
Normalise in-repo GPG key implementation

To ensure that we have a consistent implementation
between the galera_client and galera_server roles,
we change the galera_server role to match galera_client,
as was done in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83.

This updates it to a mechanism which will be easier to
maintain.

Change-Id: I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528
Jesse Pretorius 4 months ago
parent
commit
c2b73bff52

+ 8
- 0
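--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -51,6 +51,14 @@ galera_repo_url: "{{ _galera_repo_url }}"
 galera_repo: "{{ _galera_repo }}"
 
 # Set the gpg keys needed to be imported
+# This should be a list of dicts, with each dict
+# giving a set of arguments to the applicable
+# package module. The following is an example for
+# systems using the apt package manager.
+# galera_gpg_keys:
+#   - id: '0xF1656F24C74CD1D8'
+#     keyserver: 'hkp://keyserver.ubuntu.com:80'
+#     validate_certs: no
 galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"
 
 # Set the rpo information for the Percona Xtrabackup repository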
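Review bot: The documented example on the new comment lines shows the network-retrieval form with `validate_certs: no`, which disables TLS verification for a keyserver fetch and is written as a bare `no` that only YAML 1.1 parsers read as a boolean, while the role's own defaults in vars/ubuntu.yml use the vendored `id`/`file` form that the copy task consumes. Since the release note advertises offline installs via vendored keys, the example would be more useful if it showed that form, e.g. `#   - id: '0xF1656F24C74CD1D8'` followed by `#     file: /etc/ssl/mariadb-key`, plus a sentence that `file` entries must have a matching key shipped under files/gpg/ named after `id`. If the keyserver form is kept as a second example, write `validate_certs: false` and say plainly that it should stay enabled, because the fetched key becomes the trust root for package signature verification.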

files/gpg/1BB943DB → files/gpg/RPM-GPG-KEY-MariaDB View File


files/gpg/CD2EFD2A → files/gpg/RPM-GPG-KEY-percona View File


+ 12
- 0
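--- /dev/null
+++ b/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    The data structure for ``galera_gpg_keys`` has been changed to be
+    a dict passed directly to the applicable apt_key/rpm_key module. As such
+    any overrides would need to be reviewed to ensure that they do not pass
+    any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``galera_gpg_keys`` have been changed for
+    all supported platforms will use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.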

+ 4
- 7
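--- a/tasks/galera_install_apt.yml
+++ b/tasks/galera_install_apt.yml
@@ -20,16 +20,13 @@
 
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
   copy:
-    src: "{{ item.keyfile }}"
-    dest: "{{ item.key }}"
+    src: "gpg/{{ item.id }}"
+    dest: "{{ item.file }}"
     mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}"
 
 - name: Install gpg keys
-  apt_key:
-    id: "{{ key.id }}"
-    file: "{{ key.key | default(omit) }}"
-    state: "{{ key.state | default('present') }}"
+  apt_key: "{{ key }}"
   with_items: "{{ galera_gpg_keys }}"
   loop_control:
     loop_var: key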
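Review bot: The copy task now derives the vendored source from `item.id` while the yum and zypper variants derive it from `item.key | basename`, so the naming convention under files/gpg/ differs per platform (`gpg/C74CD1D8` versus `gpg/RPM-GPG-KEY-MariaDB`) even though the commit's stated aim is one consistent mechanism. An apt entry that sets `file` but omits `id`, which apt_key itself accepts, now fails at the copy task on an undefined `item.id` rather than with a module error. Either record in the comment above `_galera_gpg_keys` in vars/ubuntu.yml that apt entries must carry both `id` and `file`, or narrow the loop to `with_items: "{{ galera_gpg_keys | selectattr('file','defined') | selectattr('id','defined') | list }}"` so the failure surfaces at apt_key with a clearer message. Any register/until retry lines for the apt_key task fall outside this hunk.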

+ 3
- 6
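--- a/tasks/galera_install_yum.yml
+++ b/tasks/galera_install_yum.yml
@@ -51,16 +51,13 @@
 
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
   copy:
-    src: "{{ item.keyfile }}"
+    src: "gpg/{{ item.key | basename }}"
     dest: "{{ item.key }}"
     mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys }}"
 
 - name: Install gpg keys
-  rpm_key:
-    key: "{{ key.key }}"
-    validate_certs: "{{ key.validate_certs | default(omit) }}"
-    state: "{{ key.state | default('present') }}"
+  rpm_key: "{{ key }}"
   with_items: "{{ galera_gpg_keys }}"
   loop_control:
     loop_var: key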
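Review bot: The copy task now iterates every entry of `galera_gpg_keys` and expects a vendored file at `gpg/<basename of key>`, so an override entry whose `key` is a URL (a form rpm_key accepts) fails at the copy step with a missing source rather than being fetched, whereas the removed `selectattr('keyfile','defined')` filter used to skip such entries. The same change is made in tasks/galera_install_zypper.yml. A filter on the loop keeps the vendored default while allowing that override, e.g. `with_items: "{{ galera_gpg_keys | rejectattr('key', 'match', '^https?://') | list }}"`; otherwise the comment above `_galera_gpg_keys` in the vars files should state that only local key paths are supported. The register/until retry lines of the rpm_key task are outside this hunk.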

+ 5
- 8
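--- a/tasks/galera_install_zypper.yml
+++ b/tasks/galera_install_zypper.yml
@@ -32,21 +32,18 @@
 
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
   copy:
-    src: "{{ item.keyfile }}"
+    src: "gpg/{{ item.key | basename }}"
     dest: "{{ item.key }}"
     mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys }}"
 
 - name: Install gpg keys
-  rpm_key:
-    key: "{{ key.key }}"
-    validate_certs: "{{ key.validate_certs | default(omit) }}"
-    state: "{{ key.state | default('present') }}"
+  rpm_key: "{{ key }}"
   with_items: "{{ galera_gpg_keys }}"
   loop_control:
     loop_var: key
-  register: _add_yum_keys
-  until: _add_yum_keys is success
+  register: _add_zypper_keys
+  until: _add_zypper_keys is success
   retries: 5
   delay: 2
 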

+ 2
- 6
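--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -16,13 +16,9 @@
 # Galera GPG Keys
 _galera_gpg_keys:
   # MariaDB Package Signing Key <package-signing-key@mariadb.org>
-  - name: mariadb
-    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
-    keyfile: 'gpg/1BB943DB'
+  - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
   # Percona MySQL Development Team <mysql-dev@percona.com>
-  - key_name: percona
-    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
-    keyfile: 'gpg/CD2EFD2A'
+  - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
 
 # Default private device setting
 # This provides some additional security, but it causes problems with creating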
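Review bot: The renamed vendored key files (`files/gpg/1BB943DB` to `RPM-GPG-KEY-MariaDB`, `files/gpg/CD2EFD2A` to `RPM-GPG-KEY-percona`) drop the key ID from the filename, and the entries added here and in vars/suse.yml carry only the destination path, so nothing in the repository now records which key ID or fingerprint a vendored file is expected to contain. rpm_key imports whatever the file holds, so a reviewer checking a future update to files/gpg/ has no in-tree value to compare against. Add the identifier to the existing owner comments, e.g. `# MariaDB Package Signing Key <package-signing-key@mariadb.org>, key ID 1BB943DB (fingerprint: <verify against vendor's published value>)`, and likewise for the Percona entry using `CD2EFD2A`.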

+ 2
- 3
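--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -15,9 +15,8 @@
 
 # Galera GPG Keys
 _galera_gpg_keys:
-  - name: mariadb
-    key: /etc/pki/RPM-GPG-KEY-MariaDB
-    keyfile: 'gpg/1BB943DB'
+  # MariaDB Package Signing Key <package-signing-key@mariadb.org>
+  - key: /etc/pki/RPM-GPG-KEY-MariaDB
 
 # Default private device setting
 _galera_disable_privatedevices: yes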

+ 4
- 8
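--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -22,15 +22,11 @@ _galera_disable_privatedevices: yes
 # Galera GPG Keys
 _galera_gpg_keys:
   # MariaDB Signing Key <signing-key@mariadb.org>
-  - name: mariadb
-    id: C74CD1D8
-    key: /etc/ssl/mariadb-key
-    keyfile: 'gpg/C74CD1D8'
+  - id: C74CD1D8
+    file: /etc/ssl/mariadb-key
   # Percona MySQL Development Team (Packaging key) <mysql-dev@percona.com>
-  - key_name: percona
-    id: 8507EFA5
-    key: /etc/ssl/percona-pkg-key
-    keyfile: 'gpg/8507EFA5'
+  - id: 8507EFA5
+    file: /etc/ssl/percona-pkg-key
 
 galera_server_required_distro_packages:
   - apt-transport-https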
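Review bot: The `id` values on the added lines are 8-hex-digit short key IDs written as plain scalars, whereas the example this commit adds to defaults/main.yml uses a quoted 16-digit long ID (`'0xF1656F24C74CD1D8'`, whose last eight digits are the `C74CD1D8` used here). apt_key uses `id` to decide whether the key is already present, short IDs are collision-prone for that purpose, and an unquoted ID that happened to be all decimal digits would reach the module as an integer. Quoting and using the long form, `- id: '0xF1656F24C74CD1D8'` for the MariaDB entry (the Percona long ID is not on this page and should be read from the vendored key), keeps the vars consistent with the documented example.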
