From 14daf3972f3e7a36ff45ad9c3d13321a4ea720c0 Mon Sep 17 00:00:00 2001
From: Matt Thompson
Date: Tue, 29 Sep 2015 14:22:25 +0100
Subject: [PATCH] Update ceph key hash
Ceph packages are currently failing to install due to [1]. This commit updates ceph_client/defaults/main.yml to use the latest Ceph signing key. Additionally, we add a new variable ceph_revoked_gpg_keys and task to ensure revoked keys get removed.
[1] http://ceph.com/releases/important-security-notice-regarding-signing-key-and-binary-downloads-of-ceph/
Change-Id: I3c3f69c0eb471982c314816ae90a69458e48ded6
---
defaults/main.yml | 6 +++++-
tasks/ceph_preinstall.yml | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index be58c77..ee20661 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -29,8 +29,12 @@ ceph_gpg_keys: - key_name: 'ceph' keyserver: 'hkp://keyserver.ubuntu.com:80' fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
- hash_id: '0x7ebfdd5d17ed316d'
+ hash_id: '0xe84ac2c0460f3994'
+# The apt-key command won't del a key when you give it the hash_id, so we have
+# to use the short key ID here instead.
+ceph_revoked_gpg_keys:
+ - '17ED316D' # Ceph Repositories ceph_apt_repo_url_region: "www" # or "eu" for Netherlands based mirror
diff --git a/tasks/ceph_preinstall.yml b/tasks/ceph_preinstall.yml
index 6994398..32d3c14 100644
--- a/tasks/ceph_preinstall.yml
+++ b/tasks/ceph_preinstall.yml
@@ -13,6 +13,15 @@ # See the License for the specific language governing permissions and # limitations under the License.
+- name: Remove revoked ceph apt-keys
+ apt_key:
+ id: "{{ item }}"
+ state: "absent"
+ register: revoke_keys
+ with_items: ceph_revoked_gpg_keys
+ tags:
+ - ceph-apt-keys + - name: Add ceph apt-keys apt_key: id: "{{ item.hash_id }}"
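Review bot: The new `hash_id: '0xe84ac2c0460f3994'` still identifies the replacement key by a 64-bit key ID fetched over cleartext hkp on port 80 (`keyserver: 'hkp://keyserver.ubuntu.com:80'` and the sks fallback), so what lands in apt's trusted keyring depends on an unauthenticated keyserver answer to an ID lookup rather than on the key itself — a weak link to keep while rotating away from a compromised signing key. Key IDs are not unique: whoever can upload a colliding key to the keyserver, or tamper with the unencrypted transfer, can get a different key installed under this name. Pin the full 40-hex fingerprint instead (apt_key's `id` accepts it, and recent gpg versions are expected to reject a fetched key whose fingerprint does not match — confirm on the target release), or fetch the key with apt_key's `url:` from an HTTPS location the Ceph project controls. The short `'17ED316D'` in `ceph_revoked_gpg_keys` is fine for deletion, since the worst a collision can do there is remove an extra key.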
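Review bot: The removal task at `- name: Remove revoked ceph apt-keys` reports success whether or not the compromised key is actually gone: apt_key with `state: "absent"` is presumably a no-op when it finds no key matching `id: "{{ item }}"`, and the defaults comment already records that the long `hash_id` form is not matched for deletion, so a mismatch in how the ID is compared would leave the revoked key trusted without any error. Since the point of this change is to stop trusting that key, add a check after the removal that fails the play if the short ID is still listed; on gpg1-based apt-key the listing shows it as `pub 4096R/17ED316D`, while gpg2 prints a spaced full fingerprint, so confirm the pattern on the target release. While here, `with_items: ceph_revoked_gpg_keys` should be the templated form `with_items: "{{ ceph_revoked_gpg_keys }}"` for forward compatibility; the `- name: Add ceph apt-keys` task continues outside the hunk.
```yaml
# … unchanged: Remove revoked ceph apt-keys task …
- name: Verify revoked ceph apt-keys are no longer trusted
  shell: apt-key list | grep -i "{{ item }}"
  register: revoked_key_check
  failed_when: revoked_key_check.rc == 0
  changed_when: false
  with_items: "{{ ceph_revoked_gpg_keys }}"
  tags:
    - ceph-apt-keys
```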
@@ -52,3 +61,14 @@ tags: - ceph-repos
+# This is being added specifically for when a key is revoked, but should apply
+# to other tasks also. The cache needs updating after changing keys but
+# ceph_install.yml (where packages get installed) only does so if cache > 600
+# seconds.
+- name: Update apt cache
+ apt:
+ update_cache: yes
+ when: revoke_keys|changed or add_keys|changed or add_keys_fallback|changed or add_repos|changed
+ tags:
+ - ceph-apt-keys
+ - ceph-repos
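Review bot: `update_cache: yes` on the new `- name: Update apt cache` task should be the canonical boolean `update_cache: true`; `yes` is a YAML 1.1 truthy spelling that yamllint flags and that a YAML 1.2 parser reads as a string. The `when:` line depends on `add_keys`, `add_keys_fallback` and `add_repos`, which are registered by tasks outside this hunk, so the condition fails with an undefined variable if any of those registrations is ever dropped or renamed — a short comment naming the source would make that coupling visible, e.g. `# add_keys / add_keys_fallback / add_repos are registered by the key and repo tasks above`. The refresh itself is the right call after rotating keys, since a stale cache would presumably keep serving index data that was verified under the revoked key until it expired.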