Allow the usage of own repos instead of uca/rdo

If a deployer has a mirror of uca/rdo, it probably wants to use it. Defining the URL currently works, but that process wouldn't work if the mirror is using a different key. This commit keeps the current behavior of using UCA with signing packages from upstream everywhere, but with this change, you can also define your own mirror (CentOS/Ubuntu) with your own key. Change-Id: Icd9c3b6b7b824cb5cb29fd745777e4c6148e6481 Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
2017-02-10 15:50:01 +00:00 · 2017-02-10 15:50:01 +00:00 · 27669f193c
parent dd3cf42a4f
commit 27669f193c
2 changed files with 104 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -16,6 +16,40 @@
 uca_enable: True
 uca_apt_repo_url: "http://ubuntu-cloud.archive.canonical.com/ubuntu"

+# If you want to use your own keys for UCA or RDO (instead of ubuntu or
+# CentOS defaults), please define user_external_repo_key dict with
+# keys/values corresponding to the ansible module arguments for your
+# distribution.
+#
+# For CentOS you'd define the following:
+#user_external_repo_key:
+#  key: https://my-repo.example.com/signing-key.asc
+# You could also use key: <keyid> from a keyserver, see ansible rpm_key doc.
+# Validate cert option from the module is also supported.
+# In CentOS, refusing to use the RDO package also forces you to add your own
+# repository. See below to know how to include your own repository.
+#
+# For Ubuntu, you'd define the following:
+#user_external_repo_key:
+#  url: https://my-repo.example.com/signing-key.asc
+# This leverages apt_key module, and passes the id, keyserver, and url argument.
+# Therefore, you can ensure the id of the key you want to import with id: <keyid>
+# or replace the source url with a keyserver.
+
+# If you have defined another set of keys you want to include, the chances are
+# high you want to give also your own repository.
+# For CentOS, define the following dict+key/values:
+#user_external_repo:
+#  name: "mymirror"
+#  baseurl: "http://mymirrorurl/baseurl/"
+#See also gpgcheck, gpgkey, description of the Ansible yum_repository module
+# For Ubuntu, define something like the following:
+#user_external_repo:
+#  repo: "deb http://mymirrorurl/ubuntu/ xenial main"
+#  filename: "mymirror"
+# If your mirror includes UCA mirroring, you may then want to disable using uca
+# by setting in your user variables uca_enable: False
+
 # Set the package install state for distribution packages
 # Options are 'present' and 'latest'
 pip_install_package_state: "latest"
--- a/tasks/pre_install.yml
+++ b/tasks/pre_install.yml
@ -20,10 +20,13 @@
  when:
    - ansible_pkg_mgr == 'apt'

- name: Install external repo key package
+# Under CentOS, this will add the repo and its key to the keyring
+# Under Ubuntu, this will only add the key
+- name: Install external repo key with package
  package:
    name: "{{ pip_install_external_repo_key_package }}"
    state: "{{ pip_install_package_state }}"
+  when: user_external_repo_key is not defined
  tags:
    - add-repo-keys

@ -43,6 +46,72 @@
  tags:
    - add-uca-repo

+- name: Install external repo key manually (apt)
+  apt_key:
+    id: "{{ user_external_repo_key.id | default(omit) }}"
+    keyserver: "{{ user_external_repo_key.keyserver | default(omit) }}"
+    url: "{{ user_external_repo_key.url | default(omit) }}"
+    state: present
+  when:
+    - ansible_pkg_mgr == 'apt'
+    - user_external_repo_key is defined
+  register: add_keys
+  until: add_keys|success
+  retries: 5
+  delay: 2
+  tags:
+    - add-repo-keys
+
+- name: Install external repo key manually (rpm)
+  rpm_key:
+    key: "{{ user_external_repo_key.key }}"
+    validate_certs: "{{ user_external_repo_key.validate_certs | default(omit) }}"
+    state: present
+  when:
+    - ansible_pkg_mgr == 'yum'
+    - user_external_repo_key is defined
+  register: add_keys
+  until: add_keys|success
+  retries: 5
+  delay: 2
+  tags:
+    - add-repo-keys
+
+- name: Install external repo manually (apt)
+  apt_repository:
+    repo: "{{ user_external_repo.repo }}"
+    state: "{{ user_external_repo.state | default('present') }}"
+    update_cache: yes
+    filename: "{{ user_external_repo.filename | default(omit) }}"
+  register: user_external_repo
+  until: user_external_repo|success
+  retries: 5
+  delay: 2
+  when:
+    - ansible_pkg_mgr == 'apt'
+    - user_external_repo is defined
+  tags:
+    - add-external-repo
+
+- name: Install external repo manually (yum)
+  yum_repository:
+    name: "{{ user_external_repo.name }}"
+    description: "{{ user_external_repo.description | default(omit) }}"
+    baseurl: "{{ user_external_repo.baseurl | default(omit) }}"
+    gpgkey: "{{ user_external_repo.gpgkey | default(omit) }}"
+    gpgcheck: "{{ user_external_repo.gpgcheck | default(omit) }}"
+    enabled: "{{ user_external_repo.enabled | default('yes') }}"
+  register: user_external_repo
+  until: user_external_repo|success
+  retries: 5
+  delay: 2
+  when:
+    - ansible_pkg_mgr == 'yum'
+    - user_external_repo is defined
+    - user_external_repo.name is defined
+  tags:
+    - add-external-repo
+
 - name: Install packages
  package:
    name: "{{ item }}"