Normalise in-repo GPG key implementation

To ensure that we have a consistent implementation between the galera_client and galera_server roles, we change the galera_server role to match galera_client as was done in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83 This updates it to a mechanism which will be easier to maintain. Change-Id: I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528
2018-12-17 18:21:37 +00:00 · 2018-12-17 18:21:37 +00:00 · c2b73bff52
parent 30bdc809bb
commit c2b73bff52
10 changed files with 40 additions and 38 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -51,6 +51,14 @@ galera_repo_url: "{{ _galera_repo_url }}"
 galera_repo: "{{ _galera_repo }}"
 # Set the gpg keys needed to be imported
 # This should be a list of dicts, with each dict
 # giving a set of arguments to the applicable
 # package module. The following is an example for
 # systems using the apt package manager.
 # galera_gpg_keys:
 #   - id: '0xF1656F24C74CD1D8'
 #     keyserver: 'hkp://keyserver.ubuntu.com:80'
 #     validate_certs: no
 galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"
 # Set the rpo information for the Percona Xtrabackup repository
--- a/files/gpg/RPM-GPG-KEY-MariaDB
+++ b/files/gpg/RPM-GPG-KEY-MariaDB
--- a/files/gpg/RPM-GPG-KEY-percona
+++ b/files/gpg/RPM-GPG-KEY-percona
--- a/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
+++ b/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
@ -0,0 +1,12 @@
 ---
 upgrade:
  - |
    The data structure for ``galera_gpg_keys`` has been changed to be
    a dict passed directly to the applicable apt_key/rpm_key module. As such
    any overrides would need to be reviewed to ensure that they do not pass
    any key/value pairs which would cause the module to fail.
  - |
    The default values for ``galera_gpg_keys`` have been changed for
    all supported platforms will use vendored keys. This means that the task
    execution will no longer reach out to the internet to add the keys,
    making offline or proxy-based installations easier and more reliable.
--- a/tasks/galera_install_apt.yml
+++ b/tasks/galera_install_apt.yml
@ -20,16 +20,13 @@
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
  copy:
-    src: "{{ item.keyfile }}"
+    src: "gpg/{{ item.id }}"
-    dest: "{{ item.key }}"
+    dest: "{{ item.file }}"
    mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}"
 - name: Install gpg keys
-  apt_key:
+  apt_key: "{{ key }}"
    id: "{{ key.id }}"
    file: "{{ key.key | default(omit) }}"
    state: "{{ key.state | default('present') }}"
  with_items: "{{ galera_gpg_keys }}"
  loop_control:
    loop_var: key
--- a/tasks/galera_install_yum.yml
+++ b/tasks/galera_install_yum.yml
@ -51,16 +51,13 @@
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
  copy:
-    src: "{{ item.keyfile }}"
+    src: "gpg/{{ item.key | basename }}"
    dest: "{{ item.key }}"
    mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys }}"
 - name: Install gpg keys
-  rpm_key:
+  rpm_key: "{{ key }}"
    key: "{{ key.key }}"
    validate_certs: "{{ key.validate_certs | default(omit) }}"
    state: "{{ key.state | default('present') }}"
  with_items: "{{ galera_gpg_keys }}"
  loop_control:
    loop_var: key
--- a/tasks/galera_install_zypper.yml
+++ b/tasks/galera_install_zypper.yml
@ -32,21 +32,18 @@
 - name: If a keyfile is provided, copy the gpg keyfile to the key location
  copy:
-    src: "{{ item.keyfile }}"
+    src: "gpg/{{ item.key | basename }}"
    dest: "{{ item.key }}"
    mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys }}"
 - name: Install gpg keys
-  rpm_key:
+  rpm_key: "{{ key }}"
    key: "{{ key.key }}"
    validate_certs: "{{ key.validate_certs | default(omit) }}"
    state: "{{ key.state | default('present') }}"
  with_items: "{{ galera_gpg_keys }}"
  loop_control:
    loop_var: key
-  register: _add_yum_keys
+  register: _add_zypper_keys
-  until: _add_yum_keys is success
+  until: _add_zypper_keys is success
  retries: 5
  delay: 2
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -16,13 +16,9 @@
 # Galera GPG Keys
 _galera_gpg_keys:
  # MariaDB Package Signing Key <package-signing-key@mariadb.org>
-  - name: mariadb
+  - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
    keyfile: 'gpg/1BB943DB'
  # Percona MySQL Development Team <mysql-dev@percona.com>
-  - key_name: percona
+  - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
    keyfile: 'gpg/CD2EFD2A'
 # Default private device setting
 # This provides some additional security, but it causes problems with creating
--- a/vars/suse.yml
+++ b/vars/suse.yml
@ -15,9 +15,8 @@
 # Galera GPG Keys
 _galera_gpg_keys:
-  - name: mariadb
+  # MariaDB Package Signing Key <package-signing-key@mariadb.org>
-    key: /etc/pki/RPM-GPG-KEY-MariaDB
+  - key: /etc/pki/RPM-GPG-KEY-MariaDB
    keyfile: 'gpg/1BB943DB'
 # Default private device setting
 _galera_disable_privatedevices: yes
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -22,15 +22,11 @@ _galera_disable_privatedevices: yes
 # Galera GPG Keys
 _galera_gpg_keys:
  # MariaDB Signing Key <signing-key@mariadb.org>
-  - name: mariadb
+  - id: C74CD1D8
-    id: C74CD1D8
+    file: /etc/ssl/mariadb-key
    key: /etc/ssl/mariadb-key
    keyfile: 'gpg/C74CD1D8'
  # Percona MySQL Development Team (Packaging key) <mysql-dev@percona.com>
-  - key_name: percona
+  - id: 8507EFA5
-    id: 8507EFA5
+    file: /etc/ssl/percona-pkg-key
    key: /etc/ssl/percona-pkg-key
    keyfile: 'gpg/8507EFA5'
 galera_server_required_distro_packages:
  - apt-transport-https