Normalise in-repo GPG key implementation
To ensure that we have a consistent implementation between the galera_client and galera_server roles, we change the galera_server role to match galera_client, as was done in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83. This updates it to a mechanism which will be easier to maintain. Change-Id: I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528
This commit is contained in:
parent
30bdc809bb
commit
c2b73bff52
@ -51,6 +51,14 @@ galera_repo_url: "{{ _galera_repo_url }}"
|
|||||||
galera_repo: "{{ _galera_repo }}"
|
galera_repo: "{{ _galera_repo }}"
|
||||||
|
|
||||||
# Set the gpg keys needed to be imported
|
# Set the gpg keys needed to be imported
|
||||||
|
# This should be a list of dicts, with each dict
|
||||||
|
# giving a set of arguments to the applicable
|
||||||
|
# package module. The following is an example for
|
||||||
|
# systems using the apt package manager.
|
||||||
|
# galera_gpg_keys:
|
||||||
|
# - id: '0xF1656F24C74CD1D8'
|
||||||
|
# keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||||
|
# validate_certs: no
|
||||||
galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"
|
galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"
|
||||||
|
|
||||||
# Set the rpo information for the Percona Xtrabackup repository
|
# Set the rpo information for the Percona Xtrabackup repository
|
||||||
|
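Review bot: The example added at `# validate_certs: no` pairs a plaintext `hkp://` keyserver with a disabled certificate check, which has no effect on an hkp URL and, if copied for an https keyserver, switches off verification of the server that delivers the signing key; the example should drop that line or show the default written as a real boolean (`# validate_certs: true`), since yamllint's `truthy` rule flags `no` anyway. The comment at `# giving a set of arguments to the applicable` says "package module", but the dict is forwarded to `apt_key`/`rpm_key` as the release note in this commit states, so `# package module.` reads better as `# apt_key or rpm_key module.`. It would also help to show the vendored form the role's own defaults use (`id` plus `file` for apt, `key` for rpm), because that is the structure an override replaces.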
12
releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
Normal file
12
releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The data structure for ``galera_gpg_keys`` has been changed to be
|
||||||
|
a dict passed directly to the applicable apt_key/rpm_key module. As such
|
||||||
|
any overrides would need to be reviewed to ensure that they do not pass
|
||||||
|
any key/value pairs which would cause the module to fail.
|
||||||
|
- |
|
||||||
|
The default values for ``galera_gpg_keys`` have been changed for
|
||||||
|
all supported platforms will use vendored keys. This means that the task
|
||||||
|
execution will no longer reach out to the internet to add the keys,
|
||||||
|
making offline or proxy-based installations easier and more reliable.
|
@ -20,16 +20,13 @@
|
|||||||
|
|
||||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item.keyfile }}"
|
src: "gpg/{{ item.id }}"
|
||||||
dest: "{{ item.key }}"
|
dest: "{{ item.file }}"
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
|
with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}"
|
||||||
|
|
||||||
- name: Install gpg keys
|
- name: Install gpg keys
|
||||||
apt_key:
|
apt_key: "{{ key }}"
|
||||||
id: "{{ key.id }}"
|
|
||||||
file: "{{ key.key | default(omit) }}"
|
|
||||||
state: "{{ key.state | default('present') }}"
|
|
||||||
with_items: "{{ galera_gpg_keys }}"
|
with_items: "{{ galera_gpg_keys }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: key
|
loop_var: key
|
||||||
|
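Review bot: The copy task at `src: "gpg/{{ item.id }}"` now runs for every entry that defines `file` and assumes a role file named `gpg/<id>` exists for it, so an override that points `file` at a key already on the host, or that omits `id`, fails in the copy step rather than in `apt_key`. Narrowing the loop to entries that carry both attributes, `with_items: "{{ galera_gpg_keys | selectattr('file','defined') | selectattr('id','defined') | list }}"`, or documenting that any `file` entry must ship a matching `gpg/<id>` role file, would make that contract explicit. Because `apt_key: "{{ key }}"` forwards the whole dict, every extra key in an override reaches the module unchecked, which the release note acknowledges; a one-line comment above the task saying the dict is passed verbatim would spare the next reader the trip to the release note.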
@ -51,16 +51,13 @@
|
|||||||
|
|
||||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item.keyfile }}"
|
src: "gpg/{{ item.key | basename }}"
|
||||||
dest: "{{ item.key }}"
|
dest: "{{ item.key }}"
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
|
with_items: "{{ galera_gpg_keys }}"
|
||||||
|
|
||||||
- name: Install gpg keys
|
- name: Install gpg keys
|
||||||
rpm_key:
|
rpm_key: "{{ key }}"
|
||||||
key: "{{ key.key }}"
|
|
||||||
validate_certs: "{{ key.validate_certs | default(omit) }}"
|
|
||||||
state: "{{ key.state | default('present') }}"
|
|
||||||
with_items: "{{ galera_gpg_keys }}"
|
with_items: "{{ galera_gpg_keys }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: key
|
loop_var: key
|
||||||
|
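Review bot: The copy task at `src: "gpg/{{ item.key | basename }}"` now iterates over all of `galera_gpg_keys` with no filter, so an override whose `key` is a URL or a key ID (both accepted by `rpm_key`) yields a bogus `dest` path and a lookup for a role file that does not exist; before this change `selectattr('keyfile','defined')` kept such entries out of the copy. Limiting the loop to entries whose `key` is a local path, for example `with_items: "{{ galera_gpg_keys | selectattr('key','match','/') | list }}"`, restores that, assuming the `match` test is usable inside `selectattr` on the Ansible version the role targets. The same applies to the zypper task hunk (`@ -32,21 +32,18 @@`). Since `rpm_key: "{{ key }}"` forwards the dict as-is, a comment above the task noting that every dict key becomes an `rpm_key` argument would document the new contract.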
@ -32,21 +32,18 @@
|
|||||||
|
|
||||||
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item.keyfile }}"
|
src: "gpg/{{ item.key | basename }}"
|
||||||
dest: "{{ item.key }}"
|
dest: "{{ item.key }}"
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
|
with_items: "{{ galera_gpg_keys }}"
|
||||||
|
|
||||||
- name: Install gpg keys
|
- name: Install gpg keys
|
||||||
rpm_key:
|
rpm_key: "{{ key }}"
|
||||||
key: "{{ key.key }}"
|
|
||||||
validate_certs: "{{ key.validate_certs | default(omit) }}"
|
|
||||||
state: "{{ key.state | default('present') }}"
|
|
||||||
with_items: "{{ galera_gpg_keys }}"
|
with_items: "{{ galera_gpg_keys }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: key
|
loop_var: key
|
||||||
register: _add_yum_keys
|
register: _add_zypper_keys
|
||||||
until: _add_yum_keys is success
|
until: _add_zypper_keys is success
|
||||||
retries: 5
|
retries: 5
|
||||||
delay: 2
|
delay: 2
|
||||||
|
|
||||||
|
@ -16,13 +16,9 @@
|
|||||||
# Galera GPG Keys
|
# Galera GPG Keys
|
||||||
_galera_gpg_keys:
|
_galera_gpg_keys:
|
||||||
# MariaDB Package Signing Key <package-signing-key@mariadb.org>
|
# MariaDB Package Signing Key <package-signing-key@mariadb.org>
|
||||||
- name: mariadb
|
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
|
||||||
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
|
|
||||||
keyfile: 'gpg/1BB943DB'
|
|
||||||
# Percona MySQL Development Team <mysql-dev@percona.com>
|
# Percona MySQL Development Team <mysql-dev@percona.com>
|
||||||
- key_name: percona
|
- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
|
||||||
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
|
|
||||||
keyfile: 'gpg/CD2EFD2A'
|
|
||||||
|
|
||||||
# Default private device setting
|
# Default private device setting
|
||||||
# This provides some additional security, but it causes problems with creating
|
# This provides some additional security, but it causes problems with creating
|
||||||
|
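Review bot: Dropping `keyfile: 'gpg/1BB943DB'` in favour of `- key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB` means the vendored key must now be shipped as a role file named `gpg/RPM-GPG-KEY-MariaDB` (the `basename` of `key`), and that rename is not visible on this page; it has to land in the same commit or the copy task fails. The key ID that the old filename carried is lost from the vars, so a comment such as `# Key ID 1BB943DB, vendored as gpg/RPM-GPG-KEY-MariaDB` above the MariaDB entry (and `# Key ID CD2EFD2A, vendored as gpg/RPM-GPG-KEY-percona` above the Percona one) would keep the provenance greppable. The same points apply to the SUSE vars hunk (`@ -15,9 +15,8 @@`).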
@ -15,9 +15,8 @@
|
|||||||
|
|
||||||
# Galera GPG Keys
|
# Galera GPG Keys
|
||||||
_galera_gpg_keys:
|
_galera_gpg_keys:
|
||||||
- name: mariadb
|
# MariaDB Package Signing Key <package-signing-key@mariadb.org>
|
||||||
key: /etc/pki/RPM-GPG-KEY-MariaDB
|
- key: /etc/pki/RPM-GPG-KEY-MariaDB
|
||||||
keyfile: 'gpg/1BB943DB'
|
|
||||||
|
|
||||||
# Default private device setting
|
# Default private device setting
|
||||||
_galera_disable_privatedevices: yes
|
_galera_disable_privatedevices: yes
|
||||||
|
@ -22,15 +22,11 @@ _galera_disable_privatedevices: yes
|
|||||||
# Galera GPG Keys
|
# Galera GPG Keys
|
||||||
_galera_gpg_keys:
|
_galera_gpg_keys:
|
||||||
# MariaDB Signing Key <signing-key@mariadb.org>
|
# MariaDB Signing Key <signing-key@mariadb.org>
|
||||||
- name: mariadb
|
- id: C74CD1D8
|
||||||
id: C74CD1D8
|
file: /etc/ssl/mariadb-key
|
||||||
key: /etc/ssl/mariadb-key
|
|
||||||
keyfile: 'gpg/C74CD1D8'
|
|
||||||
# Percona MySQL Development Team (Packaging key) <mysql-dev@percona.com>
|
# Percona MySQL Development Team (Packaging key) <mysql-dev@percona.com>
|
||||||
- key_name: percona
|
- id: 8507EFA5
|
||||||
id: 8507EFA5
|
file: /etc/ssl/percona-pkg-key
|
||||||
key: /etc/ssl/percona-pkg-key
|
|
||||||
keyfile: 'gpg/8507EFA5'
|
|
||||||
|
|
||||||
galera_server_required_distro_packages:
|
galera_server_required_distro_packages:
|
||||||
- apt-transport-https
|
- apt-transport-https
|
||||||
|
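Review bot: The `id` values `C74CD1D8` and `8507EFA5` are 8-character short key IDs, which is what `apt_key` uses to decide whether the key is already present and whether the import took; short IDs are cheap to collide, so that check is weak as written. A full 40-hex fingerprint, e.g. `- id: <FULL_FINGERPRINT_MARIADB>` (placeholder), keeps the check meaningful, but since the copy task builds the source name from `id` (`src: "gpg/{{ item.id }}"`) the vendored role files would need renaming to match. The `file` targets `/etc/ssl/mariadb-key` and `/etc/ssl/percona-pkg-key` are carried over unchanged; a comment beside each entry recording which vendored file it maps to would help whoever next rotates these keys.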