From 08c4f96e0ab418e5d17ecac9f0e575dd1de64ded Mon Sep 17 00:00:00 2001
From: Major Hayden <major@mhtx.net>
Date: Mon, 27 Mar 2017 07:58:58 -0500
Subject: [PATCH] Install RDO release RPM without GPG checks

The RDO release RPM isn't signed, but all of the repositories it
configures have GPG signing enabled. Although CentOS normally doesn't
check GPG signatures for packages that are installed locally, the
security role enables those checks for all local packages.

Change-Id: I7823f386a510e2e35d79f9a1046ad48f7e58db7c
---
 common-tasks/test-set-nodepool-vars.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common-tasks/test-set-nodepool-vars.yml b/common-tasks/test-set-nodepool-vars.yml
index 67d41348..fbaa5297 100644
--- a/common-tasks/test-set-nodepool-vars.yml
+++ b/common-tasks/test-set-nodepool-vars.yml
@@ -34,10 +34,15 @@
   when:
     - ansible_os_family == 'Debian'
 
+# NOTE(mhayden): GPG checking for local package installs is normally disabled
+# by default in CentOS, but the openstack-ansible-security role enables GPG
+# checking for local packages. The RDO repository package isn't signed, but the
+# repos it installs have GPG checking enabled.
 - name: Install the RDO release package
   yum:
     name: "https://repos.fedorapeople.org/repos/openstack/openstack-ocata/rdo-release-ocata.rpm"
     state: "present"
+    disable_gpg_check: yes
   when:
     - ansible_pkg_mgr == 'yum'