.asc
- key: /etc/pki/rpm-gpg/ceph_com_keys_release
# EPEL GPG Keys
epel_gpg_keys:
# Extra Packages for Enterprise Linux 7
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
libvirt_package: libvirt-daemon-kvm
libvirt_service_name: libvirtd
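Review bot: The comments above the new `ceph_gpg_keys` and `epel_gpg_keys` entries record where each vendored key came from but not which key it is, so a maintainer cannot check the files under `files/gpg/` against upstream without first trusting them. Recording the full fingerprint alongside the source, e.g. `# download.ceph.com/keys/release.asc, fingerprint <FULL-FINGERPRINT-HERE>` and the equivalent for the EPEL-7 key, gives reviewers something concrete to verify and documents what the file is expected to contain.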


@ -18,11 +18,12 @@
cache_timeout: 600
# Ceph GPG Keys
# This should be a list of dicts, with each dict giving
# a valid set of arguments to the apt_key module. These
# could specify either a key file or a URL.
ceph_gpg_keys:
- key_name: 'ceph'
keyserver: 'hkp://keyserver.ubuntu.com:80'
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
hash_id: '0xe84ac2c0460f3994'
- id: 460f3994
file: /etc/ssl/ceph-key
# The apt-key command won't del a key when you give it the hash_id, so we have
# to use the short key ID here instead.
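Review bot: The new default identifies the Ceph key only by the 32-bit short ID `460f3994`, which apt_key uses to decide whether the key is already present; short key IDs are not collision-resistant, so this presence check is weaker than one on the long ID `0xe84ac2c0460f3994` used by the removed `hash_id` entry or on the full fingerprint. The closing comment explains that `apt-key del` motivated the short form; it is worth confirming the module really needs it for removal, and in any case the full fingerprint should be recorded in the comment, e.g. `# fingerprint: <FULL-FINGERPRINT-HERE>`, so the vendored `files/gpg/460f3994` can be verified against it.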