Normalise in-repo GPG key implementation
To ensure that we have a consistent implementation between the galera_client and galera_server roles, we change the galera_server role to match galera_client as was done in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83 This updates it to a mechanism which will be easier to maintain. Change-Id: I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528
This commit is contained in:
Jesse Pretorius
Jonathan Rosser
parent
30bdc809bb
commit
c2b73bff52
|
|
@ -51,6 +51,14 @@ galera_repo_url: "{{ _galera_repo_url }}"
|
|||
galera_repo: "{{ _galera_repo }}"
|
||||
|
||||
# Set the gpg keys needed to be imported
|
||||
# This should be a list of dicts, with each dict
|
||||
# giving a set of arguments to the applicable
|
||||
# package module. The following is an example for
|
||||
# systems using the apt package manager.
|
||||
# galera_gpg_keys:
|
||||
# - id: '0xF1656F24C74CD1D8'
|
||||
# keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||
# validate_certs: no
|
||||
galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"
|
||||
|
||||
# Set the rpo information for the Percona Xtrabackup repository
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
The data structure for ``galera_gpg_keys`` has been changed to be
|
||||
a dict passed directly to the applicable apt_key/rpm_key module. As such
|
||||
any overrides would need to be reviewed to ensure that they do not pass
|
||||
any key/value pairs which would cause the module to fail.
|
||||
- |
|
||||
The default values for ``galera_gpg_keys`` have been changed for
|
||||
all supported platforms will use vendored keys. This means that the task
|
||||
execution will no longer reach out to the internet to add the keys,
|
||||
making offline or proxy-based installations easier and more reliable.
|
||||
|
|
@ -20,16 +20,13 @@
|
|||
|
||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||
copy:
|
||||
src: "{{ item.keyfile }}"
|
||||
dest: "{{ item.key }}"
|
||||
src: "gpg/{{ item.id }}"
|
||||
dest: "{{ item.file }}"
|
||||
mode: '0644'
|
||||
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
|
||||
with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}"
|
||||
|
||||
- name: Install gpg keys
|
||||
apt_key:
|
||||
id: "{{ key.id }}"
|
||||
file: "{{ key.key | default(omit) }}"
|
||||
state: "{{ key.state | default('present') }}"
|
||||
apt_key: "{{ key }}"
|
||||
with_items: "{{ galera_gpg_keys }}"
|
||||
loop_control:
|
||||
loop_var: key
|
||||
|
|
|
|||
|
|
@ -51,16 +51,13 @@
|
|||
|
||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||
copy:
|
||||
src: "{{ item.keyfile }}"
|
||||
src: "gpg/{{ item.key | basename }}"
|
||||
dest: "{{ item.key }}"
|
||||
mode: '0644'
|
||||
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
|
||||
with_items: "{{ galera_gpg_keys }}"
|
||||
|
||||
- name: Install gpg keys
|
||||
rpm_key:
|
||||
key: "{{ key.key }}"
|
||||
validate_certs: "{{ key.validate_certs | default(omit) }}"
|
||||
state: "{{ key.state | default('present') }}"
|
||||
rpm_key: "{{ key }}"
|
||||
with_items: "{{ galera_gpg_keys }}"
|
||||
loop_control:
|
||||
loop_var: key
|
||||
|
|
|
|||
|
|
@ -32,21 +32,18 @@
|
|||
|
||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||
copy:
|
||||
src: "{{ item.keyfile }}"
|
||||
src: "gpg/{{ item.key | basename }}"
|
||||
dest: "{{ item.key }}"
|
||||
mode: '0644'
|
||||
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
|
||||
with_items: "{{ galera_gpg_keys }}"
|
||||
|
||||
- name: Install gpg keys
|
||||
rpm_key:
|
||||
key: "{{ key.key }}"
|
||||
validate_certs: "{{ key.validate_certs | default(omit) }}"
|
||||
state: "{{ key.state | default('present') }}"
|
||||
rpm_key: "{{ key }}"
|
||||
with_items: "{{ galera_gpg_keys }}"
|
||||
loop_control:
|
||||
loop_var: key
|
||||
register: _add_yum_keys
|
||||
until: _add_yum_keys is success
|
||||
register: _add_zypper_keys
|
||||
until: _add_zypper_keys is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
|
||||
|
|
|
|||
|
|
@ -16,13 +16,9 @@
|
|||
# Galera GPG Keys
|
||||
_galera_gpg_keys:
|
||||
# MariaDB Package Signing Key <package-signing-key@mariadb.org>
|
||||
- name: mariadb
|
||||
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
|
||||
keyfile: 'gpg/1BB943DB'
|
||||
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
|
||||
# Percona MySQL Development Team <mysql-dev@percona.com>
|
||||
- key_name: percona
|
||||
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
|
||||
keyfile: 'gpg/CD2EFD2A'
|
||||
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
|
||||
|
||||
# Default private device setting
|
||||
# This provides some additional security, but it causes problems with creating
|
||||
|
|
|
|||
|
|
@ -15,9 +15,8 @@
|
|||
|
||||
# Galera GPG Keys
|
||||
_galera_gpg_keys:
|
||||
- name: mariadb
|
||||
key: /etc/pki/RPM-GPG-KEY-MariaDB
|
||||
keyfile: 'gpg/1BB943DB'
|
||||
# MariaDB Package Signing Key <package-signing-key@mariadb.org>
|
||||
- key: /etc/pki/RPM-GPG-KEY-MariaDB
|
||||
|
||||
# Default private device setting
|
||||
_galera_disable_privatedevices: yes
|
||||
|
|
|
|||
|
|
@ -22,15 +22,11 @@ _galera_disable_privatedevices: yes
|
|||
# Galera GPG Keys
|
||||
_galera_gpg_keys:
|
||||
# MariaDB Signing Key <signing-key@mariadb.org>
|
||||
- name: mariadb
|
||||
id: C74CD1D8
|
||||
key: /etc/ssl/mariadb-key
|
||||
keyfile: 'gpg/C74CD1D8'
|
||||
- id: C74CD1D8
|
||||
file: /etc/ssl/mariadb-key
|
||||
# Percona MySQL Development Team (Packaging key) <mysql-dev@percona.com>
|
||||
- key_name: percona
|
||||
id: 8507EFA5
|
||||
key: /etc/ssl/percona-pkg-key
|
||||
keyfile: 'gpg/8507EFA5'
|
||||
- id: 8507EFA5
|
||||
file: /etc/ssl/percona-pkg-key
|
||||
|
||||
galera_server_required_distro_packages:
|
||||
- apt-transport-https
|
||||
|
|
|
|||
Loading…
Reference in New Issue