Merge "Normalise in-repo GPG key implementation"

Zuul 2018-12-18 14:44:28 +00:00 committed by Gerrit Code Review
commit 1d84ae7ae0
10 changed files with 40 additions and 38 deletions


@ -51,6 +51,14 @@ galera_repo_url: "{{ _galera_repo_url }}"
galera_repo: "{{ _galera_repo }}"
# Set the gpg keys needed to be imported
# This should be a list of dicts, with each dict
# giving a set of arguments to the applicable
# package module. The following is an example for
# systems using the apt package manager.
# galera_gpg_keys:
# - id: '0xF1656F24C74CD1D8'
# keyserver: 'hkp://keyserver.ubuntu.com:80'
# validate_certs: no
galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"
# Set the rpo information for the Percona Xtrabackup repository
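Review bot: The commented example for `galera_gpg_keys` pairs `validate_certs: no` with a plain `hkp://keyserver.ubuntu.com:80` keyserver, so the only documented override pattern is a key fetched with certificate checking switched off. Because each dict is handed to the package module as-is, an operator who copies the example gets exactly that behaviour. I would drop the `validate_certs` line from the example, or show the vendored form the role's own defaults use, e.g. `# - id: 'C74CD1D8'` with `#   file: '/etc/ssl/mariadb-key'`. If a boolean stays in the example, write it as `false` rather than `no`.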


@ -0,0 +1,12 @@
---
upgrade:
- |
The data structure for ``galera_gpg_keys`` has been changed to be
a dict passed directly to the applicable apt_key/rpm_key module. As such
any overrides would need to be reviewed to ensure that they do not pass
any key/value pairs which would cause the module to fail.
- |
The default values for ``galera_gpg_keys`` have been changed for
all supported platforms will use vendored keys. This means that the task
execution will no longer reach out to the internet to add the keys,
making offline or proxy-based installations easier and more reliable.


@ -20,16 +20,13 @@
- name: If a keyfile is provided, copy the gpg keyfile to the key location
copy:
src: "{{ item.keyfile }}"
dest: "{{ item.key }}"
src: "gpg/{{ item.id }}"
dest: "{{ item.file }}"
mode: '0644'
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}"
- name: Install gpg keys
apt_key:
id: "{{ key.id }}"
file: "{{ key.key | default(omit) }}"
state: "{{ key.state | default('present') }}"
apt_key: "{{ key }}"
with_items: "{{ galera_gpg_keys }}"
loop_control:
loop_var: key
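Review bot: `apt_key: "{{ key }}"` forwards every key/value pair of each `galera_gpg_keys` entry to the module, so nothing in the task limits which options an override can set: `url`, `keyserver` or `validate_certs` reach `apt_key` unchecked, and a misspelt field fails only at run time. The same pattern is introduced for `rpm_key` in the two later task sections. The release note asks operators to review their overrides, but the role could enforce it with an `assert` task before the loop, using a condition such as `(key.keys() | list | difference(['id', 'file', 'state'])) | length == 0` with whatever field list the role intends to support. As far as I know, Ansible's own FAQ also cautions against bulk-setting a task's arguments from a variable when its contents are not fully under the playbook author's control.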


@ -51,16 +51,13 @@
- name: If a keyfile is provided, copy the gpg keyfile to the key location
copy:
src: "{{ item.keyfile }}"
src: "gpg/{{ item.key | basename }}"
dest: "{{ item.key }}"
mode: '0644'
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
with_items: "{{ galera_gpg_keys }}"
- name: Install gpg keys
rpm_key:
key: "{{ key.key }}"
validate_certs: "{{ key.validate_certs | default(omit) }}"
state: "{{ key.state | default('present') }}"
rpm_key: "{{ key }}"
with_items: "{{ galera_gpg_keys }}"
loop_control:
loop_var: key
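Review bot: The copy task now loops over every `galera_gpg_keys` entry with no filter, so it assumes each `key` is a local destination path that has a same-named file under the role's `gpg/` directory. An override that sets `key` to a URL, which `rpm_key` accepts, would make the copy fail or resolve an unintended source through `item.key | basename`. The vendored source file is also now chosen by the destination's basename rather than by a key ID, so the variable no longer names which key is expected. I would either guard the copy, e.g. `when: item.key is match('^/')`, or state the constraint above the task: `# Each entry's key must be an absolute path whose basename exists under gpg/`. The zypper task section that follows has the same unfiltered loop.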


@ -32,21 +32,18 @@
- name: If a keyfile is provided, copy the gpg keyfile to the key location
copy:
src: "{{ item.keyfile }}"
src: "gpg/{{ item.key | basename }}"
dest: "{{ item.key }}"
mode: '0644'
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
with_items: "{{ galera_gpg_keys }}"
- name: Install gpg keys
rpm_key:
key: "{{ key.key }}"
validate_certs: "{{ key.validate_certs | default(omit) }}"
state: "{{ key.state | default('present') }}"
rpm_key: "{{ key }}"
with_items: "{{ galera_gpg_keys }}"
loop_control:
loop_var: key
register: _add_yum_keys
until: _add_yum_keys is success
register: _add_zypper_keys
until: _add_zypper_keys is success
retries: 5
delay: 2


@ -16,13 +16,9 @@
# Galera GPG Keys
_galera_gpg_keys:
# MariaDB Package Signing Key <package-signing-key@mariadb.org>
- name: mariadb
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
keyfile: 'gpg/1BB943DB'
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
# Percona MySQL Development Team <mysql-dev@percona.com>
- key_name: percona
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
keyfile: 'gpg/CD2EFD2A'
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
# Default private device setting
# This provides some additional security, but it causes problems with creating
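Review bot: The two entries no longer say which key is expected at each path. The removed `keyfile: 'gpg/1BB943DB'` and `keyfile: 'gpg/CD2EFD2A'` values, which appear to be the key IDs, were the only place that identity was recorded, and the vendored file is now picked by the destination's basename. Someone auditing a later change to the vendored files has nothing in the vars to compare against. Keeping the ID in the comment would preserve that, e.g. `# MariaDB Package Signing Key <package-signing-key@mariadb.org> (key ID 1BB943DB)` and likewise `(key ID CD2EFD2A)` for Percona. The SUSE vars section that follows has the same gap for its MariaDB entry.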


@ -15,9 +15,8 @@
# Galera GPG Keys
_galera_gpg_keys:
- name: mariadb
key: /etc/pki/RPM-GPG-KEY-MariaDB
keyfile: 'gpg/1BB943DB'
# MariaDB Package Signing Key <package-signing-key@mariadb.org>
- key: /etc/pki/RPM-GPG-KEY-MariaDB
# Default private device setting
_galera_disable_privatedevices: yes


@ -22,15 +22,11 @@ _galera_disable_privatedevices: yes
# Galera GPG Keys
_galera_gpg_keys:
# MariaDB Signing Key <signing-key@mariadb.org>
- name: mariadb
id: C74CD1D8
key: /etc/ssl/mariadb-key
keyfile: 'gpg/C74CD1D8'
- id: C74CD1D8
file: /etc/ssl/mariadb-key
# Percona MySQL Development Team (Packaging key) <mysql-dev@percona.com>
- key_name: percona
id: 8507EFA5
key: /etc/ssl/percona-pkg-key
keyfile: 'gpg/8507EFA5'
- id: 8507EFA5
file: /etc/ssl/percona-pkg-key
galera_server_required_distro_packages:
- apt-transport-https
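Review bot: `id: C74CD1D8` and `id: 8507EFA5` are 32-bit short key IDs, which are known to be cheap to collide. As far as I know `apt_key` uses `id` to decide whether the key is already present, so a different key with the same short ID already in the keyring could satisfy the task without the vendored file being imported. The defaults example in this commit already shows the long form for the MariaDB key, `id: '0xF1656F24C74CD1D8'`; using the long ID or full fingerprint here, and `id: '<PERCONA_KEY_FINGERPRINT>'` for Percona, would tighten that. The apt copy task builds the vendored file name from `gpg/{{ item.id }}`, so the files would need renaming along with it. Quoting the values also keeps an all-digit or exponent-like ID from being parsed as a number.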