Vendor in the RDO GPG keys to install

This way we avoid all networking failures. Copy RPM keys into correct place This patch copies the RPM keys into /etc/pki/rpm-gpg/ and maintains their original names. This should allow the LXC cache process to copy over the keys. Combined backport of: - https://review.openstack.org/515103 - https://review.openstack.org/515208 Change-Id: I07b04301629e3b2a176c210ed7989f8d699b7e8c
2017-10-25 16:07:21 +01:00 · 2017-10-25 16:07:21 +01:00 · 816b38f605
parent e9c025fd58
commit 816b38f605
4 changed files with 68 additions and 36 deletions
--- a/files/gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
+++ b/files/gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFVWcCcBCACfm3eQ0526/I0/p7HpR0NjK7K307XHhnbcbZv1sDUjQABDaqh0
+N4gnZcovf+3fj6pcdOmeOpGI0cKE7Fh68RbEIqyjB7l7+j1grjewR0oCFFZ38KGm
+j+DWQrj1IJW7JU5fH/G0Cu66ix+dJPcuTB3PJTqXN3ce+4TuG09D+epgwfbHlqaT
+pH2qHCu2uiGj/AaRSM/ZZzcInMaeleHSB+NChvaQ0W/m+kK5d/20d7sfkaTfI/pY
+SrodCfVTYxfKAd0TLW03kimHs5/Rdz+iZWecVKv6aFxzaywbrOjmOsy2q0kEWIwX
+MTZrq6cBRRuWyiXsI2zT2YHQ4UK44IxINiaJABEBAAG0WkNlbnRPUyBDbG91ZCBT
+SUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVyZXN0R3JvdXAv
+Q2xvdWQpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUCVVZwJwIbAwcL
+CQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPm5/ud2RCnmATUH/3HDtWxpFkmy
+FiA3VGkMt5dp3bgCRSd84X6Orfx1LARowpI4LomCGglGBGXVJePBacwcclorbLaz
+uWrW/wU0efz0aDB5c4NPg/yXfNvujvlda8ADJwZXVBQphzvaIKwl4PqBsEnxC10I
+93T/0iyphAhfMRJ5R8AbEHMj7uF+TWTX/JoyQagllMqWTwoP4DFRutPdOmmjwvSV
+kWItH7hq6z9+M4dhlqeoOvPbL5oCxX7TVmLck02Q5gI4syULOa7sqntzUQKFkhWp
+9U0+5KrBQBKezrurrrkq/WZR3WNE1KQfNQ77f7S2JcXJdOaKgJ7xe7Y2flPq98Aq
+wKXK7l1c3dc=
+=W6yF
+-----END PGP PUBLIC KEY BLOCK-----
--- a/files/gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization-RDO
+++ b/files/gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization-RDO
@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQENBFWB31YBCAC4dFmTzBDOcq4R1RbvQXLkyYfF+yXcsMA5kwZy7kjxnFqBoNPv
+aAjFm3e5huTw2BMZW0viLGJrHZGnsXsE5iNmzom2UgCtrvcG2f65OFGlC1HZ3ajA
+8ZIfdgNQkPpor61xqBCLzIsp55A7YuPNDvatk/+MqGdNv8Ug7iVmhQvI0p1bbaZR
+0GuavmC5EZ/+mDlZ2kHIQOUoInHqLJaX7iw46iLRUnvJ1vATOzTnKidoFapjhzIt
+i4ZSIRaalyJ4sT+oX4CoRzerNnUtIe2k9Hw6cEu4YKGCO7nnuXjMKz7Nz5GgP2Ou
+zIA/fcOmQkSGcn7FoXybWJ8DqBExvkJuDljPABEBAAG0bENlbnRPUyBWaXJ0dWFs
+aXphdGlvbiBTSUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVy
+ZXN0R3JvdXAvVmlydHVhbGl6YXRpb24pIDxzZWN1cml0eUBjZW50b3Mub3JnPokB
+OQQTAQIAIwUCVYHfVgIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEHrr
+voJh6IBsRd0H/A62i5CqfftuySOCE95xMxZRw8+voWO84QS9zYvDEnzcEQpNnHyo
+FNZTpKOghIDtETWxzpY2ThLixcZOTubT+6hUL1n+cuLDVMu4OVXBPoUkRy56defc
+qkWR+UVwQitmlq1ngzwmqVZaB8Hf/mFZiB3B3Jr4dvVgWXRv58jcXFOPb8DdUoAc
+S3u/FLvri92lCaXu08p8YSpFOfT5T55kFICeneqETNYS2E3iKLipHFOLh7EWGM5b
+Wsr7o0r+KltI4Ehy/TjvNX16fa/t9p5pUs8rKyG8SZndxJCsk0MW55G9HFvQ0FmP
+A6vX9WQmbP+ml7jsUxtEJ6MOGJ39jmaUvPc=
+=ZzP+
+-----END PGP PUBLIC KEY BLOCK-----
--- a/tasks/pre_install_yum.yml
+++ b/tasks/pre_install_yum.yml
@ -28,42 +28,34 @@
  tags:
    - add-repo-keys

- name: Get a list of RPM GPG keys
-  shell: "rpm -vv -q centos-release 2>&1 | grep 'to keyring'"
-  args:
-    warn: no
-  changed_when: False
-  register: current_rpm_keys
-  when:
-    - user_external_repo_key is not defined
-  tags:
-    - add-repo-keys
+# Copy all factored-in GPG keys.
+# KeyID 764429E6 from https://raw.githubusercontent.com/rdo-infra/centos-release-openstack/ocata-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud
+# KeyID 61E8806C from keyserver for rdo-qemu-ev
+- name: Copy validated GPG keys
+  copy:
+    src: "gpg/{{ item | basename }}"
+    dest: /etc/pki/rpm-gpg/
+    mode: '0644'
+  with_fileglob:
+    - "gpg/*"

- block:
-    - name: Import GPG keys for repositories if needed
-      shell: "rpm --define '%_hkp_keyserver http://pool.sks-keyservers.net' --import 0x{{ item.keyid  }}"
-      args:
-        warn: no
-      with_items:
-        - "{{ pip_install_rdo_repos_keys }}"
-      when:
-        - item.keyid | lower not in current_rpm_keys.stdout
-        - user_external_repo_key is not defined
-      tags:
-        - add-repo-keys
+- name: Ensure GPG keys have the correct SELinux contexts applied
+  command: restorecon -Rv /etc/pki/rpm-gpg/
+  changed_when: false

-  rescue:
-    - name: Import GPG keys for repositories if needed
-      shell: "rpm --import 0x{{ item.keyid  }}"
-      args:
-        warn: no
-      with_items:
-        - "{{ pip_install_rdo_repos_keys }}"
-      when:
-        - item.keyid | lower not in current_rpm_keys.stdout
-        - user_external_repo_key is not defined
-      tags:
-        - add-repo-keys
+# Handle gpg keys manually
+- name: Install gpg keys
+  rpm_key:
+    key: "{{ key.keyfile | default(key.key) }}"
+    validate_certs: "{{ key.validate_certs | default(omit) }}"
+    state: "{{ key.state | default('present') }}"
+  with_items: "{{ pip_install_rdo_repos_keys }}"
+  loop_control:
+    loop_var: key
+  register: _add_yum_keys
+  until: _add_yum_keys | success
+  retries: 5
+  delay: 2

 - name: Check for existing yum repositories
  shell: "yum-config-manager | grep 'repo:'"
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -35,9 +35,9 @@ pip_install_remove_distro_packages:

 pip_install_rdo_repos_keys:
  - repo: openstack-pike
-    keyid: 764429E6
+    keyfile: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
  - repo: rdo-qemu-ev
-    keyid: 61E8806C
+    keyfile: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization-RDO

 pip_install_rdo_repos:
  - file: rdo-qemu-ev