Use in-repo GPG keys
We make remote network hits to get the GPG keys which are quite
unreliable, and apt_key does not support using a proxy properly [1]
so let's store them inside the role and use them.
The implementation here matches that which was done in the
galera_client role in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83
This is a re-implementation rather than a backport - the Stein
(aka master) branch only uses the 'distro' install method, so
this code path is not exercised.
Also note that the Erlang yum gpg key and the rabbitmq yum gpg key
are the same, and the Erlang key was never imported - so we've
removed it.
[1] https://github.com/ansible/ansible/issues/31691
Closes-Bug: 1810533
Change-Id: I2715c904975b7940af72bd422904e748d3bae953
(cherry picked from commit 83affc627f)
This commit is contained in:
Jesse Pretorius
parent
3aad60868e
commit
582fd291d8
|
|
@ -58,6 +58,15 @@ rabbitmq_release_version: "{{ _rabbitmq_release_version }}"
|
|||
rabbitmq_package_sha256: "{{ _rabbitmq_package_sha256 }}"
|
||||
rabbitmq_package_path: "{{ _rabbitmq_package_path }}"
|
||||
|
||||
# Set the gpg keys needed to be imported
|
||||
# This should be a list of dicts, with each dict
|
||||
# giving a set of arguments to the applicable
|
||||
# package module. The following is an example for
|
||||
# systems using the apt package manager.
|
||||
# rabbitmq_gpg_keys:
|
||||
# - id: '0xC2E73424D59097AB'
|
||||
# keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||
# validate_certs: no
|
||||
rabbitmq_gpg_keys: "{{ _rabbitmq_gpg_keys }}"
|
||||
|
||||
# Set the URL for the RabbitMQ repository
|
||||
|
|
|
|||
|
|
@ -0,0 +1,65 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1.4.11 (GNU/Linux)
|
||||
|
||||
mQINBFu7jVkBEADBO7bMOw3KxZG5rJGpyZ/eUegI3qSvt1NtPqTp91oiCOAU4w3C
|
||||
PorCUnMQt/GMMZImlUSlvcd9aIfBaNFXSYWOiKNoKNsJSs790dpXeEScg82M8r+i
|
||||
VZUYh9lrwePtV9mU8jiVLwX0DzEfpuazPdAZY7UaKG/tJGErDYclNs+i7TcbQAca
|
||||
TT39uCM811L488OngXn2lepKUFgbEJ94dWDF8KuO8us0zP2ylTBGavDPo8m5DpaT
|
||||
ZU9t0Emwc8nsr+DAUA9E3/fY77jXITDJdhw3LK9CvLkXwlxLccMuZhaaj1L7izhZ
|
||||
1tH+kusFG0QVaZveG+MrIFPy9kgLIZ8/2HI83ZSjevu4h6Sq2qtl8hMWtPZuw8MN
|
||||
GrzgWRkuRxzZ0LMQG6uvXR1y/yy2eMcIthvyMAoUs1luuUqQKKzNkX+8FaSXikcb
|
||||
oRyjXUWLbE2MdWewsb+YO9i4dqO2KZcF4ryUIA85suHVqRYlRy1/HCB1jyMTGZC7
|
||||
LEnW+S8YRMiMifP2xTXduyrBQil4r8NqRT+G8GsE3p6RbVormIlwB3Kx6TIcPYP/
|
||||
ErOnL23TdMtYeIQnkctV67o6zxTz/9JNW1DL+YVbx2B4YOrDbiW+OvU74BKNU9lD
|
||||
zeBUdGa31SBL7nF9iEQ1FBVc+/HEbxKA7Zd/6tDBS+/iU+USbTrSgrN+RQARAQAB
|
||||
tHVodHRwczovL3BhY2thZ2VjbG91ZC5pby9yYWJiaXRtcS9yYWJiaXRtcS1zZXJ2
|
||||
ZXIgKGh0dHBzOi8vcGFja2FnZWNsb3VkLmlvL2RvY3MjZ3BnX3NpZ25pbmcpIDxz
|
||||
dXBwb3J0QHBhY2thZ2VjbG91ZC5pbz6JAjgEEwECACIFAlu7jVkCGy8GCwkIBwMC
|
||||
BhUIAgkKCwQWAgMBAh4BAheAAAoJEPTniSBNIG+JASgP/3Rc3A1OWDvbcAt1TRfT
|
||||
fHT7kniepAc76o/kBd2WJ5aT3wp634SWXS6+/fl8u/mz6FIYE14k6tmMlFW7i7IO
|
||||
8WY1BADBKUDvcbZ8eAVa5hx2wQesMrKrhnO/c+YRkqM4/008Pa2QkACzUDh4c0qD
|
||||
f/ZLD/BuBnfVDwGcYQbZwzKiCwRIxLXHyhD4KriQCdrDce/SlJhVoCnngIc+sEeY
|
||||
/R9VmORo3Lh5TRs5ivTZCB8eWXezudXTQq5oyXsu2gs4EyNsRnUD0bFx7aRsuFZS
|
||||
vu56wUgvlSo7C+ZJ8wYIcjYzap7ezOPbGbMH2E7IZ9BXEMV/85sQjK875VWeoLAr
|
||||
okzy9ydDzChgaBn92/0k1bbQyLIVCxIStGPQHCM8XbBhciSwlzXrH70QB4KlEbQN
|
||||
Kt0CpNznF50gR3gWzenO+j6NEENmMcyvKrZwjbdOKJ5sjeLBoLZTIpGqrwctz97r
|
||||
6BhCd5SZ5uqUo1twO+cwkDK/z5k5S8GNoHbejuidiFbd+FNSRx6CNDdoYI8DsyDj
|
||||
1cTGFdPHYTNPraIIYV2f1mYFXUWG28OSwkxH2vVqZhyMKtFDv23Qwng+sQaTPkSd
|
||||
KyolYNxH6HW+rynJkZDZ+Mr0zNSjQu7+WYT2d98E/JIZKW6Wonr6TPYhjrIUHOVq
|
||||
hiqfhAf2EmsI539P9SJneiSvuQINBFu7jVkBEADIrsPaPST3/NGiwCss6pducMmk
|
||||
FiC9R8O+vRTpBz1gJkEzEhHani28fJNWuhYHWCDAIoUuprvgbnM3+EtrzVATPy7u
|
||||
FD1fB0bxEVy2Bvsa2PQ5Z0Wz24OftzXCYUAp2IhOjdK3wNzTLd4o14vnQCcplGD7
|
||||
/5uVvY0bQ4Ejpo/pYxQQhQqHrLZzP2t/O6nxtOVkosxGE9ozsjIuNAttNYhBSvS6
|
||||
C4Skp0ycIPjAybvxRCOFshiAjiwwSslZOCNiPpuXjfRqndlhDyZGpRyzH02x7myj
|
||||
/gga551qym3j+LswUYId/ayVZZn7ZqtCQPQkU2tMpjxatFbqT6469UdbEqjbq5hH
|
||||
MylQVXp1gf7VHmgYa+wzjO+ZZC/Bdp3SPc3NmHJXGDIzUrp8e2tc7oF1E4BBCxX0
|
||||
Lu+GbgARsQIsbaY3BSJTIJErtltzK8YIcALbSiVR9GKRqPDQY8EQIs9eXgQh5O8u
|
||||
NjCNswFqbf1U7Kbe99zvrWoZZpl/il3sOSCLbukVa9dZhpvfATBdbpZnn4XFrzes
|
||||
5nssy4VbuLDpF1r2q6T4tdJIjYweTs4acf2sAsaVZJugM6qb5Nlrv5hOvmWnlqmC
|
||||
TYPICrFcBQYvYleu1lcr/tHMOC18iplRiUQ0jIZP/gxrDDyBnKnhPGP0hEeOtTsc
|
||||
vFxC3ddEKLLwaFvSGQARAQABiQQ+BBgBAgAJBQJbu41ZAhsuAikJEPTniSBNIG+J
|
||||
wV0gBBkBAgAGBQJbu41ZAAoJEPZgnmDcYoFOaM8P/3CyZAaPE1C06S3p2DE8L7u/
|
||||
GOOTxn7XCqApReBwo5hdw9cGMWPe/gJzrWs+ZulIsGqJeGeKeaHtyGp1m6n/P/4T
|
||||
6CDHLmCNsAPySu8s6JOhjQ01IuMn9Z/wRtISpAbNTbT6n2A/p12CCJhi+G6dywYh
|
||||
BbBN6YkDxd0VkY6gLb42rxgtLQlXOCLJ9GWxAHoBz1bi7e4/ErhIqPJKxDiqyNzS
|
||||
8EFlLQWSkWFNzyyBYTA1FD26s2hWFPqqKW4D92qLd393S8wvmRbDgBS2+rikqQri
|
||||
8Co/2cSs4k+vmkghyd9IrNMa1XERbYZz4XPpheKFMXibdRR+opL6oUG2lc5M6kAw
|
||||
v94ObWZJxYdyJ61NyZiUaeg6K/6x/6oRDTudVNe1StRANbtxcfCp3MvCRMN62Epk
|
||||
HnwnXJA11G12Zm6RhurWrYww+v3GQ7HKP11ABWkekds/FUQ6DaGTYHwvnO1ZBCOq
|
||||
HANM636X8a2EJnoR3dUHMdB6xuo7gyv47JPpunPLt00N6gI/Oblpo9vKFvSXiKc3
|
||||
MfQhj7SjtwJkd/NC7JU5e1juy5hvFBSG7ZxLUwm18Xh4kJ1Czxi2BkP3sw9DXk+7
|
||||
5nWVnfQ4hYQ9VhYwtru1RTJUirO9fGi8/1b6JWG7+blifGqjNBTX5lVSE1Vgp7QD
|
||||
/Jl1/RyoFw5s2uZjA+1+oCgP+QFvBiTKRPMKS7N5qNZ4pHPXbI8vBGQP3tPNTgFz
|
||||
no8yfdx97hhoVSPcRgZta6n1S1DC/qd6lGuabGwHBzhI2InNY/AeFMpQnyoltS6c
|
||||
w23lJUVhb0937KDb9/cDfGE6tqwqJM605VPU+5tKTWBgIN3s9LdcpkWAd02qVdhb
|
||||
tQ98+s5BI1nxNzYr8uexuFMDaJjB/Yk0YPo14Q8oee50dZv1PryXNt3BSfUdoW/e
|
||||
gcUshx0r35gzQhMqucqXjo4xaG4gNTH7e0WBVTzsSHC03huZytHxZkTIyhnpuIgX
|
||||
hy+z2LpaP5xqJUfcrnhr2+O/j67g+Ha+O0605TgKsm0NBbPVbr6411/BNekQt6gk
|
||||
qorHnOwFofysX2yI500i+XU7q0lqgc0ajg1laiILSAoK4q/NLTsvrqVHEd5Sbods
|
||||
1bfYxeBJnihHkZm/GDDE8T4hdldVSgugifsz601WfStl3QB/Iz3R4ea+OYJ4ccER
|
||||
w0mMCSZe5beBd65M6vufBsfOaVxFnCLhuXyTOs8d4Su0LvIZnzdknmWiTBnAYme+
|
||||
8pW2QDeOJE3UgpLD0V3fg8fREQ+7VvoHSwCrm5Iv71Cl6gndNaK5EjviSjxUzovl
|
||||
b2YnngicVK1goXboBQeRmP5qAd8sO32sSejyfaBq1Dalh8D+85z2I8SsU1JU+D0B
|
||||
PF1z
|
||||
=AD8w
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1.4.10 (GNU/Linux)
|
||||
Version: GnuPG v1
|
||||
|
||||
mQINBE8v+uABEACgAlBUDDjc6PF7uI6mlTGnkemHF4trRINtocZKzvyKBmN+pPiV
|
||||
CjJ3o6NwGmN/McHHyN1sB40n5IZbPtECi5hm+GmHWTkPG0jNQ0f9VDxoIb2eK/Xn
|
||||
|
|
@ -49,4 +49,4 @@ lvijXzabGtFaVDmxV5oGHW8orpirR3CMgn0DKE5QcH8412d9ByvjK3UcmBTwEnQk
|
|||
Og0Ce4+ypBIERtufK1osg9lALv/abGtow2S6pdzfdFlISyiLA3HOUQ/spkuPvAe8
|
||||
ctmKvzuuerI6mVQjg/80PJ4fEV0=
|
||||
=VAR1
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
The data structure for ``rabbitmq_gpg_keys`` has been changed to be
|
||||
a dict passed directly to the applicable apt_key/rpm_key module. As such
|
||||
any overrides would need to be reviewed to ensure that they do not pass
|
||||
any key/value pairs which would cause the module to fail.
|
||||
- |
|
||||
The default values for ``rabbitmq_gpg_keys`` have been changed for
|
||||
all supported platforms will use vendored keys. This means that the task
|
||||
execution will no longer reach out to the internet to add the keys,
|
||||
making offline or proxy-based installations easier and more reliable.
|
||||
|
|
@ -27,38 +27,26 @@
|
|||
version: "{{ rabbitmq_erlang_version_spec }}"
|
||||
priority: 1000
|
||||
|
||||
- block:
|
||||
- name: Add rabbitmq apt-keys
|
||||
apt_key:
|
||||
id: "{{ item.hash_id }}"
|
||||
keyserver: "{{ item.keyserver | default(omit) }}"
|
||||
data: "{{ item.data | default(omit) }}"
|
||||
url: "{{ item.url | default(omit) }}"
|
||||
state: "present"
|
||||
register: add_keys
|
||||
until: add_keys is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: "{{ rabbitmq_gpg_keys }}"
|
||||
tags:
|
||||
- rabbitmq-apt-keys
|
||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||
copy:
|
||||
src: "gpg/{{ item.id }}"
|
||||
dest: "{{ item.file }}"
|
||||
mode: '0644'
|
||||
with_items: "{{ rabbitmq_gpg_keys | selectattr('file','defined') | list }}"
|
||||
tags:
|
||||
- rabbitmq-apt-keys
|
||||
|
||||
rescue:
|
||||
- name: Add rabbitmq apt-keys using fallback keyserver
|
||||
apt_key:
|
||||
id: "{{ item.hash_id }}"
|
||||
keyserver: "{{ item.fallback_keyserver | default(omit) }}"
|
||||
url: "{{ item.fallback_url | default(omit) }}"
|
||||
state: "present"
|
||||
register: add_keys_fallback
|
||||
until: add_keys_fallback is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: "{{ rabbitmq_gpg_keys }}"
|
||||
when:
|
||||
- (item.fallback_keyserver is defined or item.fallback_url is defined)
|
||||
tags:
|
||||
- rabbitmq-apt-keys
|
||||
- name: Install gpg keys
|
||||
apt_key: "{{ key }}"
|
||||
with_items: "{{ rabbitmq_gpg_keys }}"
|
||||
loop_control:
|
||||
loop_var: key
|
||||
register: _add_apt_keys
|
||||
until: _add_apt_keys is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
tags:
|
||||
- rabbitmq-apt-keys
|
||||
|
||||
# When updating the cache in the apt_repository
|
||||
# task, and the update fails, a retry does not
|
||||
|
|
|
|||
|
|
@ -17,17 +17,22 @@
|
|||
when:
|
||||
- rabbitmq_install_method != 'distro'
|
||||
block:
|
||||
- name: Copy GPG keys
|
||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/pki/rpm-gpg/{{ item }}"
|
||||
src: "gpg/{{ item.key | basename }}"
|
||||
dest: "{{ item.key }}"
|
||||
mode: '0644'
|
||||
with_items: "{{ rabbitmq_gpg_keys }}"
|
||||
|
||||
- name: Add GPG keys
|
||||
rpm_key:
|
||||
state: present
|
||||
key: "/etc/pki/rpm-gpg/{{ item }}"
|
||||
- name: Install gpg keys
|
||||
rpm_key: "{{ key }}"
|
||||
with_items: "{{ rabbitmq_gpg_keys }}"
|
||||
loop_control:
|
||||
loop_var: key
|
||||
register: _add_yum_keys
|
||||
until: _add_yum_keys is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
|
||||
- name: Install RabbitMQ yum mirror
|
||||
yum_repository:
|
||||
|
|
|
|||
|
|
@ -22,17 +22,22 @@
|
|||
when:
|
||||
- rabbitmq_install_method != 'distro'
|
||||
block:
|
||||
- name: Copy GPG keys
|
||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/pki/rpm-gpg/{{ item }}"
|
||||
src: "gpg/{{ item.key | basename }}"
|
||||
dest: "{{ item.key }}"
|
||||
mode: '0644'
|
||||
with_items: "{{ rabbitmq_gpg_keys }}"
|
||||
|
||||
- name: Add GPG keys
|
||||
rpm_key:
|
||||
state: present
|
||||
key: "/etc/pki/rpm-gpg/{{ item }}"
|
||||
- name: Install gpg keys
|
||||
rpm_key: "{{ key }}"
|
||||
with_items: "{{ rabbitmq_gpg_keys }}"
|
||||
loop_control:
|
||||
loop_var: key
|
||||
register: _add_zypper_keys
|
||||
until: _add_zypper_keys is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
|
||||
# NOTE(hwoarang) For the upgrade job we fetch the old version from upstream and the new one from OBS. zypper gets upset if you
|
||||
# get the updaded package during an update so you need to pass --force to actually force such a change. However, --force forces a
|
||||
|
|
|
|||
|
|
@ -21,8 +21,8 @@ _rabbitmq_package_sha256: "1a40596279f901e31d1ebc4f75b1360b603745f3bed79d4260f70
|
|||
_rabbitmq_package_path: "/opt/rabbitmq-server.rpm"
|
||||
|
||||
_rabbitmq_gpg_keys:
|
||||
- RPM-GPG-KEY-RabbitMQ
|
||||
- RPM-GPG-KEY-PackageCloud
|
||||
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-RabbitMQ
|
||||
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-PackageCloud
|
||||
|
||||
_rabbitmq_repo_url: "https://packagecloud.io/rabbitmq/rabbitmq-server/el/7/$basearch"
|
||||
_rabbitmq_repo:
|
||||
|
|
|
|||
|
|
@ -24,8 +24,8 @@ _rabbitmq_package_sha256: "58a1d5242c84cae1752f149eaf2f4d26d2d886eb5812c8eaf4c98
|
|||
_rabbitmq_package_path: "/opt/rabbitmq-server.rpm"
|
||||
|
||||
_rabbitmq_gpg_keys:
|
||||
- RPM-GPG-KEY-RabbitMQ
|
||||
- RPM-GPG-KEY-Erlang
|
||||
- key: /etc/pki/RPM-GPG-KEY-RabbitMQ
|
||||
- key: /etc/pki/RPM-GPG-KEY-PackageCloud
|
||||
|
||||
rabbitmq_distro_packages:
|
||||
- rabbitmq-server
|
||||
|
|
|
|||
|
|
@ -21,14 +21,10 @@ _rabbitmq_package_sha256: "156163a595b5cd648ae80008eb7080392aab1de843b364b1760ec
|
|||
_rabbitmq_package_path: "/opt/rabbitmq-server.deb"
|
||||
|
||||
_rabbitmq_gpg_keys:
|
||||
- key_name: 'rabbitmq'
|
||||
keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
|
||||
hash_id: '0x6B73A36E6026DFCA'
|
||||
- key_name: 'erlang_solutions'
|
||||
keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
|
||||
hash_id: '0xd208507ca14f4fca'
|
||||
- id: 4D206F89
|
||||
file: /etc/ssl/packagecloud-key
|
||||
- id: A14F4FCA
|
||||
file: /etc/ssl/erlang-key
|
||||
|
||||
_rabbitmq_repo_url: "http://www.rabbitmq.com/debian"
|
||||
_rabbitmq_repo:
|
||||
|
|
|
|||
|
|
@ -21,14 +21,10 @@ _rabbitmq_package_sha256: "72939a9474110daa158a395a60c73baaf84c896aa530efcc9ef31
|
|||
_rabbitmq_package_path: "/opt/rabbitmq-server.deb"
|
||||
|
||||
_rabbitmq_gpg_keys:
|
||||
- key_name: 'rabbitmq'
|
||||
keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
|
||||
hash_id: '0x6B73A36E6026DFCA'
|
||||
- key_name: 'erlang_solutions'
|
||||
keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
|
||||
hash_id: '0xd208507ca14f4fca'
|
||||
- id: 4D206F89
|
||||
file: /etc/ssl/packagecloud-key
|
||||
- id: A14F4FCA
|
||||
file: /etc/ssl/erlang-key
|
||||
|
||||
_rabbitmq_repo_url: "http://www.rabbitmq.com/debian"
|
||||
_rabbitmq_repo:
|
||||
|
|
|
|||
Loading…
Reference in New Issue