From b875cc30b179b6d6c3159bf0f432d0dec181f8e3 Mon Sep 17 00:00:00 2001
From: Duncan Martin Walker
Date: Tue, 25 Feb 2020 14:12:32 +0000
Subject: [PATCH] Allow non-url Elastic gpg key specification

It is currently the case that the elastic GPG key must be specified as a remote URL within the elastic_repositories role. This causes issues in the case that remote URLs specifying the GPG key are inaccessible due to e.g. firewalls at deploy time. In analogy to Change-ID I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528, this commit allows the GPG key to be provided not only via a remote URL, but also in-data or through a file by allowing the full range of apt_key input types (url, file, data etc) to be provided. The default behaviour is changed to use the vendor key in the role files.

Change-Id: Ic48db01029c4b94845ccacfba7440b13a59ab873
---
 .../elastic_repositories/defaults/main.yml | 7 ++++-
 .../46095ACC8548582C1A2699A9D27D666CD88E42B4 | 31 +++++++++++++++++++
 .../tasks/elastic_apt_repos.yml | 22 ++++++++-----
 .../elastic_repositories/vars/ubuntu.yml | 5 ++-
 4 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 elk_metrics_7x/roles/elastic_repositories/files/gpg/46095ACC8548582C1A2699A9D27D666CD88E42B4

diff --git a/elk_metrics_7x/roles/elastic_repositories/defaults/main.yml b/elk_metrics_7x/roles/elastic_repositories/defaults/main.yml
index aaf44ae2..829c0d00 100644
--- a/elk_metrics_7x/roles/elastic_repositories/defaults/main.yml
+++ b/elk_metrics_7x/roles/elastic_repositories/defaults/main.yml
@@ -23,4 +23,9 @@ elastic_repo_distro_packages: []
 # elastic_apt_repo:
 # repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
 # state: "{{ ((elk_package_state | default('present')) == 'absent') | ternary('absent', 'present') }}"
-# key_url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+
+# This should be a list of dicts, with each dict
+# giving a set of arguments to the applicable
+# package module. Defaults to the remote url
+# https://artifacts.elastic.co/GPG-KEY-elasticsearch
+elastic_gpg_keys: "{{ _elastic_gpg_keys | default([]) }}"
diff --git a/elk_metrics_7x/roles/elastic_repositories/files/gpg/46095ACC8548582C1A2699A9D27D666CD88E42B4 b/elk_metrics_7x/roles/elastic_repositories/files/gpg/46095ACC8548582C1A2699A9D27D666CD88E42B4
new file mode 100644
index 00000000..1b50dcca
--- /dev/null
+++ b/elk_metrics_7x/roles/elastic_repositories/files/gpg/46095ACC8548582C1A2699A9D27D666CD88E42B4
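Review bot: In defaults/main.yml the new comment above `elastic_gpg_keys` states that the default is the remote URL, but the value resolves to `_elastic_gpg_keys`, which vars/ubuntu.yml in this patch sets to a key file shipped with the role; the commit message says the same. I would reword it to `# List of dicts, each passed as the arguments of apt_key (url, file, data, id, ...).` and `# Defaults to the vendor key shipped under files/gpg/ (see vars/ubuntu.yml).` The comment should also say that `key_url` inside an overridden `elastic_apt_repo` is no longer read, because a deployer who pointed it at an internal mirror's key would otherwise have the bundled key trusted instead with no warning. With `default([])`, a platform whose vars file does not define `_elastic_gpg_keys` installs no key at all; whether that is intended is not visible from this hunk.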
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.14 (GNU/Linux)
+
+mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD
+A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9
+CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ
+j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd
+1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD
+2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg
+KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy
+Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
+F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75
+nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/
+7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm
+TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe
+8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/
+eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl
+zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT
+RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+
+1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+
+Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt
+KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww
+EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0
+c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J
+TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j
+6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7
+vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM
+cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/
+qPDlGRlOgVTd9xUfHFkzB52c70E=
+=92oX
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/elk_metrics_7x/roles/elastic_repositories/tasks/elastic_apt_repos.yml b/elk_metrics_7x/roles/elastic_repositories/tasks/elastic_apt_repos.yml
index b46376bb..f046e638 100644
--- a/elk_metrics_7x/roles/elastic_repositories/tasks/elastic_apt_repos.yml
+++ b/elk_metrics_7x/roles/elastic_repositories/tasks/elastic_apt_repos.yml
@@ -13,13 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-- name: add Elastic search public GPG key
- apt_key:
- url: "{{ elastic_repo.key_url }}"
- state: "present"
- register: _apt_task
- until: _apt_task is success
- retries: 3
+- name: If a keyfile is provided, copy the gpg keyfile to the key location
+ copy:
+ src: "gpg/{{ item.id }}"
+ dest: "{{ item.file }}"
+ mode: '0644'
+ with_items: "{{ elastic_gpg_keys | selectattr('file','defined') | list }}"
+
+- name: Install Elastic gpg keys
+ apt_key: "{{ key }}"
+ with_items: "{{ elastic_gpg_keys }}"
+ loop_control:
+ loop_var: key
+ register: _add_apt_keys
+ until: _add_apt_keys is success
+ retries: 5
 delay: 2
 tags:
 - package_install
diff --git a/elk_metrics_7x/roles/elastic_repositories/vars/ubuntu.yml b/elk_metrics_7x/roles/elastic_repositories/vars/ubuntu.yml
index 2542fecd..7130b424 100644
--- a/elk_metrics_7x/roles/elastic_repositories/vars/ubuntu.yml
+++ b/elk_metrics_7x/roles/elastic_repositories/vars/ubuntu.yml
@@ -20,6 +20,9 @@ elastic_repo_distro_packages:
 _elastic_repo:
 repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
 state: "{{ ((elk_package_state | default('present')) == 'absent') | ternary('absent', 'present') }}"
- key_url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"

 elastic_repo: "{{ elastic_apt_repo | default(_elastic_repo) }}"
+
+_elastic_gpg_keys:
+ - id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
+ file: /etc/ssl/elastic-key
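Review bot: In tasks/elastic_apt_repos.yml the new copy task has no `tags`, while the `apt_key` task that follows keeps `package_install` (its `delay`/`tags` lines are the trailing context of the hunk), so unless the tag is applied where this file is included, a run limited to `package_install` skips the copy and `apt_key` is handed a `file` that was never placed on a fresh host. Adding `tags:` with `- package_install` to the copy task keeps the two in step. The copy also assumes that every entry defining `file` has an `id` matching a file under `files/gpg/`; an entry that points at a key already on the host fails on `src`, so filter on `selectattr('id', 'defined')` as well or document the pairing. Setting `owner: root` and `group: root` next to `mode: '0644'` would state the ownership of this trust anchor explicitly.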
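Review bot: In vars/ubuntu.yml the `id` under `_elastic_gpg_keys` is an unquoted fingerprint; this one contains letters and loads as a string, but a replacement made only of digits, or digits around a single `E`, would be retyped as a number and no longer match the file name built from it, so I would write `- id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'`. With the URL gone, the key block added under `files/gpg/` becomes the default trust root for the Elastic repository, and nothing visible in this patch checks that its contents carry the fingerprint used as its file name; confirming that against the vendor's published fingerprint before merge, for example with `gpg --show-keys`, is worth a line in the review. A bundled key also has to be replaced by hand when the vendor rotates it, which deserves a comment next to this entry.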