Vendor in the RDO GPG keys to install

This way we avoid all networking failures. Change-Id: If95de543d2a2a7ad22435900e7923fc942cdd297
2017-10-25 15:01:54 +00:00 · 2017-10-25 15:01:54 +00:00 · 926290de04
parent 31305eda68
commit 926290de04
4 changed files with 64 additions and 38 deletions
--- a/files/gpg/61E8806C
+++ b/files/gpg/61E8806C
@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQENBFWB31YBCAC4dFmTzBDOcq4R1RbvQXLkyYfF+yXcsMA5kwZy7kjxnFqBoNPv
+aAjFm3e5huTw2BMZW0viLGJrHZGnsXsE5iNmzom2UgCtrvcG2f65OFGlC1HZ3ajA
+8ZIfdgNQkPpor61xqBCLzIsp55A7YuPNDvatk/+MqGdNv8Ug7iVmhQvI0p1bbaZR
+0GuavmC5EZ/+mDlZ2kHIQOUoInHqLJaX7iw46iLRUnvJ1vATOzTnKidoFapjhzIt
+i4ZSIRaalyJ4sT+oX4CoRzerNnUtIe2k9Hw6cEu4YKGCO7nnuXjMKz7Nz5GgP2Ou
+zIA/fcOmQkSGcn7FoXybWJ8DqBExvkJuDljPABEBAAG0bENlbnRPUyBWaXJ0dWFs
+aXphdGlvbiBTSUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVy
+ZXN0R3JvdXAvVmlydHVhbGl6YXRpb24pIDxzZWN1cml0eUBjZW50b3Mub3JnPokB
+OQQTAQIAIwUCVYHfVgIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEHrr
+voJh6IBsRd0H/A62i5CqfftuySOCE95xMxZRw8+voWO84QS9zYvDEnzcEQpNnHyo
+FNZTpKOghIDtETWxzpY2ThLixcZOTubT+6hUL1n+cuLDVMu4OVXBPoUkRy56defc
+qkWR+UVwQitmlq1ngzwmqVZaB8Hf/mFZiB3B3Jr4dvVgWXRv58jcXFOPb8DdUoAc
+S3u/FLvri92lCaXu08p8YSpFOfT5T55kFICeneqETNYS2E3iKLipHFOLh7EWGM5b
+Wsr7o0r+KltI4Ehy/TjvNX16fa/t9p5pUs8rKyG8SZndxJCsk0MW55G9HFvQ0FmP
+A6vX9WQmbP+ml7jsUxtEJ6MOGJ39jmaUvPc=
+=ZzP+
+-----END PGP PUBLIC KEY BLOCK-----
--- a/files/gpg/764429E6
+++ b/files/gpg/764429E6
@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFVWcCcBCACfm3eQ0526/I0/p7HpR0NjK7K307XHhnbcbZv1sDUjQABDaqh0
+N4gnZcovf+3fj6pcdOmeOpGI0cKE7Fh68RbEIqyjB7l7+j1grjewR0oCFFZ38KGm
+j+DWQrj1IJW7JU5fH/G0Cu66ix+dJPcuTB3PJTqXN3ce+4TuG09D+epgwfbHlqaT
+pH2qHCu2uiGj/AaRSM/ZZzcInMaeleHSB+NChvaQ0W/m+kK5d/20d7sfkaTfI/pY
+SrodCfVTYxfKAd0TLW03kimHs5/Rdz+iZWecVKv6aFxzaywbrOjmOsy2q0kEWIwX
+MTZrq6cBRRuWyiXsI2zT2YHQ4UK44IxINiaJABEBAAG0WkNlbnRPUyBDbG91ZCBT
+SUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVyZXN0R3JvdXAv
+Q2xvdWQpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUCVVZwJwIbAwcL
+CQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPm5/ud2RCnmATUH/3HDtWxpFkmy
+FiA3VGkMt5dp3bgCRSd84X6Orfx1LARowpI4LomCGglGBGXVJePBacwcclorbLaz
+uWrW/wU0efz0aDB5c4NPg/yXfNvujvlda8ADJwZXVBQphzvaIKwl4PqBsEnxC10I
+93T/0iyphAhfMRJ5R8AbEHMj7uF+TWTX/JoyQagllMqWTwoP4DFRutPdOmmjwvSV
+kWItH7hq6z9+M4dhlqeoOvPbL5oCxX7TVmLck02Q5gI4syULOa7sqntzUQKFkhWp
+9U0+5KrBQBKezrurrrkq/WZR3WNE1KQfNQ77f7S2JcXJdOaKgJ7xe7Y2flPq98Aq
+wKXK7l1c3dc=
+=W6yF
+-----END PGP PUBLIC KEY BLOCK-----
--- a/tasks/openstack_host_install_yum.yml
+++ b/tasks/openstack_host_install_yum.yml
@ -21,43 +21,29 @@
    - openstack-yum-packages
    - openstack-packages

- name: Get a list of RPM GPG keys
-  shell: "rpm -vv -q centos-release 2>&1 | grep 'to keyring'"
-  args:
-    warn: no
-  changed_when: False
-  register: current_rpm_keys
-  tags:
-    - openstack-yum-packages
-    - openstack-packages
+# Copy all factored-in GPG keys.
+# KeyID 764429E6 from https://raw.githubusercontent.com/rdo-infra/centos-release-openstack/ocata-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud
+# KeyID 61E8806C from keyserver for rdo-qemu-ev
+- name: Copy validated GPG keys
+  copy:
+    src: "gpg/{{ item | basename }}"
+    dest: /tmp/
+  with_fileglob:
+    - "gpg/*"

- block:
-    - name: Import GPG keys for repositories if needed
-      shell: "rpm --define '%_hkp_keyserver http://pool.sks-keyservers.net' --import 0x{{ item.keyid  }}"
-      args:
-        warn: no
-      with_items:
-        - "{{ openstack_host_rdo_repos_keys }}"
-      when:
-        - item.keyid | lower not in current_rpm_keys.stdout
-        - user_external_repo_key is not defined
-      tags:
-        - openstack-yum-packages
-        - openstack-packages
-
-  rescue:
-    - name: Import GPG keys for repositories if needed
-      shell: "rpm --import 0x{{ item.keyid  }}"
-      args:
-        warn: no
-      with_items:
-        - "{{ openstack_host_rdo_repos_keys }}"
-      when:
-        - item.keyid | lower not in current_rpm_keys.stdout
-        - user_external_repo_key is not defined
-      tags:
-        - openstack-yum-packages
-        - openstack-packages
+# Handle gpg keys manually
+- name: Install gpg keys
+  rpm_key:
+    key: "{{ key.keyfile | default(key.key) }}"
+    validate_certs: "{{ key.validate_certs | default(omit) }}"
+    state: "{{ key.state | default('present') }}"
+  with_items: "{{ openstack_host_rdo_repos_keys }}"
+  loop_control:
+    loop_var: key
+  register: _add_yum_keys
+  until: _add_yum_keys | success
+  retries: 5
+  delay: 2

 - name: Check for existing yum repositories
  shell: "yum-config-manager | grep 'repo:'"
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -81,9 +81,9 @@ openstack_host_required_distro_packages:

 openstack_host_rdo_repos_keys:
  - repo: openstack-pike
-    keyid: 764429E6
+    keyfile: /tmp/764429E6
  - repo: rdo-qemu-ev
-    keyid: 61E8806C
+    keyfile: /tmp/61E8806C

 openstack_host_rdo_repos:
  - file: rdo-qemu-ev