Use in-repo GPG keys

We make remote network hits to get the GPG keys which are quite unreliable, and apt_key does not support using a proxy properly [1] so this change installs them from files inside the role. The implementation here is derived from that which was done in the galera_server role in I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528. [1] https://github.com/ansible/ansible/issues/31691 Change-Id: Id040de19dbefc820851928c9a3589f20a6b4bd61 Closes-Bug: #1815430
2019-02-13 18:27:39 +00:00 · 2019-02-13 18:27:39 +00:00 · 58be4bd5e3
commit 58be4bd5e3
parent 0a724692fd
8 changed files with 166 additions and 51 deletions
--- a/files/gpg/460f3994
+++ b/files/gpg/460f3994
@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: keyserver.ubuntu.com
+
+mQINBFX4hgkBEADLqn6O+UFp+ZuwccNldwvh5PzEwKUPlXKPLjQfXlQRig1flpCHE0HJ5wgG
+lCtYd3Ol9f9+qU24kDNzfbs5bud58BeE7zFaZ4s0JMOMuVm7p8JhsvkUC/Lo/7NFh25e4kgJ
+pjvnwua7c2YrA44ggRb1QT19ueOZLK5wCQ1mR+0GdrcHRCLr7Sdw1d7aLxMT+5nvqfzsmbDu
+llsWOD6RnMdcqhOxZZvpay8OeuK+yb8FVQ4sOIzBFiNi5cNOFFHg+8dZQoDrK3BpwNxYdGHs
+YIwU9u6DWWqXybBnB9jd2pve9PlzQUbOeHEa4Z+jPqxY829f4ldaql7ig8e6BaInTfs2wPnH
+J+606g2UH86QUmrVAjVzlLCmnqoGymoAPGA4ObHu9X3kO8viMBId9FzooVqR8a9En7ZE0Dm9
+O7puzXR7A1f5sHozJdYHnr32I+B8iOixhDUtxIY4GA8biGATNaPd8XR2Ca1hPuZRVuIiGG9H
+DqUEtXhVfY5qjTjaThIVKtYgEkWMT+Wet3DPPiWT3ftNOE907e6EWEBCHgsEuuZnAbku1GgD
+LBH4/a/yo9bNvGZKRaTUM/1TXhM5XgVKjd07B4cChgKypAVHvef3HKfCG2U/DkyALjteHt/V
+807MtSlQyYaXUTGtDCrQPSlMK5TjmqUnDwy6Qdq8dtWN3DtBWQARAQABtCpDZXBoLmNvbSAo
+cmVsZWFzZSBrZXkpIDxzZWN1cml0eUBjZXBoLmNvbT6JAjgEEwECACIFAlX4hgkCGwMGCwkI
+BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOhKwsBGDzmUXdIQAI8YPcZMBWdv489q8CzxlfRI
+RZ3Gv/G/8CH+EOExcmkVZ89mVHngCdAPDOYCl8twWXC1lwJuLDBtkUOHXNuR5+Jcl5zFOUyl
+dq1Hv8u03vjnGT7lLJkJoqpGl9QD8nBqRvBU7EM+CU7kP8+09b+088pULil+8x46PwgXkvOQ
+wfVKSOr740Q4J4nm/nUOyTNtToYntmt2fAVWDTIuyPpAqA6jcqSOC7Xoz9cYxkVWnYMLBUyS
+XmSS0uxl3p+wK0lMG0my/gb+alke5PAQjcE5dtXYzCn+8Lj0uSfCk8Gy0ZOK2oiUjaCGYN6D
+u72qDRFBnR3jaoFqi03bGBIMnglGuAPyBZiI7LJgzuT9xumjKTJW3kN4YJxMNYu1FzmIyFZp
+yvZ7930vB2UpCOiIaRdZiX4Z6ZN2frD3a/vBxBNqiNh/BO+Dex+PDfI4TqwF8zlcjt4XZ2te
+Q8nNMR/D8oiYTUW8hwR4laEmDy7ASxe0p5aijmUApWq5UTsF+s/QbwugccU0iR5orksM5u9M
+ZH4J/mFGKzOltfGXNLYI6D5Mtwrnyi0BsF5eY0u6vkdivtdqrq2DXY+ftuqLOQ7b+t1Rctbc
+MHGPptlxFuN9ufP5TiTWSpfqDwmHCLsTk2vFiMwcHdLpQ1IH8ORVRgPPsiBnBOJ/kIiXG2Sx
+PUTjjEGOVgeA
+=/Tod
+-----END PGP PUBLIC KEY BLOCK-----
--- a/files/gpg/RPM-GPG-KEY-EPEL-7
+++ b/files/gpg/RPM-GPG-KEY-EPEL-7
@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB
+OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm
+jYWhmRlLRGl0OO7gIwj776dIXvcMNFlzSPj00N2xAqjMbjlnV2n2abAE5gq6VpqP
+vFXVyfrVa/ualogDVmf6h2t4Rdpifq8qTHsHFU3xpCz+T6/dGWKGQ42ZQfTaLnDM
+jToAsmY0AyevkIbX6iZVtzGvanYpPcWW4X0RDPcpqfFNZk643xI4lsZ+Y2Er9Yu5
+S/8x0ly+tmmIokaE0wwbdUu740YTZjCesroYWiRg5zuQ2xfKxJoV5E+Eh+tYwGDJ
+n6HfWhRgnudRRwvuJ45ztYVtKulKw8QQpd2STWrcQQDJaRWmnMooX/PATTjCBExB
+9dkz38Druvk7IkHMtsIqlkAOQMdsX1d3Tov6BE2XDjIG0zFxLduJGbVwc/6rIc95
+T055j36Ez0HrjxdpTGOOHxRqMK5m9flFbaxxtDnS7w77WqzW7HjFrD0VeTx2vnjj
+GqchHEQpfDpFOzb8LTFhgYidyRNUflQY35WLOzLNV+pV3eQ3Jg11UFwelSNLqfQf
+uFRGc+zcwkNjHh5yPvm9odR1BIfqJ6sKGPGbtPNXo7ERMRypWyRz0zi0twARAQAB
+tChGZWRvcmEgRVBFTCAoNykgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
+AgAiBQJSrmiEAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBqL66iNSxk
+5cfGD/4spqpsTjtDM7qpytKLHKruZtvuWiqt5RfvT9ww9GUUFMZ4ZZGX4nUXg49q
+ixDLayWR8ddG/s5kyOi3C0uX/6inzaYyRg+Bh70brqKUK14F1BrrPi29eaKfG+Gu
+MFtXdBG2a7OtPmw3yuKmq9Epv6B0mP6E5KSdvSRSqJWtGcA6wRS/wDzXJENHp5re
+9Ism3CYydpy0GLRA5wo4fPB5uLdUhLEUDvh2KK//fMjja3o0L+SNz8N0aDZyn5Ax
+CU9RB3EHcTecFgoy5umRj99BZrebR1NO+4gBrivIfdvD4fJNfNBHXwhSH9ACGCNv
+HnXVjHQF9iHWApKkRIeh8Fr2n5dtfJEF7SEX8GbX7FbsWo29kXMrVgNqHNyDnfAB
+VoPubgQdtJZJkVZAkaHrMu8AytwT62Q4eNqmJI1aWbZQNI5jWYqc6RKuCK6/F99q
+thFT9gJO17+yRuL6Uv2/vgzVR1RGdwVLKwlUjGPAjYflpCQwWMAASxiv9uPyYPHc
+ErSrbRG0wjIfAR3vus1OSOx3xZHZpXFfmQTsDP7zVROLzV98R3JwFAxJ4/xqeON4
+vCPFU6OsT3lWQ8w7il5ohY95wmujfr6lk89kEzJdOTzcn7DBbUru33CQMGKZ3Evt
+RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw==
+=hdPa
+-----END PGP PUBLIC KEY BLOCK-----
--- a/files/gpg/ceph_com_keys_release
+++ b/files/gpg/ceph_com_keys_release
@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFX4hgkBEADLqn6O+UFp+ZuwccNldwvh5PzEwKUPlXKPLjQfXlQRig1flpCH
+E0HJ5wgGlCtYd3Ol9f9+qU24kDNzfbs5bud58BeE7zFaZ4s0JMOMuVm7p8JhsvkU
+C/Lo/7NFh25e4kgJpjvnwua7c2YrA44ggRb1QT19ueOZLK5wCQ1mR+0GdrcHRCLr
+7Sdw1d7aLxMT+5nvqfzsmbDullsWOD6RnMdcqhOxZZvpay8OeuK+yb8FVQ4sOIzB
+FiNi5cNOFFHg+8dZQoDrK3BpwNxYdGHsYIwU9u6DWWqXybBnB9jd2pve9PlzQUbO
+eHEa4Z+jPqxY829f4ldaql7ig8e6BaInTfs2wPnHJ+606g2UH86QUmrVAjVzlLCm
+nqoGymoAPGA4ObHu9X3kO8viMBId9FzooVqR8a9En7ZE0Dm9O7puzXR7A1f5sHoz
+JdYHnr32I+B8iOixhDUtxIY4GA8biGATNaPd8XR2Ca1hPuZRVuIiGG9HDqUEtXhV
+fY5qjTjaThIVKtYgEkWMT+Wet3DPPiWT3ftNOE907e6EWEBCHgsEuuZnAbku1GgD
+LBH4/a/yo9bNvGZKRaTUM/1TXhM5XgVKjd07B4cChgKypAVHvef3HKfCG2U/DkyA
+LjteHt/V807MtSlQyYaXUTGtDCrQPSlMK5TjmqUnDwy6Qdq8dtWN3DtBWQARAQAB
+tCpDZXBoLmNvbSAocmVsZWFzZSBrZXkpIDxzZWN1cml0eUBjZXBoLmNvbT6JAjgE
+EwECACIFAlX4hgkCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOhKwsBG
+DzmUXdIQAI8YPcZMBWdv489q8CzxlfRIRZ3Gv/G/8CH+EOExcmkVZ89mVHngCdAP
+DOYCl8twWXC1lwJuLDBtkUOHXNuR5+Jcl5zFOUyldq1Hv8u03vjnGT7lLJkJoqpG
+l9QD8nBqRvBU7EM+CU7kP8+09b+088pULil+8x46PwgXkvOQwfVKSOr740Q4J4nm
+/nUOyTNtToYntmt2fAVWDTIuyPpAqA6jcqSOC7Xoz9cYxkVWnYMLBUySXmSS0uxl
+3p+wK0lMG0my/gb+alke5PAQjcE5dtXYzCn+8Lj0uSfCk8Gy0ZOK2oiUjaCGYN6D
+u72qDRFBnR3jaoFqi03bGBIMnglGuAPyBZiI7LJgzuT9xumjKTJW3kN4YJxMNYu1
+FzmIyFZpyvZ7930vB2UpCOiIaRdZiX4Z6ZN2frD3a/vBxBNqiNh/BO+Dex+PDfI4
+TqwF8zlcjt4XZ2teQ8nNMR/D8oiYTUW8hwR4laEmDy7ASxe0p5aijmUApWq5UTsF
+s/QbwugccU0iR5orksM5u9MZH4J/mFGKzOltfGXNLYI6D5Mtwrnyi0BsF5eY0u6
+vkdivtdqrq2DXY+ftuqLOQ7b+t1RctbcMHGPptlxFuN9ufP5TiTWSpfqDwmHCLsT
+k2vFiMwcHdLpQ1IH8ORVRgPPsiBnBOJ/kIiXG2SxPUTjjEGOVgeA
+=/Tod
+-----END PGP PUBLIC KEY BLOCK-----
--- a/releasenotes/notes/use_vendored_gpg_keys-f268bd4f4cb7d105.yaml
+++ b/releasenotes/notes/use_vendored_gpg_keys-f268bd4f4cb7d105.yaml
@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    The data structure for ``ceph_gpg_keys`` has been changed to be a list of
+    dicts, each of which is passed directly to the applicable apt_key/rpm_key
+    module. As such any overrides would need to be reviewed to ensure that they
+    do not pass any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``ceph_gpg_keys`` have been changed for all
+    supported platforms and now use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.
+  - |
+    A new value ``epel_gpg_keys`` can be overridden to use a different GPG key
+    for the EPEL-7 RPM package repo instead of the vendored key used by default.
+
--- a/tasks/ceph_preinstall_apt.yml
+++ b/tasks/ceph_preinstall_apt.yml
@ -22,38 +22,24 @@
  when:
    - ceph_pkg_source == 'ceph'

- name: Add ceph apt-keys
-  block:
-    - name: Add keys (primary keyserver)
-      apt_key:
-        id: "{{ item.hash_id }}"
-        keyserver: "{{ item.keyserver | default(omit) }}"
-        data: "{{ item.data | default(omit) }}"
-        url: "{{ item.url | default(omit) }}"
-        state: "present"
-      register: add_keys
-      until: add_keys is success
-      retries: 5
-      delay: 2
-      with_items: "{{ ceph_gpg_keys }}"
-      when:
-        - ceph_pkg_source == 'ceph'
+- name: If a keyfile is provided, copy the gpg keyfile to the key location
+  copy:
+    src: "gpg/{{ item.id }}"
+    dest: "{{ item.file }}"
+    mode: '0644'
+  with_items: "{{ ceph_gpg_keys | selectattr('file','defined') | list }}"

-  rescue:
-    - name: Add keys (fallback keyserver)
-      apt_key:
-        id: "{{ item.hash_id }}"
-        keyserver: "{{ item.fallback_keyserver | default(omit) }}"
-        url: "{{ item.fallback_url | default(omit) }}"
-        state: "present"
-      register: add_keys_fallback
-      until: add_keys_fallback is success
-      retries: 5
-      delay: 2
-      with_items: "{{ ceph_gpg_keys }}"
-      when:
-        - ceph_pkg_source == 'ceph'
-        - item.fallback_keyserver is defined or item.fallback_url is defined
+- name: Add ceph apt-keys
+  apt_key: "{{ key }}"
+  with_items: "{{ ceph_gpg_keys }}"
+  loop_control:
+    loop_var: key
+  register: add_apt_keys
+  until: add_apt_keys is success
+  retries: 5
+  delay: 2
+  when:
+    - ceph_pkg_source == 'ceph'

 - name: add ubuntu cloud archive key package
  apt:
--- a/tasks/ceph_preinstall_yum.yml
+++ b/tasks/ceph_preinstall_yum.yml
@ -13,14 +13,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Install EPEL gpg keys
-  rpm_key:
-    key: "http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7"
-    state: present
+- name: Copy EPEL gpg keyfile to the key location
+  copy:
+    src: "gpg/{{ item.key | basename }}"
+    dest: "{{ item.key }}"
+    mode: '0644'
+  with_items: "{{ epel_gpg_keys }}"
  when:
    - ansible_pkg_mgr in ['yum','dnf']
-  register: _add_yum_keys
-  until: _add_yum_keys is success
+
+- name: Install EPEL gpg keys
+  rpm_key: "{{ key }}"
+  with_items: "{{ epel_gpg_keys }}"
+  loop_control:
+    loop_var: key
+  when:
+    - ansible_pkg_mgr in ['yum','dnf']
+  register: _add_epel_keys
+  until: _add_epel_keys is success
  retries: 5
  delay: 2

@ -40,18 +50,27 @@
  retries: 5
  delay: 2

- name: Add ceph rpm key
-  rpm_key:
-    key: "{{ ceph_gpg_keys }}"
-    state: "present"
-  register: add_keys
-  until: add_keys is success
-  failed_when: false
-  retries: 5
-  delay: 2
+- name: Copy Ceph gpg keyfile to the key location
+  copy:
+    src: "gpg/{{ item.key | basename }}"
+    dest: "{{ item.key }}"
+    mode: '0644'
+  with_items: "{{ ceph_gpg_keys }}"
  when:
    - ceph_pkg_source == 'ceph'

+- name: Install Ceph gpg keys
+  rpm_key: "{{ key }}"
+  with_items: "{{ ceph_gpg_keys }}"
+  loop_control:
+    loop_var: key
+  when:
+    - ceph_pkg_source == 'ceph'
+  register: _add_ceph_keys
+  until: _add_ceph_keys is success
+  retries: 5
+  delay: 2
+
 - name: Add ceph repo
  yum_repository:
    name: ceph
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -14,7 +14,14 @@
 # limitations under the License.

 # Ceph GPG Keys
-ceph_gpg_keys: 'https://download.ceph.com/keys/release.asc'
+ceph_gpg_keys:
+  # download.ceph.com/keys/release.asc
+  - key: /etc/pki/rpm-gpg/ceph_com_keys_release
+
+# EPEL GPG Keys
+epel_gpg_keys:
+  # Extra Packages for Enterprise Linux 7
+  - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

 libvirt_package: libvirt-daemon-kvm
 libvirt_service_name: libvirtd
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -18,11 +18,12 @@
 cache_timeout: 600

 # Ceph GPG Keys
+# This should be a list of dicts, with each dict giving
+# a valid set of arguments to the apt_key module. These
+# could specify either a key file or a URL.
 ceph_gpg_keys:
-  - key_name: 'ceph'
-    keyserver: 'hkp://keyserver.ubuntu.com:80'
-    fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
-    hash_id: '0xe84ac2c0460f3994'
+  - id: 460f3994
+    file: /etc/ssl/ceph-key

 # The apt-key command won't del a key when you give it the hash_id, so we have
 # to use the short key ID here instead.