diff --git a/defaults/main.yml b/defaults/main.yml
index ceec824a..d77b75dd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -51,6 +51,14 @@ galera_repo_url: "{{ _galera_repo_url }}"
 galera_repo: "{{ _galera_repo }}"
 # Set the gpg keys needed to be imported
+# This should be a list of dicts, with each dict
+# giving a set of arguments to the applicable
+# package module. The following is an example for
+# systems using the apt package manager.
+# galera_gpg_keys:
+# - id: '0xF1656F24C74CD1D8'
+# keyserver: 'hkp://keyserver.ubuntu.com:80'
+# validate_certs: no
 galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"
 # Set the rpo information for the Percona Xtrabackup repository
diff --git a/files/gpg/1BB943DB b/files/gpg/RPM-GPG-KEY-MariaDB
similarity index 100%
rename from files/gpg/1BB943DB
rename to files/gpg/RPM-GPG-KEY-MariaDB
diff --git a/files/gpg/CD2EFD2A b/files/gpg/RPM-GPG-KEY-percona
similarity index 100%
rename from files/gpg/CD2EFD2A
rename to files/gpg/RPM-GPG-KEY-percona
diff --git a/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml b/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
new file mode 100644
index 00000000..a690deca
--- /dev/null
+++ b/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The data structure for ``galera_gpg_keys`` has been changed to be
+ a dict passed directly to the applicable apt_key/rpm_key module. As such
+ any overrides would need to be reviewed to ensure that they do not pass
+ any key/value pairs which would cause the module to fail.
+ - |
+ The default values for ``galera_gpg_keys`` have been changed for
+ all supported platforms will use vendored keys. This means that the task
+ execution will no longer reach out to the internet to add the keys,
+ making offline or proxy-based installations easier and more reliable.
diff --git a/tasks/galera_install_apt.yml b/tasks/galera_install_apt.yml
index 793565e9..a107c059 100644
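Review bot: The documented example for `galera_gpg_keys` pairs a plaintext `hkp://keyserver.ubuntu.com:80` keyserver with `validate_certs: no`, which is the weakest configuration apt_key can be given and runs against the release note's stated goal of vendored keys and no network fetches. Because the release note says the dict is passed straight to apt_key, a caller who copies this example gets exactly that behaviour. Suggest replacing the example with the `id`/`file` shape the role's own vars now use, `#   - id: C74CD1D8` / `#     file: /etc/ssl/mariadb-key`, or at least dropping the `validate_certs: no` line; if a boolean is kept, write it as `false` rather than the YAML 1.1 `no`. The comment also does not say that a `file:` entry requires a matching vendored `files/gpg/<id>`, which the apt copy task relies on — worth one more comment line.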
--- a/tasks/galera_install_apt.yml
+++ b/tasks/galera_install_apt.yml
@@ -20,16 +20,13 @@
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
 copy:
- src: "{{ item.keyfile }}"
- dest: "{{ item.key }}"
+ src: "gpg/{{ item.id }}"
+ dest: "{{ item.file }}"
 mode: '0644'
- with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+ with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}"
 - name: Install gpg keys
- apt_key:
- id: "{{ key.id }}"
- file: "{{ key.key | default(omit) }}"
- state: "{{ key.state | default('present') }}"
+ apt_key: "{{ key }}"
 with_items: "{{ galera_gpg_keys }}"
 loop_control:
 loop_var: key
diff --git a/tasks/galera_install_yum.yml b/tasks/galera_install_yum.yml
index 2454afca..c90ef4cc 100644
--- a/tasks/galera_install_yum.yml
+++ b/tasks/galera_install_yum.yml
@@ -51,16 +51,13 @@
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
 copy:
- src: "{{ item.keyfile }}"
+ src: "gpg/{{ item.key | basename }}"
 dest: "{{ item.key }}"
 mode: '0644'
- with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+ with_items: "{{ galera_gpg_keys }}"
 - name: Install gpg keys
- rpm_key:
- key: "{{ key.key }}"
- validate_certs: "{{ key.validate_certs | default(omit) }}"
- state: "{{ key.state | default('present') }}"
+ rpm_key: "{{ key }}"
 with_items: "{{ galera_gpg_keys }}"
 loop_control:
 loop_var: key
diff --git a/tasks/galera_install_zypper.yml b/tasks/galera_install_zypper.yml
index 3040fe50..b960489e 100644
--- a/tasks/galera_install_zypper.yml
+++ b/tasks/galera_install_zypper.yml
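Review bot: The copy task now resolves the vendored source from `item.id` (`src: "gpg/{{ item.id }}"`) while the defaults comment presents `id` as an ordinary apt_key argument, so an override that supplies `file` together with an `id` that has no matching `files/gpg/<id>` fails at the copy step before apt_key runs, with nothing pointing at the cause. A comment on the task, `# file-based entries must ship a matching files/gpg/<id>; keyserver/url entries skip this step`, would make that contract visible, and the task name still says "keyfile" although the selector is now `file`. Since `apt_key: "{{ key }}"` passes the whole dict through, an old `name` or `keyfile` key left in an existing override now reaches the module as an unsupported argument; the release note warns about this but the defaults comment does not.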
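Review bot: The copy task now runs for every entry in `galera_gpg_keys` (`with_items: "{{ galera_gpg_keys }}"`) and derives its source from `item.key | basename`, so an override that uses rpm_key's URL form for `key` is no longer skipped: the basename of the URL is looked up under `files/gpg/` and the copy fails before rpm_key is reached. The same applies to the zypper hunk in `tasks/galera_install_zypper.yml`. Restoring a guard on the copy task, e.g. `when: item.key is not match('^https?://')`, or reintroducing a `selectattr` filter would keep the override path the release note describes, and the task name's "If a keyfile is provided" no longer matches an unconditional copy either. The lookup also couples each destination basename to the vendored filename (the renames to `RPM-GPG-KEY-MariaDB` and `RPM-GPG-KEY-percona` in this commit), which deserves a comment in `vars/redhat-7.yml` and `vars/suse.yml` so the two are not changed independently.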
@@ -32,21 +32,18 @@
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
 copy:
- src: "{{ item.keyfile }}"
+ src: "gpg/{{ item.key | basename }}"
 dest: "{{ item.key }}"
 mode: '0644'
- with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+ with_items: "{{ galera_gpg_keys }}"
 - name: Install gpg keys
- rpm_key:
- key: "{{ key.key }}"
- validate_certs: "{{ key.validate_certs | default(omit) }}"
- state: "{{ key.state | default('present') }}"
+ rpm_key: "{{ key }}"
 with_items: "{{ galera_gpg_keys }}"
 loop_control:
 loop_var: key
- register: _add_yum_keys
- until: _add_yum_keys is success
+ register: _add_zypper_keys
+ until: _add_zypper_keys is success
 retries: 5
 delay: 2
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 5994fcff..3484c712 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -16,13 +16,9 @@
 # Galera GPG Keys
 _galera_gpg_keys:
 # MariaDB Package Signing Key
- - name: mariadb
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
- keyfile: 'gpg/1BB943DB'
+ - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
 # Percona MySQL Development Team
- - key_name: percona
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
- keyfile: 'gpg/CD2EFD2A'
+ - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
 # Default private device setting
 # This provides some additional security, but it causes problems with creating
diff --git a/vars/suse.yml b/vars/suse.yml
index ce276313..d28ca8a4 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -15,9 +15,8 @@
 # Galera GPG Keys
 _galera_gpg_keys:
- - name: mariadb
- key: /etc/pki/RPM-GPG-KEY-MariaDB
- keyfile: 'gpg/1BB943DB'
+ # MariaDB Package Signing Key
+ - key: /etc/pki/RPM-GPG-KEY-MariaDB
 # Default private device setting
 _galera_disable_privatedevices: yes
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index 86f08775..fddbd348 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -22,15 +22,11 @@ _galera_disable_privatedevices: yes
 # Galera GPG Keys
 _galera_gpg_keys:
 # MariaDB Signing Key
- - name: mariadb
- id: C74CD1D8
- key: /etc/ssl/mariadb-key
- keyfile: 'gpg/C74CD1D8'
+ - id: C74CD1D8
+ file: /etc/ssl/mariadb-key
 # Percona MySQL Development Team (Packaging key)
- - key_name: percona
- id: 8507EFA5
- key: /etc/ssl/percona-pkg-key
- keyfile: 'gpg/8507EFA5'
+ - id: 8507EFA5
+ file: /etc/ssl/percona-pkg-key
 galera_server_required_distro_packages:
 - apt-transport-https
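Review bot: Both entries identify the key by an 8-hex short ID (`id: C74CD1D8`, `id: 8507EFA5`), which apt_key uses primarily to decide whether the key is already present, and short IDs are cheap to collide, so a different key carrying the same short ID in the keyring would make the import look already done. Since the key material is vendored, the full fingerprint can be read from the file and pinned here instead; the defaults example in this commit already shows a 16-hex long form (`0xF1656F24C74CD1D8`), so the role could standardise on at least that length. The apt copy task also resolves the vendored source from this same `id` (`src: "gpg/{{ item.id }}"`), so any change to the identifier must be mirrored in the `files/gpg/` filename — a comment above each entry, `# must match the filename under files/gpg/`, would save the next editor a failed run.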